2. Cross-site scripting (reflected)
Severity: | High |
Confidence: | Certain |
Host: | https://auth.verizon.com |
Path: | /amserver/UI/Login |
GET /amserver/UI/Login?realm Host: auth.verizon.com Connection: keep-alive Accept: application/xml User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,* Cookie: RegistrationApp=SessionId |
HTTP/1.1 302 Moved Temporarily Server: Sun-ONE-Web-Server/6.1 Date: Sat, 20 Nov 2010 02:15:45 GMT Content-length: 0 Content-type: text/html P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Cache-control: private Pragma: no-cache X-dsameversion: 7 2005Q4 patch5 (Tue Feb 27 17:18:03 2007) SunOS Am_client_type: genericHTML Location: https://www22.verizon.com e6a869cb573 Set-cookie: JSESSIONID=551CF2532 Set-cookie: AMAuthCookie=AQIC5wM Set-cookie: amlbcookie=03;Domain= Set-cookie: AMAuthCookie=LOGOUT Connection: close |
Severity: | High |
Confidence: | Firm |
Host: | https://auth.verizon.com |
Path: | /amserver/UI/Login |
GET /amserver/UI/Login?realm Host: auth.verizon.com Connection: keep-alive Accept: application/xml User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,* Cookie: RegistrationApp=SessionId |
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET ETag: X-Powered-By: ASP.NET Content-Type: text/html Cache-Control: private, max-age=7200 Date: Sat, 20 Nov 2010 02:15:21 GMT Connection: keep-alive Connection: Transfer-Encoding Set-Cookie: ASPSESSIONIDSCSBQTCB Set-Cookie: NSC_xxx22_tqmbu_mcw Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 02:20:21 GMT; path=/myverizon/; domain=verizon.com Content-Length: 129007 <!-- Vignette V6 Fri Nov 19 18:15:20 2010 --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Verizon | My Verizon Sign In - Online Account Management</title> ...[SNIP]... window.location.href= } function fnSetSessionCookie(name document.cookie=name+"=" } var strRemOpt=""; var strMyVzCom=f ...[SNIP]... |